commit e2954d55f4708ff30598b17366f09553855cd156 Author: bms8197 Date: Mon May 24 22:18:33 2021 +0300 Initial commit. diff --git a/.etckeeper b/.etckeeper new file mode 100755 index 0000000..454f6fe --- /dev/null +++ b/.etckeeper 
@@ -0,0 +1,4890 @@ +# Generated by etckeeper. Do not edit. + +mkdir -p './.java/.systemPrefs' +mkdir -p './NetworkManager/conf.d' +mkdir -p './NetworkManager/dispatcher.d/no-wait.d' +mkdir -p './NetworkManager/dispatcher.d/pre-down.d' +mkdir -p './NetworkManager/dispatcher.d/pre-up.d' +mkdir -p './NetworkManager/dnsmasq-shared.d' +mkdir -p './NetworkManager/dnsmasq.d' +mkdir -p './NetworkManager/system-connections' +mkdir -p './X11/applnk' +mkdir -p './X11/xorg.conf.d' +mkdir -p './ansible/roles' +mkdir -p './authselect/custom' +mkdir -p './binfmt.d' +mkdir -p './chkconfig.d' +mkdir -p './cron.weekly' +mkdir -p './crypto-policies/policies/modules' +mkdir -p './cxs/newusers' +mkdir -p './dbus-1/session.d' +mkdir -p './dnf/aliases.d' +mkdir -p './dnf/modules.defaults.d' +mkdir -p './dnf/plugins/copr.d' +mkdir -p './egl/egl_external_platform.d' +mkdir -p './exports.d' +mkdir -p './fail2ban/fail2ban.d' +mkdir -p './falco/rules.d' +mkdir -p './firewalld/helpers' +mkdir -p './firewalld/icmptypes' +mkdir -p './firewalld/ipsets' +mkdir -p './firewalld/services' +mkdir -p './gdbinit.d' +mkdir -p './glvnd/egl_vendor.d' +mkdir -p './gnupg' +mkdir -p './groff/site-font' +mkdir -p './immortal' +mkdir -p './incron.d' +mkdir -p './java/security/security.d' +mkdir -p './jvm' +mkdir -p './jvm-commmon' +mkdir -p './letsencrypt/renewal-hooks/deploy' +mkdir -p './letsencrypt/renewal-hooks/post' +mkdir -p './letsencrypt/renewal-hooks/pre' +mkdir -p './libpaper.d' +mkdir -p './libreport/events' +mkdir -p './libreport/plugins' +mkdir -p './libreport/workflows.d' +mkdir -p './mail/spamassassin/.pyzor' +mkdir -p './mail/spamassassin/sa-update-keys/private-keys-v1.d' +mkdir -p './modulefiles' +mkdir -p './modules-load.d' +mkdir -p './named' +mkdir -p './nginx/conf.d/ganool/nginx/modules' +mkdir -p './nginx/conf.d/ganool/nginx/ngx1/nginx/modules' +mkdir -p './nginx/html/.well-known/acme-challenge' +mkdir -p './nrpe.d' +mkdir -p './oddjob' +mkdir -p './openldap/certs' +mkdir -p './opt' +mkdir 
-p './pear' +mkdir -p './pkcs11/modules' +mkdir -p './pki/ca-trust/source/anchors' +mkdir -p './pki/ca-trust/source/blacklist' +mkdir -p './pki/consumer' +mkdir -p './pki/entitlement' +mkdir -p './pki/product' +mkdir -p './pki/product-default' +mkdir -p './pki/rsyslog' +mkdir -p './pki/tls/misc' +mkdir -p './pm/config.d' +mkdir -p './pm/power.d' +mkdir -p './pm/sleep.d' +mkdir -p './polkit-1/localauthority.conf.d' +mkdir -p './polkit-1/localauthority/10-vendor.d' +mkdir -p './polkit-1/localauthority/20-org.d' +mkdir -p './polkit-1/localauthority/30-site.d' +mkdir -p './polkit-1/localauthority/50-local.d' +mkdir -p './polkit-1/localauthority/90-mandatory.d' +mkdir -p './pyzor' +mkdir -p './qemu-ga/fsfreeze-hook.d' +mkdir -p './rhsm/ca' +mkdir -p './rhsm/facts' +mkdir -p './rhsm/pluginconf.d' +mkdir -p './rspamd/override.d' +mkdir -p './scl/modulefiles' +mkdir -p './security/console.perms.d' +mkdir -p './security/namespace.d' +mkdir -p './security/pwquality.conf.d' +mkdir -p './selinux/targeted/logins' +mkdir -p './sssd/conf.d' +mkdir -p './sssd/pki' +mkdir -p './subversion' +mkdir -p './sysconfig/console' +mkdir -p './sysconfig/modules' +mkdir -p './sysconfig/rhn/allowed-actions/configfiles' +mkdir -p './sysconfig/rhn/allowed-actions/script' +mkdir -p './sysconfig/rhn/clientCaps.d' +mkdir -p './systemd/system/nginx.service.d' +mkdir -p './systemd/system/php-fpm.service.d' +mkdir -p './terminfo' +mkdir -p './tuned/recommend.d' +mkdir -p './udev/hwdb.d' +mkdir -p './xdg/QtProject' +maybe chmod 0755 '.' 
+maybe chmod 0700 '.etckeeper' +maybe chmod 0640 '.gitignore' +maybe chmod 0755 '.java' +maybe chmod 0755 '.java/.systemPrefs' +maybe chmod 0644 '.updated' +maybe chmod 0644 'DIR_COLORS' +maybe chmod 0644 'DIR_COLORS.256color' +maybe chmod 0644 'DIR_COLORS.lightbgcolor' +maybe chmod 0644 'GREP_COLORS' +maybe chmod 0755 'ImageMagick-6' +maybe chmod 0644 'ImageMagick-6/coder.xml' +maybe chmod 0644 'ImageMagick-6/colors.xml' +maybe chmod 0644 'ImageMagick-6/delegates.xml' +maybe chmod 0644 'ImageMagick-6/log.xml' +maybe chmod 0644 'ImageMagick-6/magic.xml' +maybe chmod 0644 'ImageMagick-6/mime.xml' +maybe chmod 0644 'ImageMagick-6/policy.xml' +maybe chmod 0644 'ImageMagick-6/quantization-table.xml' +maybe chmod 0644 'ImageMagick-6/thresholds.xml' +maybe chmod 0644 'ImageMagick-6/type-apple.xml' +maybe chmod 0644 'ImageMagick-6/type-dejavu.xml' +maybe chmod 0644 'ImageMagick-6/type-ghostscript.xml' +maybe chmod 0644 'ImageMagick-6/type-urw-base35.xml' +maybe chmod 0644 'ImageMagick-6/type-windows.xml' +maybe chmod 0644 'ImageMagick-6/type.xml' +maybe chmod 0755 'NetworkManager' +maybe chmod 0644 'NetworkManager/NetworkManager.conf' +maybe chmod 0755 'NetworkManager/conf.d' +maybe chmod 0755 'NetworkManager/dispatcher.d' +maybe chmod 0755 'NetworkManager/dispatcher.d/11-dhclient' +maybe chmod 0755 'NetworkManager/dispatcher.d/20-chrony' +maybe chmod 0755 'NetworkManager/dispatcher.d/no-wait.d' +maybe chmod 0755 'NetworkManager/dispatcher.d/pre-down.d' +maybe chmod 0755 'NetworkManager/dispatcher.d/pre-up.d' +maybe chmod 0755 'NetworkManager/dnsmasq-shared.d' +maybe chmod 0755 'NetworkManager/dnsmasq.d' +maybe chmod 0755 'NetworkManager/system-connections' +maybe chmod 0640 'README.md' +maybe chmod 0755 'X11' +maybe chmod 0755 'X11/applnk' +maybe chmod 0755 'X11/fontpath.d' +maybe chmod 0755 'X11/xinit' +maybe chmod 0755 'X11/xinit/xinitrc.d' +maybe chmod 0755 'X11/xinit/xinitrc.d/10-qt5-check-opengl2.sh' +maybe chmod 0755 'X11/xinit/xinitrc.d/50-systemd-user.sh' +maybe 
chmod 0755 'X11/xorg.conf.d' +maybe chmod 0600 'aide.conf' +maybe chmod 0644 'aliases' +maybe chmod 0644 'aliases.db' +maybe chmod 0755 'alternatives' +maybe chmod 0755 'amavisd' +maybe chmod 0644 'amavisd/amavisd.conf' +maybe chmod 0644 'amavisd/amavisd.conf.rpmnew' +maybe chmod 0644 'amavisd/whitelist' +maybe chmod 0644 'anacrontab' +maybe chmod 0755 'ansible' +maybe chmod 0644 'ansible/ansible.cfg' +maybe chmod 0644 'ansible/hosts' +maybe chmod 0755 'ansible/roles' +maybe chmod 0755 'asciidoc' +maybe chmod 0644 'asciidoc/asciidoc.conf' +maybe chmod 0644 'asciidoc/docbook45.conf' +maybe chmod 0755 'asciidoc/filters' +maybe chmod 0755 'asciidoc/filters/code' +maybe chmod 0644 'asciidoc/filters/code/code-filter.conf' +maybe chmod 0755 'asciidoc/filters/code/code-filter.py' +maybe chmod 0755 'asciidoc/filters/graphviz' +maybe chmod 0644 'asciidoc/filters/graphviz/graphviz-filter.conf' +maybe chmod 0755 'asciidoc/filters/graphviz/graphviz2png.py' +maybe chmod 0755 'asciidoc/filters/source' +maybe chmod 0644 'asciidoc/filters/source/source-highlight-filter.conf' +maybe chmod 0644 'asciidoc/help.conf' +maybe chmod 0644 'asciidoc/html4.conf' +maybe chmod 0644 'asciidoc/html5.conf' +maybe chmod 0644 'asciidoc/lang-cs.conf' +maybe chmod 0644 'asciidoc/lang-de.conf' +maybe chmod 0644 'asciidoc/lang-el.conf' +maybe chmod 0644 'asciidoc/lang-en.conf' +maybe chmod 0644 'asciidoc/lang-es.conf' +maybe chmod 0644 'asciidoc/lang-fi.conf' +maybe chmod 0644 'asciidoc/lang-fr.conf' +maybe chmod 0644 'asciidoc/lang-hu.conf' +maybe chmod 0644 'asciidoc/lang-id.conf' +maybe chmod 0644 'asciidoc/lang-it.conf' +maybe chmod 0644 'asciidoc/lang-ja.conf' +maybe chmod 0644 'asciidoc/lang-nl.conf' +maybe chmod 0644 'asciidoc/lang-pl.conf' +maybe chmod 0644 'asciidoc/lang-pt-BR.conf' +maybe chmod 0644 'asciidoc/lang-ro.conf' +maybe chmod 0644 'asciidoc/lang-ru.conf' +maybe chmod 0644 'asciidoc/lang-sv.conf' +maybe chmod 0644 'asciidoc/lang-uk.conf' +maybe chmod 0644 'asciidoc/latex.conf' 
+maybe chmod 0644 'asciidoc/slidy.conf' +maybe chmod 0644 'asciidoc/text.conf' +maybe chmod 0755 'asciidoc/themes' +maybe chmod 0755 'asciidoc/themes/flask' +maybe chmod 0644 'asciidoc/themes/flask/flask.css' +maybe chmod 0755 'asciidoc/themes/volnitsky' +maybe chmod 0644 'asciidoc/themes/volnitsky/volnitsky.css' +maybe chmod 0644 'asciidoc/xhtml11-quirks.conf' +maybe chmod 0644 'asciidoc/xhtml11.conf' +maybe chmod 0644 'asound.conf' +maybe chmod 0644 'at.deny' +maybe chmod 0750 'audit' +maybe chmod 0640 'audit/audit-stop.rules' +maybe chmod 0640 'audit/audit.rules' +maybe chmod 0640 'audit/audit.rules.prev' +maybe chmod 0640 'audit/auditd.conf' +maybe chmod 0750 'audit/plugins.d' +maybe chmod 0640 'audit/plugins.d/af_unix.conf' +maybe chmod 0750 'audit/rules.d' +maybe chmod 0640 'audit/rules.d/99-finalize.rules' +maybe chmod 0600 'audit/rules.d/audit.rules' +maybe chmod 0755 'authselect' +maybe chmod 0644 'authselect/authselect.conf' +maybe chmod 0755 'authselect/custom' +maybe chmod 0644 'authselect/dconf-db' +maybe chmod 0644 'authselect/dconf-locks' +maybe chmod 0644 'authselect/fingerprint-auth' +maybe chmod 0644 'authselect/nsswitch.conf' +maybe chmod 0644 'authselect/password-auth' +maybe chmod 0644 'authselect/postlogin' +maybe chmod 0644 'authselect/smartcard-auth' +maybe chmod 0644 'authselect/system-auth' +maybe chmod 0644 'authselect/user-nsswitch.conf' +maybe chmod 0755 'awstats' +maybe chmod 0644 'awstats/awstats.192.168.1.2.conf' +maybe chmod 0644 'awstats/awstats.club3d.ro.conf' +maybe chmod 0644 'awstats/awstats.localhost.localdomain.conf' +maybe chmod 0644 'awstats/awstats.model.conf' +maybe chmod 0644 'awstats/awstats.zira.898.ro.conf' +maybe chmod 0755 'bash_completion.d' +maybe chmod 0644 'bash_completion.d/authselect-completion.sh' +maybe chmod 0644 'bash_completion.d/pip2' +maybe chmod 0644 'bash_completion.d/redefine_filedir' +maybe chmod 0644 'bash_completion.d/scl' +maybe chmod 0644 'bashrc' +maybe chmod 0644 'bindresvport.blacklist' 
+maybe chmod 0755 'binfmt.d' +maybe chmod 0644 'centos-release' +maybe chmod 0644 'centos-release-upstream' +maybe chmod 0755 'chkconfig.d' +maybe chmod 0644 'chrony.conf' +maybe chgrp 'chrony' 'chrony.keys' +maybe chmod 0640 'chrony.keys' +maybe chmod 0755 'cifs-utils' +maybe chown 'amavis' 'clamav-unofficial-sigs' +maybe chgrp 'amavis' 'clamav-unofficial-sigs' +maybe chmod 0755 'clamav-unofficial-sigs' +maybe chown 'amavis' 'clamav-unofficial-sigs/master.conf' +maybe chgrp 'amavis' 'clamav-unofficial-sigs/master.conf' +maybe chmod 0644 'clamav-unofficial-sigs/master.conf' +maybe chown 'amavis' 'clamav-unofficial-sigs/os.conf' +maybe chgrp 'amavis' 'clamav-unofficial-sigs/os.conf' +maybe chmod 0644 'clamav-unofficial-sigs/os.conf' +maybe chown 'amavis' 'clamav-unofficial-sigs/user.conf' +maybe chgrp 'amavis' 'clamav-unofficial-sigs/user.conf' +maybe chmod 0644 'clamav-unofficial-sigs/user.conf' +maybe chmod 0640 'clamd.conf' +maybe chown 'amavis' 'clamd.conf.rpmnew' +maybe chgrp 'amavis' 'clamd.conf.rpmnew' +maybe chmod 0644 'clamd.conf.rpmnew' +maybe chown 'amavis' 'clamd.conf.rpmsave' +maybe chgrp 'amavis' 'clamd.conf.rpmsave' +maybe chmod 0644 'clamd.conf.rpmsave' +maybe chown 'amavis' 'clamd.d' +maybe chgrp 'amavis' 'clamd.d' +maybe chmod 0755 'clamd.d' +maybe chown 'amavis' 'clamd.d/amavisd.conf' +maybe chgrp 'amavis' 'clamd.d/amavisd.conf' +maybe chmod 0644 'clamd.d/amavisd.conf' +maybe chown 'amavis' 'clamd.d/scan.conf' +maybe chgrp 'amavis' 'clamd.d/scan.conf' +maybe chmod 0644 'clamd.d/scan.conf' +maybe chown 'amavis' 'clamd.d/scan.conf.rpmnew' +maybe chgrp 'amavis' 'clamd.d/scan.conf.rpmnew' +maybe chmod 0644 'clamd.d/scan.conf.rpmnew' +maybe chown 'amavis' 'clamd.d/scan.conf.rpmsave' +maybe chgrp 'amavis' 'clamd.d/scan.conf.rpmsave' +maybe chmod 0644 'clamd.d/scan.conf.rpmsave' +maybe chmod 0755 'cloud' +maybe chmod 0644 'cloud/cloud.cfg.rpmsave' +maybe chmod 0755 'cockpit' +maybe chmod 0755 'cockpit/ws-certs.d' +maybe chmod 0644 
'cockpit/ws-certs.d/0-self-signed-ca.pem' +maybe chgrp 'cockpit-ws' 'cockpit/ws-certs.d/0-self-signed.cert' +maybe chmod 0640 'cockpit/ws-certs.d/0-self-signed.cert' +maybe chmod 0644 'colordiffrc' +maybe chmod 0755 'containerd' +maybe chmod 0644 'containerd/config.toml' +maybe chmod 0700 'cron.d' +maybe chmod 0644 'cron.d/0hourly' +maybe chmod 0644 'cron.d/clamav-unofficial-sigs' +maybe chmod 0644 'cron.d/csf-cron' +maybe chmod 0600 'cron.d/csf_update' +maybe chmod 0644 'cron.d/lfd-cron' +maybe chmod 0644 'cron.d/maldet_pub' +maybe chmod 0700 'cron.daily' +maybe chmod 0750 'cron.daily/aide' +maybe chmod 0700 'cron.daily/csget' +maybe chmod 0755 'cron.daily/etckeeper' +maybe chmod 0755 'cron.daily/logrotate' +maybe chmod 0755 'cron.daily/maldet' +maybe chmod 0755 'cron.daily/rkhunter' +maybe chmod 0600 'cron.deny' +maybe chmod 0700 'cron.hourly' +maybe chmod 0755 'cron.hourly/0anacron' +maybe chmod 0750 'cron.hourly/awstats' +maybe chmod 0700 'cron.monthly' +maybe chmod 0755 'cron.monthly/psacct' +maybe chmod 0700 'cron.weekly' +maybe chmod 0600 'crontab' +maybe chmod 0755 'crypto-policies' +maybe chmod 0755 'crypto-policies/back-ends' +maybe chmod 0644 'crypto-policies/back-ends/nss.config' +maybe chmod 0644 'crypto-policies/config' +maybe chmod 0755 'crypto-policies/local.d' +maybe chmod 0644 'crypto-policies/local.d/nss-p11-kit.config' +maybe chmod 0755 'crypto-policies/policies' +maybe chmod 0755 'crypto-policies/policies/modules' +maybe chmod 0755 'crypto-policies/state' +maybe chmod 0644 'crypto-policies/state/CURRENT.pol' +maybe chmod 0644 'crypto-policies/state/current' +maybe chmod 0600 'crypttab' +maybe chmod 0600 'csf' +maybe chmod 0644 'csf.tgz' +maybe chmod 0600 'csf/changelog.txt' +maybe chmod 0600 'csf/csf.allow' +maybe chmod 0600 'csf/csf.blocklists' +maybe chmod 0600 'csf/csf.blocklists.new' +maybe chmod 0600 'csf/csf.cloudflare' +maybe chmod 0600 'csf/csf.conf' +maybe chmod 0600 'csf/csf.deny' +maybe chmod 0600 'csf/csf.dirwatch' +maybe chmod 0600 
'csf/csf.dyndns' +maybe chmod 0600 'csf/csf.fignore' +maybe chmod 0600 'csf/csf.ignore' +maybe chmod 0600 'csf/csf.logfiles' +maybe chmod 0600 'csf/csf.logignore' +maybe chmod 0600 'csf/csf.mignore' +maybe chmod 0600 'csf/csf.pignore' +maybe chmod 0600 'csf/csf.rblconf' +maybe chmod 0600 'csf/csf.redirect' +maybe chmod 0600 'csf/csf.resellers' +maybe chmod 0600 'csf/csf.rignore' +maybe chmod 0600 'csf/csf.signore' +maybe chmod 0600 'csf/csf.sips' +maybe chmod 0600 'csf/csf.smtpauth' +maybe chmod 0600 'csf/csf.suignore' +maybe chmod 0600 'csf/csf.syslogs' +maybe chmod 0600 'csf/csf.syslogusers' +maybe chmod 0600 'csf/csf.uidignore' +maybe chmod 0700 'csf/csfpost.sh' +maybe chmod 0700 'csf/csfpre.sh' +maybe chmod 0600 'csf/disabled' +maybe chmod 0600 'csf/disabled/csfpost.sh' +maybe chmod 0600 'csf/disabled/csfpre.sh' +maybe chmod 0600 'csf/downloadservers' +maybe chmod 0600 'csf/install.txt' +maybe chmod 0600 'csf/license.txt' +maybe chmod 0600 'csf/messenger' +maybe chmod 0600 'csf/messenger/en.php' +maybe chmod 0600 'csf/messenger/index.html' +maybe chmod 0600 'csf/messenger/index.php' +maybe chmod 0600 'csf/messenger/index.recaptcha.html' +maybe chmod 0600 'csf/messenger/index.recaptcha.php' +maybe chmod 0600 'csf/messenger/index.text' +maybe chmod 0600 'csf/readme.txt' +maybe chmod 0600 'csf/ui' +maybe chmod 0600 'csf/ui/images' +maybe chmod 0600 'csf/ui/images/LICENSE.txt' +maybe chmod 0600 'csf/ui/images/admin_icon.svg' +maybe chmod 0600 'csf/ui/images/bootstrap' +maybe chmod 0600 'csf/ui/images/bootstrap-chosen.css' +maybe chmod 0600 'csf/ui/images/bootstrap-switch.min.css' +maybe chmod 0600 'csf/ui/images/bootstrap-switch.min.js' +maybe chmod 0600 'csf/ui/images/bootstrap.confirm.js' +maybe chmod 0600 'csf/ui/images/bootstrap/css' +maybe chmod 0600 'csf/ui/images/bootstrap/css/bootstrap.min.css' +maybe chmod 0600 'csf/ui/images/bootstrap/css/bootstrap.min.css.map' +maybe chmod 0600 'csf/ui/images/bootstrap/fonts' +maybe chmod 0600 
'csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.eot' +maybe chmod 0600 'csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.svg' +maybe chmod 0600 'csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.ttf' +maybe chmod 0600 'csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.woff' +maybe chmod 0600 'csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.woff2' +maybe chmod 0600 'csf/ui/images/bootstrap/js' +maybe chmod 0600 'csf/ui/images/bootstrap/js/bootstrap.min.js' +maybe chmod 0600 'csf/ui/images/chosen-sprite.png' +maybe chmod 0600 'csf/ui/images/chosen-sprite@2x.png' +maybe chmod 0600 'csf/ui/images/chosen.jquery.min.js' +maybe chmod 0600 'csf/ui/images/chosen.min.css' +maybe chmod 0600 'csf/ui/images/chosen.min.js' +maybe chmod 0600 'csf/ui/images/configserver.css' +maybe chmod 0600 'csf/ui/images/csf-loader.gif' +maybe chmod 0600 'csf/ui/images/csf.svg' +maybe chmod 0600 'csf/ui/images/csf_small.png' +maybe chmod 0600 'csf/ui/images/jquery.min.js' +maybe chmod 0600 'csf/ui/images/loader.gif' +maybe chmod 0600 'csf/ui/images/reseller_icon.svg' +maybe chmod 0600 'csf/ui/server.crt' +maybe chmod 0600 'csf/ui/server.key' +maybe chmod 0600 'csf/ui/ui.allow' +maybe chmod 0600 'csf/ui/ui.ban' +maybe chmod 0600 'csf/version.txt' +maybe chmod 0644 'csh.cshrc' +maybe chmod 0644 'csh.login' +maybe chmod 0611 'cxs' +maybe chmod 0600 'cxs/changelog.txt' +maybe chmod 0700 'cxs/cpanelsuspend.example.pl' +maybe chmod 0600 'cxs/csfajaxtail.js' +maybe chmod 0755 'cxs/cxs' +maybe chmod 0644 'cxs/cxs.data' +maybe chmod 0644 'cxs/cxs.default' +maybe chmod 0644 'cxs/cxs.defaults.example' +maybe chmod 0644 'cxs/cxs.fp' +maybe chmod 0644 'cxs/cxs.ignore' +maybe chmod 0644 'cxs/cxs.ignore.example' +maybe chmod 0644 'cxs/cxs.monitor.example' +maybe chmod 0755 'cxs/cxs.pl' +maybe chmod 0644 'cxs/cxs.pod' +maybe chmod 0600 'cxs/cxs.sec' +maybe chmod 0600 'cxs/cxs.sver' +maybe chmod 0644 'cxs/cxs.template.example' +maybe chmod 0644 'cxs/cxs.xtra' 
+maybe chmod 0644 'cxs/cxs.xtra.example' +maybe chmod 0755 'cxs/cxs/images' +maybe chmod 0644 'cxs/cxs/images/cxs_small.png' +maybe chmod 0644 'cxs/cxs/images/icon.gif' +maybe chmod 0644 'cxs/cxs/index.cgi' +maybe chmod 0644 'cxs/cxs/module.info' +maybe chmod 0755 'cxs/cxscgi.sh' +maybe chmod 0700 'cxs/cxschroot.sh' +maybe chmod 0600 'cxs/cxscron.txt' +maybe chmod 0700 'cxs/cxsdaily.sh' +maybe chmod 0700 'cxs/cxsftp.sh' +maybe chmod 0700 'cxs/cxsui.pl' +maybe chmod 0700 'cxs/cxswatch.sh' +maybe chmod 0644 'cxs/cxswebmin.tgz' +maybe chmod 0755 'cxs/htaccessdisable.example.pl' +maybe chmod 0600 'cxs/install.txt' +maybe chmod 0644 'cxs/license.txt' +maybe chmod 0644 'cxs/new.fp' +maybe chmod 0755 'cxs/newusers' +maybe chmod 0600 'cxs/reference.txt' +maybe chmod 0600 'cxs/servers' +maybe chmod 0644 'cxs/symlinkdisable.pl' +maybe chmod 0600 'cxs/test' +maybe chmod 0600 'cxs/test/testexploit.php' +maybe chmod 0700 'cxs/uninstall.sh' +maybe chmod 0755 'dbus-1' +maybe chmod 0644 'dbus-1/session.conf' +maybe chmod 0755 'dbus-1/session.d' +maybe chmod 0644 'dbus-1/system.conf' +maybe chmod 0755 'dbus-1/system.d' +maybe chmod 0644 'dbus-1/system.d/com.redhat.RHSM1.Facts.conf' +maybe chmod 0644 'dbus-1/system.d/com.redhat.RHSM1.conf' +maybe chmod 0644 'dbus-1/system.d/com.redhat.tuned.conf' +maybe chmod 0644 'dbus-1/system.d/nm-dispatcher.conf' +maybe chmod 0644 'dbus-1/system.d/nm-ifcfg-rh.conf' +maybe chmod 0644 'dbus-1/system.d/oddjob-mkhomedir.conf' +maybe chmod 0644 'dbus-1/system.d/oddjob.conf' +maybe chmod 0644 'dbus-1/system.d/org.freedesktop.NetworkManager.conf' +maybe chmod 0644 'dbus-1/system.d/org.freedesktop.PolicyKit1.conf' +maybe chmod 0644 'dbus-1/system.d/org.selinux.conf' +maybe chmod 0644 'dbus-1/system.d/teamd.conf' +maybe chmod 0755 'dconf' +maybe chmod 0755 'dconf/db' +maybe chmod 0755 'dconf/db/distro.d' +maybe chmod 0755 'dconf/db/distro.d/locks' +maybe chmod 0755 'default' +maybe chmod 0644 'default/grub' +maybe chmod 0600 'default/useradd' +maybe 
chmod 0644 'default/useradd-' +maybe chmod 0755 'depmod.d' +maybe chmod 0644 'depmod.d/dist.conf' +maybe chmod 0644 'depmod.d/kmod-wireguard.conf' +maybe chmod 0750 'dhcp' +maybe chmod 0644 'dhcp/dhclient.conf' +maybe chmod 0755 'dhcp/dhclient.d' +maybe chmod 0755 'dhcp/dhclient.d/chrony.sh' +maybe chmod 0755 'dkms' +maybe chmod 0644 'dkms/framework.conf' +maybe chmod 0755 'dkms/kernel_install.d_dkms' +maybe chmod 0755 'dkms/sign_helper.sh' +maybe chmod 0644 'dkms/template-dkms-mkrpm.spec' +maybe chmod 0644 'dkms/template-dkms-redhat-kmod.spec' +maybe chmod 0755 'dnf' +maybe chmod 0755 'dnf/aliases.d' +maybe chmod 0644 'dnf/dnf.conf' +maybe chmod 0755 'dnf/modules.d' +maybe chmod 0644 'dnf/modules.d/container-tools.module' +maybe chmod 0644 'dnf/modules.d/httpd.module' +maybe chmod 0644 'dnf/modules.d/javapackages-runtime.module' +maybe chmod 0644 'dnf/modules.d/llvm-toolset.module' +maybe chmod 0644 'dnf/modules.d/nginx.module' +maybe chmod 0644 'dnf/modules.d/nodejs.module' +maybe chmod 0644 'dnf/modules.d/perl-DBD-MySQL.module' +maybe chmod 0644 'dnf/modules.d/perl-DBD-SQLite.module' +maybe chmod 0644 'dnf/modules.d/perl-DBI.module' +maybe chmod 0644 'dnf/modules.d/perl-IO-Socket-SSL.module' +maybe chmod 0644 'dnf/modules.d/perl-libwww-perl.module' +maybe chmod 0644 'dnf/modules.d/perl.module' +maybe chmod 0644 'dnf/modules.d/php.module' +maybe chmod 0644 'dnf/modules.d/python27.module' +maybe chmod 0644 'dnf/modules.d/python36.module' +maybe chmod 0644 'dnf/modules.d/redis.module' +maybe chmod 0644 'dnf/modules.d/ruby.module' +maybe chmod 0644 'dnf/modules.d/rust-toolset.module' +maybe chmod 0644 'dnf/modules.d/satellite-5-client.module' +maybe chmod 0644 'dnf/modules.d/subversion.module' +maybe chmod 0644 'dnf/modules.d/virt.module' +maybe chmod 0755 'dnf/modules.defaults.d' +maybe chmod 0755 'dnf/plugins' +maybe chmod 0644 'dnf/plugins/copr.conf' +maybe chmod 0755 'dnf/plugins/copr.d' +maybe chmod 0644 'dnf/plugins/debuginfo-install.conf' +maybe chmod 0644 
'dnf/plugins/product-id.conf' +maybe chmod 0644 'dnf/plugins/spacewalk.conf' +maybe chmod 0644 'dnf/plugins/subscription-manager.conf' +maybe chmod 0755 'dnf/protected.d' +maybe chmod 0644 'dnf/protected.d/dnf.conf' +maybe chmod 0644 'dnf/protected.d/setup.conf' +maybe chmod 0644 'dnf/protected.d/sudo.conf' +maybe chmod 0644 'dnf/protected.d/systemd.conf' +maybe chmod 0644 'dnf/protected.d/yum.conf' +maybe chmod 0755 'dnf/vars' +maybe chmod 0644 'dnf/vars/contentdir' +maybe chmod 0644 'dnf/vars/infra' +maybe chmod 0755 'docker' +maybe chmod 0600 'docker/key.json' +maybe chmod 0755 'dovecot' +maybe chmod 0755 'dovecot/conf.d' +maybe chmod 0644 'dovecot/conf.d/10-auth.conf' +maybe chmod 0644 'dovecot/conf.d/10-director.conf' +maybe chmod 0644 'dovecot/conf.d/10-logging.conf' +maybe chmod 0644 'dovecot/conf.d/10-mail.conf' +maybe chmod 0644 'dovecot/conf.d/10-mail.conf.rpmnew' +maybe chmod 0644 'dovecot/conf.d/10-master.conf' +maybe chmod 0644 'dovecot/conf.d/10-ssl.conf' +maybe chmod 0644 'dovecot/conf.d/15-lda.conf' +maybe chmod 0644 'dovecot/conf.d/15-mailboxes.conf' +maybe chmod 0644 'dovecot/conf.d/15-mailboxes.conf.rpmnew' +maybe chmod 0644 'dovecot/conf.d/20-imap.conf' +maybe chmod 0644 'dovecot/conf.d/20-imap.conf.rpmnew' +maybe chmod 0644 'dovecot/conf.d/20-lmtp.conf' +maybe chmod 0644 'dovecot/conf.d/20-lmtp.conf.rpmnew' +maybe chmod 0644 'dovecot/conf.d/20-managesieve.conf' +maybe chmod 0644 'dovecot/conf.d/20-pop3.conf' +maybe chmod 0644 'dovecot/conf.d/20-submission.conf' +maybe chmod 0644 'dovecot/conf.d/90-acl.conf' +maybe chown 'vmail' 'dovecot/conf.d/90-imapsieve.conf' +maybe chgrp 'dovecot' 'dovecot/conf.d/90-imapsieve.conf' +maybe chmod 0640 'dovecot/conf.d/90-imapsieve.conf' +maybe chmod 0644 'dovecot/conf.d/90-plugin.conf' +maybe chmod 0644 'dovecot/conf.d/90-quota.conf' +maybe chmod 0644 'dovecot/conf.d/90-quota.conf.rpmnew' +maybe chmod 0644 'dovecot/conf.d/90-sieve-extprograms.conf' +maybe chmod 0644 'dovecot/conf.d/90-sieve.conf' +maybe chmod 
0644 'dovecot/conf.d/90-sieve.conf.rpmnew' +maybe chmod 0644 'dovecot/conf.d/auth-checkpassword.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-deny.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-dict.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-ldap.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-master.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-passwdfile.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-sql.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-static.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-system.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-vpopmail.conf.ext' +maybe chown 'vmail' 'dovecot/dovecot-dict-auth.conf.ext' +maybe chgrp 'dovecot' 'dovecot/dovecot-dict-auth.conf.ext' +maybe chmod 0640 'dovecot/dovecot-dict-auth.conf.ext' +maybe chown 'vmail' 'dovecot/dovecot-dict-quota.conf' +maybe chgrp 'dovecot' 'dovecot/dovecot-dict-quota.conf' +maybe chmod 0640 'dovecot/dovecot-dict-quota.conf' +maybe chown 'dovecot' 'dovecot/dovecot-dict-sql.conf.ext' +maybe chgrp 'dovecot' 'dovecot/dovecot-dict-sql.conf.ext' +maybe chmod 0640 'dovecot/dovecot-dict-sql.conf.ext' +maybe chown 'vmail' 'dovecot/dovecot-mysql.conf' +maybe chgrp 'dovecot' 'dovecot/dovecot-mysql.conf' +maybe chmod 0640 'dovecot/dovecot-mysql.conf' +maybe chmod 0644 'dovecot/dovecot.conf' +maybe chown 'vmail' 'dovecot/quota-warning.sh' +maybe chgrp 'dovecot' 'dovecot/quota-warning.sh' +maybe chmod 0750 'dovecot/quota-warning.sh' +maybe chown 'vmail' 'dovecot/sieve' +maybe chgrp 'dovecot' 'dovecot/sieve' +maybe chmod 0750 'dovecot/sieve' +maybe chown 'vmail' 'dovecot/sieve/learn-ham.sh' +maybe chgrp 'dovecot' 'dovecot/sieve/learn-ham.sh' +maybe chmod 0750 'dovecot/sieve/learn-ham.sh' +maybe chown 'vmail' 'dovecot/sieve/learn-spam.sh' +maybe chgrp 'dovecot' 'dovecot/sieve/learn-spam.sh' +maybe chmod 0750 'dovecot/sieve/learn-spam.sh' +maybe chown 'vmail' 'dovecot/sieve/report-ham.sieve' +maybe chgrp 'dovecot' 'dovecot/sieve/report-ham.sieve' +maybe chmod 0640 
'dovecot/sieve/report-ham.sieve' +maybe chown 'vmail' 'dovecot/sieve/report-spam.sieve' +maybe chgrp 'dovecot' 'dovecot/sieve/report-spam.sieve' +maybe chmod 0640 'dovecot/sieve/report-spam.sieve' +maybe chown 'vmail' 'dovecot/sieve/spam-global.sieve' +maybe chgrp 'dovecot' 'dovecot/sieve/spam-global.sieve' +maybe chmod 0640 'dovecot/sieve/spam-global.sieve' +maybe chown 'vmail' 'dovecot/sieve/spam-global.svbin' +maybe chgrp 'dovecot' 'dovecot/sieve/spam-global.svbin' +maybe chmod 0640 'dovecot/sieve/spam-global.svbin' +maybe chown 'vmail' 'dovecot/trash.conf' +maybe chgrp 'dovecot' 'dovecot/trash.conf' +maybe chmod 0640 'dovecot/trash.conf' +maybe chmod 0644 'dracut.conf' +maybe chmod 0755 'dracut.conf.d' +maybe chmod 0644 'dracut.conf.d/40-fips.conf' +maybe chmod 0755 'egl' +maybe chmod 0755 'egl/egl_external_platform.d' +maybe chmod 0644 'environment' +maybe chmod 0755 'environment-modules' +maybe chmod 0644 'environment-modules/initrc' +maybe chmod 0644 'environment-modules/modulespath' +maybe chmod 0644 'environment-modules/siteconfig.tcl' +maybe chmod 0755 'etckeeper' +maybe chmod 0755 'etckeeper/commit.d' +maybe chmod 0755 'etckeeper/commit.d/10vcs-test' +maybe chmod 0755 'etckeeper/commit.d/30bzr-add' +maybe chmod 0755 'etckeeper/commit.d/30darcs-add' +maybe chmod 0755 'etckeeper/commit.d/30git-add' +maybe chmod 0755 'etckeeper/commit.d/30hg-addremove' +maybe chmod 0755 'etckeeper/commit.d/50vcs-commit' +maybe chmod 0755 'etckeeper/commit.d/99push' +maybe chmod 0644 'etckeeper/commit.d/README' +maybe chmod 0755 'etckeeper/daily' +maybe chmod 0644 'etckeeper/etckeeper.conf' +maybe chmod 0755 'etckeeper/init.d' +maybe chmod 0755 'etckeeper/init.d/10restore-metadata' +maybe chmod 0755 'etckeeper/init.d/20restore-etckeeper' +maybe chmod 0755 'etckeeper/init.d/40vcs-init' +maybe chmod 0755 'etckeeper/init.d/50vcs-ignore' +maybe chmod 0755 'etckeeper/init.d/50vcs-perm' +maybe chmod 0755 'etckeeper/init.d/50vcs-pre-commit-hook' +maybe chmod 0755 
'etckeeper/init.d/60darcs-deleted-symlinks' +maybe chmod 0755 'etckeeper/init.d/70vcs-add' +maybe chmod 0644 'etckeeper/init.d/README' +maybe chmod 0755 'etckeeper/list-installed.d' +maybe chmod 0755 'etckeeper/list-installed.d/50list-installed' +maybe chmod 0755 'etckeeper/post-install.d' +maybe chmod 0755 'etckeeper/post-install.d/50vcs-commit' +maybe chmod 0644 'etckeeper/post-install.d/README' +maybe chmod 0755 'etckeeper/pre-commit.d' +maybe chmod 0755 'etckeeper/pre-commit.d/20warn-problem-files' +maybe chmod 0755 'etckeeper/pre-commit.d/30store-metadata' +maybe chmod 0644 'etckeeper/pre-commit.d/README' +maybe chmod 0755 'etckeeper/pre-install.d' +maybe chmod 0755 'etckeeper/pre-install.d/10packagelist' +maybe chmod 0755 'etckeeper/pre-install.d/50uncommitted-changes' +maybe chmod 0644 'etckeeper/pre-install.d/README' +maybe chmod 0755 'etckeeper/unclean.d' +maybe chmod 0755 'etckeeper/unclean.d/50test' +maybe chmod 0644 'etckeeper/unclean.d/README' +maybe chmod 0755 'etckeeper/uninit.d' +maybe chmod 0755 'etckeeper/uninit.d/01prompt' +maybe chmod 0755 'etckeeper/uninit.d/50remove-metadata' +maybe chmod 0755 'etckeeper/uninit.d/50vcs-uninit' +maybe chmod 0644 'etckeeper/uninit.d/README' +maybe chmod 0755 'etckeeper/update-ignore.d' +maybe chmod 0755 'etckeeper/update-ignore.d/01update-ignore' +maybe chmod 0644 'etckeeper/update-ignore.d/README' +maybe chmod 0755 'etckeeper/vcs.d' +maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd' +maybe chmod 0644 'ethertypes' +maybe chmod 0644 'exports' +maybe chmod 0755 'exports.d' +maybe chmod 0755 'fail2ban' +maybe chmod 0755 'fail2ban/action.d' +maybe chmod 0644 'fail2ban/action.d/abuseipdb.conf' +maybe chmod 0644 'fail2ban/action.d/apf.conf' +maybe chmod 0644 'fail2ban/action.d/badips.conf' +maybe chmod 0644 'fail2ban/action.d/badips.py' +maybe chmod 0644 'fail2ban/action.d/badips.py.rpmnew' +maybe chmod 0644 'fail2ban/action.d/blocklist_de.conf' +maybe chmod 0644 'fail2ban/action.d/cloudflare.conf' +maybe chmod 0644 
'fail2ban/action.d/dshield.conf' +maybe chmod 0644 'fail2ban/action.d/dummy.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-allports.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-common.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-ipset.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-multiport.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-new.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-logging.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-rules.conf' +maybe chmod 0644 'fail2ban/action.d/helpers-common.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-allports.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-common.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto4.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6-allports.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6.conf' +maybe chmod 0640 'fail2ban/action.d/iptables-ipset.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-multiport-log.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-multiport.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-new.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-xt_recent-echo.conf' +maybe chmod 0644 'fail2ban/action.d/iptables.conf' +maybe chmod 0644 'fail2ban/action.d/mail-whois-common.conf' +maybe chmod 0644 'fail2ban/action.d/mail.conf.rpmsave' +maybe chmod 0644 'fail2ban/action.d/mynetwatchman.conf' +maybe chmod 0644 'fail2ban/action.d/netscaler.conf' +maybe chmod 0644 'fail2ban/action.d/nftables-allports.conf' +maybe chmod 0644 'fail2ban/action.d/nftables-multiport.conf' +maybe chmod 0644 'fail2ban/action.d/nftables.conf' +maybe chmod 0644 'fail2ban/action.d/nginx-block-map.conf' +maybe chmod 0644 'fail2ban/action.d/npf.conf' +maybe chmod 0644 'fail2ban/action.d/nsupdate.conf' +maybe chmod 0644 'fail2ban/action.d/route.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-buffered.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-common.conf' 
+maybe chmod 0644 'fail2ban/action.d/sendmail-geoip-lines.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipjailmatches.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipmatches.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois-lines.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois-matches.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail.conf' +maybe chmod 0644 'fail2ban/action.d/shorewall-ipset-proto6.conf' +maybe chmod 0644 'fail2ban/action.d/smtp.py' +maybe chmod 0644 'fail2ban/action.d/smtp.py.rpmnew' +maybe chmod 0644 'fail2ban/action.d/symbiosis-blacklist-allports.conf' +maybe chmod 0644 'fail2ban/action.d/xarf-login-attack.conf' +maybe chmod 0644 'fail2ban/fail2ban.conf' +maybe chmod 0644 'fail2ban/fail2ban.conf.rpmnew' +maybe chmod 0755 'fail2ban/fail2ban.d' +maybe chmod 0755 'fail2ban/filter.d' +maybe chmod 0644 'fail2ban/filter.d/3proxy.conf' +maybe chmod 0640 'fail2ban/filter.d/a.txt' +maybe chmod 0644 'fail2ban/filter.d/apache-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-badbots.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-botsearch.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-common.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-fakegooglebot.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-modsecurity.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-nohome.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-noscript.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-overflows.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-pass.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-shellshock.conf' +maybe chmod 0644 'fail2ban/filter.d/assp.conf' +maybe chmod 0644 'fail2ban/filter.d/asterisk.conf' +maybe chmod 0644 'fail2ban/filter.d/bitwarden.conf' +maybe chmod 0644 'fail2ban/filter.d/botsearch-common.conf' +maybe chmod 0644 'fail2ban/filter.d/centreon.conf' +maybe chmod 0644 'fail2ban/filter.d/common.conf' +maybe chmod 0644 
'fail2ban/filter.d/counter-strike.conf' +maybe chmod 0644 'fail2ban/filter.d/courier-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/courier-smtp.conf' +maybe chmod 0644 'fail2ban/filter.d/cyrus-imap.conf' +maybe chmod 0644 'fail2ban/filter.d/directadmin.conf' +maybe chmod 0644 'fail2ban/filter.d/domino-smtp.conf' +maybe chmod 0644 'fail2ban/filter.d/dovecot.conf' +maybe chmod 0644 'fail2ban/filter.d/dovecot.conf.rpmnew' +maybe chmod 0644 'fail2ban/filter.d/dropbear.conf' +maybe chmod 0644 'fail2ban/filter.d/drupal-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/ejabberd-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/exim-common.conf' +maybe chmod 0644 'fail2ban/filter.d/exim-spam.conf' +maybe chmod 0644 'fail2ban/filter.d/exim.conf' +maybe chmod 0644 'fail2ban/filter.d/freeswitch.conf' +maybe chmod 0644 'fail2ban/filter.d/froxlor-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/gitlab.conf' +maybe chmod 0644 'fail2ban/filter.d/grafana.conf' +maybe chmod 0644 'fail2ban/filter.d/groupoffice.conf' +maybe chmod 0644 'fail2ban/filter.d/gssftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/guacamole.conf' +maybe chmod 0644 'fail2ban/filter.d/haproxy-http-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/horde.conf' +maybe chmod 0755 'fail2ban/filter.d/ignorecommands' +maybe chmod 0755 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot' +maybe chmod 0644 'fail2ban/filter.d/kerio.conf' +maybe chmod 0644 'fail2ban/filter.d/lighttpd-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/mongodb-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/monit.conf' +maybe chmod 0644 'fail2ban/filter.d/murmur.conf' +maybe chmod 0644 'fail2ban/filter.d/mysqld-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/nagios.conf' +maybe chmod 0644 'fail2ban/filter.d/named-refused.conf' +maybe chmod 0644 'fail2ban/filter.d/named-refused.conf.rpmnew' +maybe chmod 0644 'fail2ban/filter.d/nginx-botsearch.conf' +maybe chmod 0640 'fail2ban/filter.d/nginx-forbidden.conf' +maybe chmod 0644 
'fail2ban/filter.d/nginx-http-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/nginx-limit-req.conf' +maybe chmod 0644 'fail2ban/filter.d/nsd.conf' +maybe chmod 0644 'fail2ban/filter.d/openhab.conf' +maybe chmod 0644 'fail2ban/filter.d/openwebmail.conf' +maybe chmod 0644 'fail2ban/filter.d/oracleims.conf' +maybe chmod 0644 'fail2ban/filter.d/pam-generic.conf' +maybe chmod 0644 'fail2ban/filter.d/perdition.conf' +maybe chmod 0644 'fail2ban/filter.d/php-url-fopen.conf' +maybe chmod 0644 'fail2ban/filter.d/phpmyadmin-syslog.conf' +maybe chmod 0644 'fail2ban/filter.d/portsentry.conf' +maybe chmod 0640 'fail2ban/filter.d/postfix-auth.conf' +maybe chmod 0640 'fail2ban/filter.d/postfix-rbl.conf' +maybe chmod 0644 'fail2ban/filter.d/postfix-sasl.conf' +maybe chmod 0640 'fail2ban/filter.d/postfix-smtp-reject.conf' +maybe chmod 0640 'fail2ban/filter.d/postfix-ssl-error.conf' +maybe chmod 0644 'fail2ban/filter.d/postfix.conf' +maybe chmod 0644 'fail2ban/filter.d/proftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/pure-ftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/qmail.conf' +maybe chmod 0644 'fail2ban/filter.d/recidive.conf' +maybe chmod 0644 'fail2ban/filter.d/roundcube-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/screensharingd.conf' +maybe chmod 0644 'fail2ban/filter.d/selinux-common.conf' +maybe chmod 0644 'fail2ban/filter.d/selinux-ssh.conf' +maybe chmod 0644 'fail2ban/filter.d/sendmail-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/sendmail-reject.conf' +maybe chmod 0644 'fail2ban/filter.d/sieve.conf' +maybe chmod 0644 'fail2ban/filter.d/slapd.conf' +maybe chmod 0644 'fail2ban/filter.d/softethervpn.conf' +maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf' +maybe chmod 0644 'fail2ban/filter.d/squid.conf' +maybe chmod 0644 'fail2ban/filter.d/squirrelmail.conf' +maybe chmod 0644 'fail2ban/filter.d/sshd.conf' +maybe chmod 0644 'fail2ban/filter.d/sshd.conf.rpmnew' +maybe chmod 0644 'fail2ban/filter.d/stunnel.conf' 
+maybe chmod 0644 'fail2ban/filter.d/suhosin.conf' +maybe chmod 0644 'fail2ban/filter.d/tine20.conf' +maybe chmod 0644 'fail2ban/filter.d/traefik-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/uwimap-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/vsftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/webmin-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf' +maybe chmod 0644 'fail2ban/filter.d/znc-adminlog.conf' +maybe chmod 0644 'fail2ban/filter.d/zoneminder.conf' +maybe chmod 0644 'fail2ban/jail.conf' +maybe chmod 0644 'fail2ban/jail.conf.rpmnew' +maybe chmod 0755 'fail2ban/jail.d' +maybe chmod 0644 'fail2ban/jail.d/00-firewalld.conf' +maybe chmod 0640 'fail2ban/jail.d/default.conf' +maybe chmod 0644 'fail2ban/jail.d/recidive.conf' +maybe chmod 0640 'fail2ban/jail.local' +maybe chmod 0644 'fail2ban/paths-common.conf' +maybe chmod 0644 'fail2ban/paths-fedora.conf' +maybe chmod 0755 'falco' +maybe chmod 0644 'falco/falco.yaml' +maybe chmod 0644 'falco/falco_rules.local.yaml' +maybe chmod 0644 'falco/falco_rules.yaml' +maybe chmod 0644 'falco/k8s_audit_rules.yaml' +maybe chmod 0755 'falco/rules.available' +maybe chmod 0644 'falco/rules.available/application_rules.yaml' +maybe chmod 0755 'falco/rules.d' +maybe chmod 0644 'filesystems' +maybe chmod 0750 'firewalld' +maybe chmod 0644 'firewalld/firewalld.conf' +maybe chmod 0750 'firewalld/helpers' +maybe chmod 0750 'firewalld/icmptypes' +maybe chmod 0750 'firewalld/ipsets' +maybe chmod 0644 'firewalld/lockdown-whitelist.xml' +maybe chmod 0750 'firewalld/services' +maybe chmod 0750 'firewalld/zones' +maybe chmod 0644 'firewalld/zones/public.xml' +maybe chmod 0755 'fonts' +maybe chmod 0755 'fonts/conf.d' +maybe chmod 0644 'fonts/conf.d/README' +maybe chmod 0644 'fonts/fonts.conf' +maybe chmod 0600 'freshclam.conf' +maybe chmod 0644 'freshclam.conf.rpmnew' +maybe chown 'amavis' 'freshclam.conf.rpmsave' +maybe chgrp 'amavis' 'freshclam.conf.rpmsave' +maybe chmod 
0600 'freshclam.conf.rpmsave' +maybe chmod 0644 'fstab' +maybe chmod 0644 'fuse.conf' +maybe chmod 0755 'gcrypt' +maybe chmod 0644 'gcrypt/random.conf' +maybe chmod 0644 'gdbinit' +maybe chmod 0755 'gdbinit.d' +maybe chmod 0755 'glances' +maybe chmod 0644 'glances/glances.conf' +maybe chmod 0755 'glvnd' +maybe chmod 0755 'glvnd/egl_vendor.d' +maybe chmod 0755 'gnupg' +maybe chmod 0640 'grc.conf' +maybe chmod 0640 'grc.fish' +maybe chmod 0640 'grc.zsh' +maybe chmod 0755 'groff' +maybe chmod 0755 'groff/site-font' +maybe chmod 0755 'groff/site-tmac' +maybe chmod 0644 'groff/site-tmac/man.local' +maybe chmod 0644 'groff/site-tmac/mdoc.local' +maybe chmod 0644 'group' +maybe chmod 0644 'group-' +maybe chmod 0700 'grub.d' +maybe chmod 0755 'grub.d/00_header' +maybe chmod 0755 'grub.d/00_tuned' +maybe chmod 0755 'grub.d/01_users' +maybe chmod 0755 'grub.d/08_fallback_counting' +maybe chmod 0755 'grub.d/10_linux' +maybe chmod 0755 'grub.d/10_reset_boot_success' +maybe chmod 0755 'grub.d/12_menu_auto_hide' +maybe chmod 0755 'grub.d/20_linux_xen' +maybe chmod 0755 'grub.d/20_ppc_terminfo' +maybe chmod 0755 'grub.d/30_os-prober' +maybe chmod 0755 'grub.d/30_uefi-firmware' +maybe chmod 0755 'grub.d/40_custom' +maybe chmod 0755 'grub.d/41_custom' +maybe chmod 0644 'grub.d/README' +maybe chmod 0000 'gshadow' +maybe chmod 0000 'gshadow-' +maybe chmod 0755 'gss' +maybe chmod 0755 'gss/mech.d' +maybe chmod 0644 'gss/mech.d/gssproxy.conf' +maybe chmod 0755 'gssproxy' +maybe chmod 0600 'gssproxy/24-nfs-server.conf' +maybe chmod 0600 'gssproxy/99-nfs-client.conf' +maybe chmod 0600 'gssproxy/gssproxy.conf' +maybe chmod 0644 'host.conf' +maybe chmod 0644 'hostname' +maybe chmod 0644 'hosts' +maybe chgrp 'ossec' 'hosts.deny' +maybe chmod 0644 'hosts.deny' +maybe chmod 0644 'hosts.sbak' +maybe chmod 0755 'httpd' +maybe chmod 0755 'httpd/conf' +maybe chmod 0755 'httpd/conf.d' +maybe chmod 0644 'httpd/conf.d/README' +maybe chmod 0644 'httpd/conf.d/acme.conf' +maybe chmod 0644 
'httpd/conf.d/autoindex.conf' +maybe chmod 0644 'httpd/conf.d/awstats.conf' +maybe chmod 0644 'httpd/conf.d/mailgraph.conf' +maybe chmod 0640 'httpd/conf.d/mod_deflate.conf' +maybe chmod 0644 'httpd/conf.d/perl.conf' +maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew' +maybe chmod 0644 'httpd/conf.d/php.conf' +maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf' +maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled' +maybe chmod 0644 'httpd/conf.d/userdir.conf' +maybe chmod 0644 'httpd/conf.d/welcome.conf' +maybe chmod 0644 'httpd/conf.d/welcome.conf.rpmnew' +maybe chmod 0755 'httpd/conf.modules.d' +maybe chmod 0644 'httpd/conf.modules.d/00-base.conf' +maybe chmod 0644 'httpd/conf.modules.d/00-dav.conf' +maybe chmod 0644 'httpd/conf.modules.d/00-lua.conf' +maybe chmod 0644 'httpd/conf.modules.d/00-mpm.conf' +maybe chmod 0644 'httpd/conf.modules.d/00-optional.conf' +maybe chmod 0644 'httpd/conf.modules.d/00-proxy.conf' +maybe chmod 0644 'httpd/conf.modules.d/00-ssl.conf' +maybe chmod 0644 'httpd/conf.modules.d/00-systemd.conf' +maybe chmod 0644 'httpd/conf.modules.d/01-cgi.conf' +maybe chmod 0644 'httpd/conf.modules.d/02-perl.conf' +maybe chmod 0644 'httpd/conf.modules.d/10-h2.conf' +maybe chmod 0644 'httpd/conf.modules.d/10-proxy_h2.conf' +maybe chmod 0644 'httpd/conf.modules.d/15-php.conf' +maybe chmod 0644 'httpd/conf.modules.d/15-php.conf.rpmnew' +maybe chmod 0644 'httpd/conf.modules.d/README' +maybe chmod 0644 'httpd/conf/httpd.conf' +maybe chmod 0644 'httpd/conf/magic' +maybe chmod 0644 'idmapd.conf' +maybe chmod 0755 'immortal' +maybe chmod 0644 'incron.conf' +maybe chmod 0755 'incron.d' +maybe chmod 0644 'inittab' +maybe chmod 0644 'inputrc' +maybe chmod 0755 'iproute2' +maybe chmod 0644 'iproute2/bpf_pinning' +maybe chmod 0644 'iproute2/ematch_map' +maybe chmod 0644 'iproute2/group' +maybe chmod 0644 'iproute2/nl_protos' +maybe chmod 0644 'iproute2/rt_dsfield' +maybe chmod 0644 'iproute2/rt_protos' +maybe chmod 0644 'iproute2/rt_realms' +maybe chmod 0644 
'iproute2/rt_scopes' +maybe chmod 0644 'iproute2/rt_tables' +maybe chmod 0644 'issue' +maybe chmod 0755 'issue.d' +maybe chmod 0644 'issue.net' +maybe chmod 0644 'issue.rpmnew' +maybe chmod 0755 'java' +maybe chmod 0755 'java/java-1.8.0-openjdk' +maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64' +maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/calendars.properties' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/logging.properties' +maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/blacklisted.certs' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/java.policy' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/java.security' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/nss.cfg' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/nss.fips.cfg' +maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy' +maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited/US_export_policy.jar' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited/local_policy.jar' +maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited' +maybe 
chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited/US_export_policy.jar' +maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited/local_policy.jar' +maybe chmod 0755 'java/security' +maybe chmod 0755 'java/security/security.d' +maybe chmod 0755 'jvm' +maybe chmod 0755 'jvm-commmon' +maybe chmod 0755 'kernel' +maybe chmod 0755 'kernel/install.d' +maybe chmod 0644 'kernel/install.d/20-grubby.install' +maybe chmod 0644 'kernel/install.d/90-loaderentry.install' +maybe chmod 0755 'kernel/postinst.d' +maybe chmod 0755 'kernel/postinst.d/dkms' +maybe chmod 0755 'kernel/prerm.d' +maybe chmod 0755 'kernel/prerm.d/dkms' +maybe chmod 0644 'krb5.conf' +maybe chmod 0755 'krb5.conf.d' +maybe chmod 0644 'krb5.conf.d/kcm_default_ccache' +maybe chmod 0644 'ld.so.conf' +maybe chmod 0755 'ld.so.conf.d' +maybe chmod 0644 'ld.so.conf.d/bind-export-x86_64.conf' +maybe chmod 0644 'ld.so.conf.d/dyninst-x86_64.conf' +maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-193.6.3.el8_2.x86_64.conf' +maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-240.10.1.el8_3.x86_64.conf' +maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-240.15.1.el8_3.x86_64.conf' +maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-240.22.1.el8_3.x86_64.conf' +maybe chmod 0755 'letsencrypt' +maybe chown 'setroubleshoot' 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt' +maybe chgrp 'setroubleshoot' 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt' +maybe chmod 0644 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt' +maybe chown 'setroubleshoot' 'letsencrypt/.updated-options-ssl-nginx-conf-digest.txt' +maybe chgrp 'setroubleshoot' 'letsencrypt/.updated-options-ssl-nginx-conf-digest.txt' +maybe chmod 0644 'letsencrypt/.updated-options-ssl-nginx-conf-digest.txt' +maybe chown 'setroubleshoot' 'letsencrypt/.updated-ssl-dhparams-pem-digest.txt' +maybe chgrp 'setroubleshoot' 
'letsencrypt/.updated-ssl-dhparams-pem-digest.txt' +maybe chmod 0644 'letsencrypt/.updated-ssl-dhparams-pem-digest.txt' +maybe chown 'setroubleshoot' 'letsencrypt/accounts' +maybe chgrp 'setroubleshoot' 'letsencrypt/accounts' +maybe chmod 0700 'letsencrypt/accounts' +maybe chmod 0700 'letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org' +maybe chmod 0700 'letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory' +maybe chmod 0700 'letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/8c870eb6e2bbf8f8d2c2f25f758c6e72' +maybe chmod 0640 'letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/8c870eb6e2bbf8f8d2c2f25f758c6e72/meta.json' +maybe chmod 0400 'letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/8c870eb6e2bbf8f8d2c2f25f758c6e72/private_key.json' +maybe chmod 0640 'letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/8c870eb6e2bbf8f8d2c2f25f758c6e72/regr.json' +maybe chown 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org' +maybe chgrp 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org' +maybe chmod 0700 'letsencrypt/accounts/acme-v01.api.letsencrypt.org' +maybe chown 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory' +maybe chgrp 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory' +maybe chmod 0700 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory' +maybe chown 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0' +maybe chgrp 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0' +maybe chmod 0700 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0' +maybe chown 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0/meta.json' +maybe chgrp 'setroubleshoot' 
'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0/meta.json' +maybe chmod 0644 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0/meta.json' +maybe chown 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0/private_key.json' +maybe chgrp 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0/private_key.json' +maybe chmod 0400 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0/private_key.json' +maybe chown 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0/regr.json' +maybe chgrp 'setroubleshoot' 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0/regr.json' +maybe chmod 0644 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/995d0d90943dc1603856ca5d83fcd7e0/regr.json' +maybe chmod 0700 'letsencrypt/accounts/acme-v02.api.letsencrypt.org' +maybe chown 'setroubleshoot' 'letsencrypt/archive' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive' +maybe chmod 0700 'letsencrypt/archive' +maybe chown 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro' +maybe chmod 0755 'letsencrypt/archive/bcn.898.ro' +maybe chown 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/cert1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/cert1.pem' +maybe chmod 0644 'letsencrypt/archive/bcn.898.ro/cert1.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/cert2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/bcn.898.ro/cert2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/chain1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/chain1.pem' +maybe 
chmod 0644 'letsencrypt/archive/bcn.898.ro/chain1.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/chain2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/bcn.898.ro/chain2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/fullchain1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/fullchain1.pem' +maybe chmod 0644 'letsencrypt/archive/bcn.898.ro/fullchain1.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/fullchain2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/bcn.898.ro/fullchain2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/privkey1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/privkey1.pem' +maybe chmod 0644 'letsencrypt/archive/bcn.898.ro/privkey1.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/privkey2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/bcn.898.ro/privkey2.pem' +maybe chmod 0640 'letsencrypt/archive/bcn.898.ro/privkey2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro' +maybe chmod 0755 'letsencrypt/archive/club3d.ro' +maybe chmod 0750 'letsencrypt/archive/club3d.ro-0001' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert1.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro-0001/cert10.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert11.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert12.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert5.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert6.pem' +maybe chmod 0640 
'letsencrypt/archive/club3d.ro-0001/cert7.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert8.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/cert9.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain1.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro-0001/chain10.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain11.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain12.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain5.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain6.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain7.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain8.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/chain9.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain1.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro-0001/fullchain10.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain11.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain12.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain4.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain5.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain6.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain7.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain8.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/fullchain9.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey1.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey10.pem' +maybe chmod 0640 
'letsencrypt/archive/club3d.ro-0001/privkey11.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey12.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey2.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey4.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey5.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey6.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey7.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey8.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro-0001/privkey9.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/cert1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/cert1.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/cert10.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro/cert11.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/cert2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/cert2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/cert3.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/cert5.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/cert6.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/cert7.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/cert8.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/cert9.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/chain1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/chain1.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro/chain1.pem' +maybe chmod 0640 
'letsencrypt/archive/club3d.ro/chain10.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro/chain11.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/chain2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/chain2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/chain3.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/chain5.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/chain6.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/chain7.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/chain8.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/chain9.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/fullchain1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/fullchain1.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/fullchain10.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro/fullchain11.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/fullchain2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/fullchain2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/fullchain3.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/fullchain3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/fullchain3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/fullchain4.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/fullchain5.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/fullchain6.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/fullchain7.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/fullchain8.pem' 
+maybe chmod 0640 'letsencrypt/archive/club3d.ro/fullchain9.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/privkey1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/privkey1.pem' +maybe chmod 0644 'letsencrypt/archive/club3d.ro/privkey1.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey10.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey11.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/privkey2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/privkey2.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/club3d.ro/privkey3.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/club3d.ro/privkey3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey3.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey4.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey5.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey6.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey7.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey8.pem' +maybe chmod 0640 'letsencrypt/archive/club3d.ro/privkey9.pem' +maybe chmod 0750 'letsencrypt/archive/files.898.ro' +maybe chmod 0640 'letsencrypt/archive/files.898.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/files.898.ro/cert2.pem' +maybe chmod 0644 'letsencrypt/archive/files.898.ro/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/files.898.ro/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/files.898.ro/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/files.898.ro/chain2.pem' +maybe chmod 0644 'letsencrypt/archive/files.898.ro/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/files.898.ro/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/files.898.ro/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/files.898.ro/fullchain2.pem' +maybe chmod 0644 'letsencrypt/archive/files.898.ro/fullchain3.pem' +maybe chmod 0640 
'letsencrypt/archive/files.898.ro/fullchain4.pem' +maybe chmod 0600 'letsencrypt/archive/files.898.ro/privkey1.pem' +maybe chmod 0600 'letsencrypt/archive/files.898.ro/privkey2.pem' +maybe chmod 0600 'letsencrypt/archive/files.898.ro/privkey3.pem' +maybe chmod 0600 'letsencrypt/archive/files.898.ro/privkey4.pem' +maybe chmod 0750 'letsencrypt/archive/git.898.ro' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/cert3.pem' +maybe chmod 0644 'letsencrypt/archive/git.898.ro/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/cert5.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/chain3.pem' +maybe chmod 0644 'letsencrypt/archive/git.898.ro/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/chain5.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/fullchain3.pem' +maybe chmod 0644 'letsencrypt/archive/git.898.ro/fullchain4.pem' +maybe chmod 0640 'letsencrypt/archive/git.898.ro/fullchain5.pem' +maybe chmod 0600 'letsencrypt/archive/git.898.ro/privkey1.pem' +maybe chmod 0600 'letsencrypt/archive/git.898.ro/privkey2.pem' +maybe chmod 0600 'letsencrypt/archive/git.898.ro/privkey3.pem' +maybe chmod 0600 'letsencrypt/archive/git.898.ro/privkey4.pem' +maybe chmod 0600 'letsencrypt/archive/git.898.ro/privkey5.pem' +maybe chmod 0750 'letsencrypt/archive/jekyll.club3d.ro' +maybe chmod 0640 'letsencrypt/archive/jekyll.club3d.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/jekyll.club3d.ro/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/jekyll.club3d.ro/fullchain1.pem' +maybe chmod 0600 'letsencrypt/archive/jekyll.club3d.ro/privkey1.pem' +maybe chmod 0755 
'letsencrypt/archive/mail.898.ro' +maybe chmod 0644 'letsencrypt/archive/mail.898.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/mail.898.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.898.ro/cert3.pem' +maybe chmod 0644 'letsencrypt/archive/mail.898.ro/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/mail.898.ro/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.898.ro/chain3.pem' +maybe chmod 0644 'letsencrypt/archive/mail.898.ro/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/mail.898.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.898.ro/fullchain3.pem' +maybe chmod 0600 'letsencrypt/archive/mail.898.ro/privkey1.pem' +maybe chmod 0600 'letsencrypt/archive/mail.898.ro/privkey2.pem' +maybe chmod 0600 'letsencrypt/archive/mail.898.ro/privkey3.pem' +maybe chmod 0750 'letsencrypt/archive/mail.anywhere.ro' +maybe chmod 0640 'letsencrypt/archive/mail.anywhere.ro/cert1.pem' +maybe chmod 0644 'letsencrypt/archive/mail.anywhere.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.anywhere.ro/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/mail.anywhere.ro/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/mail.anywhere.ro/chain1.pem' +maybe chmod 0644 'letsencrypt/archive/mail.anywhere.ro/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.anywhere.ro/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/mail.anywhere.ro/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/mail.anywhere.ro/fullchain1.pem' +maybe chmod 0644 'letsencrypt/archive/mail.anywhere.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.anywhere.ro/fullchain3.pem' +maybe chmod 0640 'letsencrypt/archive/mail.anywhere.ro/fullchain4.pem' +maybe chmod 0600 'letsencrypt/archive/mail.anywhere.ro/privkey1.pem' +maybe chmod 0600 'letsencrypt/archive/mail.anywhere.ro/privkey2.pem' +maybe chmod 0600 'letsencrypt/archive/mail.anywhere.ro/privkey3.pem' +maybe chmod 0600 'letsencrypt/archive/mail.anywhere.ro/privkey4.pem' +maybe chmod 0750 
'letsencrypt/archive/mail.club3d.ro' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert1.pem' +maybe chmod 0644 'letsencrypt/archive/mail.club3d.ro/cert10.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert11.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert5.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert6.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert7.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert8.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/cert9.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain1.pem' +maybe chmod 0644 'letsencrypt/archive/mail.club3d.ro/chain10.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain11.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain5.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain6.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain7.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain8.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/chain9.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/fullchain1.pem' +maybe chmod 0644 'letsencrypt/archive/mail.club3d.ro/fullchain10.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/fullchain11.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/fullchain3.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/fullchain4.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/fullchain5.pem' +maybe chmod 0640 
'letsencrypt/archive/mail.club3d.ro/fullchain6.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/fullchain7.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/fullchain8.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/fullchain9.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey1.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey10.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey11.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey2.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey3.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey4.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey5.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey6.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey7.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey8.pem' +maybe chmod 0640 'letsencrypt/archive/mail.club3d.ro/privkey9.pem' +maybe chmod 0750 'letsencrypt/archive/rspamd.club3d.ro' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/cert10.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/cert5.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/cert6.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/cert7.pem' +maybe chmod 0644 'letsencrypt/archive/rspamd.club3d.ro/cert8.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/cert9.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/chain10.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/chain2.pem' +maybe chmod 0640 
'letsencrypt/archive/rspamd.club3d.ro/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/chain5.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/chain6.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/chain7.pem' +maybe chmod 0644 'letsencrypt/archive/rspamd.club3d.ro/chain8.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/chain9.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/fullchain10.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/fullchain3.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/fullchain4.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/fullchain5.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/fullchain6.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/fullchain7.pem' +maybe chmod 0644 'letsencrypt/archive/rspamd.club3d.ro/fullchain8.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/fullchain9.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey1.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey10.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey2.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey3.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey4.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey5.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey6.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey7.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey8.pem' +maybe chmod 0640 'letsencrypt/archive/rspamd.club3d.ro/privkey9.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/scmp.ro' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/scmp.ro' 
+maybe chmod 0755 'letsencrypt/archive/scmp.ro' +maybe chown 'setroubleshoot' 'letsencrypt/archive/scmp.ro/cert1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/scmp.ro/cert1.pem' +maybe chmod 0644 'letsencrypt/archive/scmp.ro/cert1.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/scmp.ro/cert2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/scmp.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/scmp.ro/cert2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/scmp.ro/chain1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/scmp.ro/chain1.pem' +maybe chmod 0644 'letsencrypt/archive/scmp.ro/chain1.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/scmp.ro/chain2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/scmp.ro/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/scmp.ro/chain2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/scmp.ro/fullchain1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/scmp.ro/fullchain1.pem' +maybe chmod 0644 'letsencrypt/archive/scmp.ro/fullchain1.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/scmp.ro/fullchain2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/scmp.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/scmp.ro/fullchain2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/scmp.ro/privkey1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/scmp.ro/privkey1.pem' +maybe chmod 0644 'letsencrypt/archive/scmp.ro/privkey1.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/scmp.ro/privkey2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/scmp.ro/privkey2.pem' +maybe chmod 0640 'letsencrypt/archive/scmp.ro/privkey2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro' +maybe chmod 0755 'letsencrypt/archive/sumo.898.ro' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/cert1.pem' +maybe chgrp 'setroubleshoot' 
'letsencrypt/archive/sumo.898.ro/cert1.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/cert10.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/cert11.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/cert2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/cert2.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/cert2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/cert3.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/cert5.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/cert6.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/cert7.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/cert8.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/cert9.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/chain1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/chain1.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/chain10.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/chain11.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/chain2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/chain2.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/chain2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/chain3.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/chain5.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/chain6.pem' +maybe chmod 0640 
'letsencrypt/archive/sumo.898.ro/chain7.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/chain8.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/chain9.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/fullchain1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/fullchain1.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/fullchain10.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/fullchain11.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/fullchain2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/fullchain2.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/fullchain2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/fullchain3.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/fullchain3.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/fullchain3.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/fullchain4.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/fullchain5.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/fullchain6.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/fullchain7.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/fullchain8.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/fullchain9.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/privkey1.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/privkey1.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/privkey1.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/privkey10.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/privkey11.pem' +maybe chown 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/privkey2.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/privkey2.pem' +maybe chmod 0644 'letsencrypt/archive/sumo.898.ro/privkey2.pem' +maybe chown 'setroubleshoot' 
'letsencrypt/archive/sumo.898.ro/privkey3.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/archive/sumo.898.ro/privkey3.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/privkey3.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/privkey4.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/privkey5.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/privkey6.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/privkey7.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/privkey8.pem' +maybe chmod 0640 'letsencrypt/archive/sumo.898.ro/privkey9.pem' +maybe chmod 0750 'letsencrypt/archive/trtlexplorer.gocrypto.ro' +maybe chmod 0640 'letsencrypt/archive/trtlexplorer.gocrypto.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/trtlexplorer.gocrypto.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/trtlexplorer.gocrypto.ro/cert3.pem' +maybe chmod 0644 'letsencrypt/archive/trtlexplorer.gocrypto.ro/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/trtlexplorer.gocrypto.ro/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/trtlexplorer.gocrypto.ro/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/trtlexplorer.gocrypto.ro/chain3.pem' +maybe chmod 0644 'letsencrypt/archive/trtlexplorer.gocrypto.ro/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/trtlexplorer.gocrypto.ro/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/trtlexplorer.gocrypto.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/trtlexplorer.gocrypto.ro/fullchain3.pem' +maybe chmod 0644 'letsencrypt/archive/trtlexplorer.gocrypto.ro/fullchain4.pem' +maybe chmod 0600 'letsencrypt/archive/trtlexplorer.gocrypto.ro/privkey1.pem' +maybe chmod 0600 'letsencrypt/archive/trtlexplorer.gocrypto.ro/privkey2.pem' +maybe chmod 0600 'letsencrypt/archive/trtlexplorer.gocrypto.ro/privkey3.pem' +maybe chmod 0600 'letsencrypt/archive/trtlexplorer.gocrypto.ro/privkey4.pem' +maybe chmod 0750 'letsencrypt/archive/zira.898.ro' +maybe chmod 0750 'letsencrypt/archive/zira.898.ro-0001' +maybe 
chmod 0640 'letsencrypt/archive/zira.898.ro-0001/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro-0001/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro-0001/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro-0001/privkey1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/cert2.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/cert3.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/cert4.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/cert5.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/cert6.pem' +maybe chmod 0644 'letsencrypt/archive/zira.898.ro/cert7.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/cert8.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/cert9.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/chain2.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/chain3.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/chain4.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/chain5.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/chain6.pem' +maybe chmod 0644 'letsencrypt/archive/zira.898.ro/chain7.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/chain8.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/chain9.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/fullchain2.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/fullchain3.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/fullchain4.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/fullchain5.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/fullchain6.pem' +maybe chmod 0644 'letsencrypt/archive/zira.898.ro/fullchain7.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/fullchain8.pem' +maybe chmod 0640 'letsencrypt/archive/zira.898.ro/fullchain9.pem' 
+maybe chmod 0600 'letsencrypt/archive/zira.898.ro/privkey1.pem' +maybe chmod 0600 'letsencrypt/archive/zira.898.ro/privkey2.pem' +maybe chmod 0600 'letsencrypt/archive/zira.898.ro/privkey3.pem' +maybe chmod 0600 'letsencrypt/archive/zira.898.ro/privkey4.pem' +maybe chmod 0600 'letsencrypt/archive/zira.898.ro/privkey5.pem' +maybe chmod 0600 'letsencrypt/archive/zira.898.ro/privkey6.pem' +maybe chmod 0600 'letsencrypt/archive/zira.898.ro/privkey7.pem' +maybe chmod 0600 'letsencrypt/archive/zira.898.ro/privkey8.pem' +maybe chmod 0600 'letsencrypt/archive/zira.898.ro/privkey9.pem' +maybe chmod 0755 'letsencrypt/archive/zira.go.ro' +maybe chmod 0644 'letsencrypt/archive/zira.go.ro/cert1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.go.ro/cert2.pem' +maybe chmod 0644 'letsencrypt/archive/zira.go.ro/chain1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.go.ro/chain2.pem' +maybe chmod 0644 'letsencrypt/archive/zira.go.ro/fullchain1.pem' +maybe chmod 0640 'letsencrypt/archive/zira.go.ro/fullchain2.pem' +maybe chmod 0600 'letsencrypt/archive/zira.go.ro/privkey1.pem' +maybe chmod 0600 'letsencrypt/archive/zira.go.ro/privkey2.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr' +maybe chmod 0755 'letsencrypt/csr' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0000_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0000_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0000_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0001_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0001_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0001_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0002_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0002_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0002_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0003_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0003_csr-certbot.pem' 
+maybe chmod 0644 'letsencrypt/csr/0003_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0004_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0004_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0004_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0005_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0005_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0005_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0006_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0006_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0006_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0007_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0007_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0007_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0008_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0008_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0008_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0009_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0009_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0009_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0010_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0010_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0010_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0011_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0011_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0011_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0012_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0012_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0012_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0013_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0013_csr-certbot.pem' +maybe chmod 0640 
'letsencrypt/csr/0013_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0014_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0014_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0014_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/csr/0015_csr-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/csr/0015_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0015_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0016_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0017_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0018_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0019_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0020_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0021_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0022_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0023_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0024_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0025_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0026_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0027_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0028_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0029_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0030_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0031_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0032_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0033_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0034_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0035_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0036_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0037_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0038_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0039_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0040_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0041_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0042_csr-certbot.pem' +maybe chmod 0640 
'letsencrypt/csr/0043_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0044_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0045_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0046_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0047_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0048_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0049_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0050_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0051_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0052_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0053_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0054_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0055_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0056_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0057_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0058_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0059_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0060_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0061_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0062_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0063_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0064_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0065_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0066_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0067_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0068_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0069_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0070_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0071_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0072_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0073_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0074_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0075_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0076_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0077_csr-certbot.pem' +maybe chmod 0640 
'letsencrypt/csr/0078_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0079_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0080_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0081_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0082_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0083_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0084_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0085_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0086_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0087_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0088_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0089_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0090_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0091_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0092_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0093_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0094_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0095_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0096_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0097_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0098_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0099_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0100_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0101_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0102_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0103_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0104_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0105_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0106_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0107_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0108_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0109_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0110_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0111_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0112_csr-certbot.pem' +maybe chmod 0644 
'letsencrypt/csr/0113_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0114_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0115_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0116_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0117_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0118_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0119_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0120_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0121_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0122_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0123_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0124_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0125_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0126_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0127_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0128_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0129_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0130_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0131_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0132_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0133_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0134_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0135_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0136_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0137_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0138_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0139_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0140_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0141_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0142_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0143_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0144_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0145_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0146_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0147_csr-certbot.pem' +maybe chmod 0644 
'letsencrypt/csr/0148_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0149_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0150_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0151_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0152_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0153_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0154_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0155_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0156_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0157_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0158_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0159_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0160_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0161_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0162_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0163_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0164_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0165_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0166_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0167_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0168_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0169_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0170_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0171_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0172_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0173_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0174_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0175_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0176_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0177_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0178_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0179_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0180_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0181_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0182_csr-certbot.pem' +maybe chmod 0644 
'letsencrypt/csr/0183_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0184_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0185_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0186_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0187_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0188_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0189_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0190_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0191_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0192_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0193_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0194_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0195_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0196_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0197_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0198_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0199_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0200_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0201_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0202_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0203_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0204_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0205_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0206_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0207_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0208_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0209_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0210_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0211_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0212_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0213_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0214_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0215_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0216_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0217_csr-certbot.pem' +maybe chmod 0644 
'letsencrypt/csr/0218_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0219_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0220_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0221_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0222_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0223_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0224_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0225_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0226_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0227_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0228_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0229_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0230_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0231_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0232_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0233_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0234_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0235_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0236_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0237_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0238_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0239_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0240_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0241_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0242_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0243_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0244_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0245_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0246_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0247_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0248_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0249_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0250_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0251_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0252_csr-certbot.pem' +maybe chmod 0640 
'letsencrypt/csr/0253_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0254_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0255_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0256_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0257_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0258_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0259_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0260_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0261_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0262_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0263_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0264_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0265_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0266_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0267_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0268_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0269_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0270_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0271_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0272_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0273_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0274_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0275_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0276_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0277_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0278_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0279_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0280_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0281_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0282_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0283_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0284_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0285_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0286_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0287_csr-certbot.pem' +maybe chmod 0644 
'letsencrypt/csr/0288_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0289_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0290_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0291_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0292_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0293_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0294_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0295_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0296_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0297_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0298_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0299_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0300_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0301_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0302_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0303_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0304_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0305_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0306_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0307_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0308_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0309_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0310_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0311_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0312_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0313_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0314_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0315_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0316_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0317_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0318_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0319_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0320_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0321_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0322_csr-certbot.pem' +maybe chmod 0644 
'letsencrypt/csr/0323_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0324_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0325_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0326_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0327_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0328_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0329_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0330_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0331_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0332_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0333_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0334_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0335_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0336_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0337_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0338_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0339_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0340_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0341_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0342_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0343_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0344_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0345_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/0346_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0347_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0348_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0349_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0350_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0351_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0352_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0353_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0354_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0355_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0356_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0357_csr-certbot.pem' +maybe chmod 0640 
'letsencrypt/csr/0358_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0359_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0360_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0361_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0362_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0363_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0364_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0365_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0366_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0367_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0368_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0369_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0370_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0371_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0372_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0373_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0374_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0375_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0376_csr-certbot.pem' +maybe chmod 0640 'letsencrypt/csr/0377_csr-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys' +maybe chmod 0700 'letsencrypt/keys' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0000_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0000_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0000_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0001_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0001_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0001_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0002_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0002_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0002_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0003_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0003_key-certbot.pem' +maybe 
chmod 0600 'letsencrypt/keys/0003_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0004_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0004_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0004_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0005_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0005_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0005_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0006_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0006_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0006_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0007_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0007_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0007_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0008_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0008_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0008_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0009_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0009_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0009_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0010_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0010_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0010_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0011_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0011_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0011_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0012_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0012_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0012_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0013_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0013_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0013_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0014_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0014_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0014_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/keys/0015_key-certbot.pem' +maybe chgrp 'setroubleshoot' 'letsencrypt/keys/0015_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0015_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0016_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0017_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0018_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0019_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0020_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0021_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0022_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0023_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0024_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0025_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0026_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0027_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0028_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0029_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0030_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0031_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0032_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0033_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0034_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0035_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0036_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0037_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0038_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0039_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0040_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0041_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0042_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0043_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0044_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0045_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0046_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0047_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0048_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0049_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0050_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0051_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0052_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0053_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0054_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0055_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0056_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0057_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0058_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0059_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0060_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0061_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0062_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0063_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0064_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0065_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0066_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0067_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0068_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0069_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0070_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0071_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0072_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0073_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0074_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0075_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0076_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0077_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0078_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0079_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0080_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0081_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0082_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0083_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0084_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0085_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0086_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0087_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0088_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0089_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0090_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0091_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0092_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0093_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0094_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0095_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0096_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0097_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0098_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0099_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0100_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0101_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0102_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0103_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0104_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0105_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0106_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0107_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0108_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0109_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0110_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0111_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0112_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0113_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0114_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0115_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0116_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0117_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0118_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0119_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0120_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0121_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0122_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0123_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0124_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0125_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0126_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0127_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0128_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0129_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0130_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0131_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0132_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0133_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0134_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0135_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0136_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0137_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0138_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0139_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0140_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0141_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0142_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0143_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0144_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0145_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0146_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0147_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0148_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0149_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0150_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0151_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0152_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0153_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0154_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0155_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0156_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0157_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0158_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0159_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0160_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0161_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0162_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0163_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0164_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0165_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0166_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0167_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0168_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0169_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0170_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0171_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0172_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0173_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0174_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0175_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0176_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0177_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0178_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0179_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0180_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0181_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0182_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0183_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0184_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0185_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0186_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0187_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0188_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0189_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0190_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0191_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0192_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0193_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0194_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0195_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0196_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0197_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0198_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0199_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0200_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0201_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0202_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0203_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0204_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0205_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0206_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0207_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0208_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0209_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0210_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0211_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0212_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0213_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0214_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0215_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0216_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0217_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0218_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0219_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0220_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0221_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0222_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0223_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0224_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0225_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0226_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0227_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0228_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0229_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0230_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0231_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0232_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0233_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0234_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0235_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0236_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0237_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0238_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0239_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0240_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0241_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0242_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0243_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0244_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0245_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0246_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0247_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0248_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0249_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0250_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0251_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0252_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0253_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0254_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0255_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0256_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0257_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0258_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0259_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0260_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0261_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0262_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0263_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0264_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0265_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0266_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0267_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0268_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0269_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0270_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0271_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0272_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0273_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0274_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0275_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0276_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0277_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0278_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0279_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0280_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0281_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0282_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0283_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0284_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0285_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0286_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0287_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0288_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0289_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0290_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0291_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0292_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0293_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0294_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0295_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0296_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0297_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0298_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0299_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0300_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0301_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0302_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0303_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0304_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0305_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0306_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0307_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0308_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0309_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0310_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0311_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0312_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0313_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0314_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0315_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0316_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0317_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0318_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0319_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0320_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0321_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0322_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0323_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0324_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0325_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0326_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0327_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0328_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0329_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0330_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0331_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0332_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0333_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0334_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0335_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0336_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0337_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0338_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0339_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0340_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0341_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0342_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0343_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0344_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0345_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0346_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0347_key-certbot.pem' +maybe chmod 0600 
'letsencrypt/keys/0348_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0349_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0350_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0351_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0352_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0353_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0354_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0355_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0356_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0357_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0358_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0359_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0360_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0361_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0362_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0363_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0364_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0365_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0366_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0367_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0368_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0369_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0370_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0371_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0372_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0373_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0374_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0375_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0376_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/0377_key-certbot.pem' +maybe chown 'setroubleshoot' 'letsencrypt/live' +maybe chgrp 'setroubleshoot' 'letsencrypt/live' +maybe chmod 0700 'letsencrypt/live' +maybe chmod 0640 'letsencrypt/live/README' +maybe chown 'setroubleshoot' 'letsencrypt/live/club3d.ro' +maybe chgrp 'setroubleshoot' 
'letsencrypt/live/club3d.ro' +maybe chmod 0755 'letsencrypt/live/club3d.ro' +maybe chmod 0750 'letsencrypt/live/club3d.ro-0001' +maybe chmod 0640 'letsencrypt/live/club3d.ro-0001/README' +maybe chown 'setroubleshoot' 'letsencrypt/live/club3d.ro/README' +maybe chgrp 'setroubleshoot' 'letsencrypt/live/club3d.ro/README' +maybe chmod 0644 'letsencrypt/live/club3d.ro/README' +maybe chmod 0750 'letsencrypt/live/files.898.ro' +maybe chmod 0640 'letsencrypt/live/files.898.ro/README' +maybe chmod 0750 'letsencrypt/live/git.898.ro' +maybe chmod 0640 'letsencrypt/live/git.898.ro/README' +maybe chmod 0750 'letsencrypt/live/jekyll.club3d.ro' +maybe chmod 0640 'letsencrypt/live/jekyll.club3d.ro/README' +maybe chmod 0755 'letsencrypt/live/mail.898.ro' +maybe chmod 0644 'letsencrypt/live/mail.898.ro/README' +maybe chmod 0750 'letsencrypt/live/mail.anywhere.ro' +maybe chmod 0640 'letsencrypt/live/mail.anywhere.ro/README' +maybe chmod 0750 'letsencrypt/live/mail.club3d.ro' +maybe chmod 0640 'letsencrypt/live/mail.club3d.ro/README' +maybe chmod 0750 'letsencrypt/live/rspamd.club3d.ro' +maybe chmod 0640 'letsencrypt/live/rspamd.club3d.ro/README' +maybe chown 'setroubleshoot' 'letsencrypt/live/sumo.898.ro' +maybe chgrp 'setroubleshoot' 'letsencrypt/live/sumo.898.ro' +maybe chmod 0755 'letsencrypt/live/sumo.898.ro' +maybe chown 'setroubleshoot' 'letsencrypt/live/sumo.898.ro/README' +maybe chgrp 'setroubleshoot' 'letsencrypt/live/sumo.898.ro/README' +maybe chmod 0644 'letsencrypt/live/sumo.898.ro/README' +maybe chmod 0750 'letsencrypt/live/trtlexplorer.gocrypto.ro' +maybe chmod 0640 'letsencrypt/live/trtlexplorer.gocrypto.ro/README' +maybe chmod 0750 'letsencrypt/live/zira.898.ro' +maybe chmod 0640 'letsencrypt/live/zira.898.ro/README' +maybe chmod 0755 'letsencrypt/live/zira.go.ro' +maybe chmod 0644 'letsencrypt/live/zira.go.ro/README' +maybe chown 'setroubleshoot' 'letsencrypt/options-ssl-apache.conf' +maybe chgrp 'setroubleshoot' 'letsencrypt/options-ssl-apache.conf' +maybe chmod 0644 
'letsencrypt/options-ssl-apache.conf' +maybe chown 'setroubleshoot' 'letsencrypt/options-ssl-nginx.conf' +maybe chgrp 'setroubleshoot' 'letsencrypt/options-ssl-nginx.conf' +maybe chmod 0644 'letsencrypt/options-ssl-nginx.conf' +maybe chown 'setroubleshoot' 'letsencrypt/renewal' +maybe chgrp 'setroubleshoot' 'letsencrypt/renewal' +maybe chmod 0755 'letsencrypt/renewal' +maybe chown 'setroubleshoot' 'letsencrypt/renewal-hooks' +maybe chgrp 'setroubleshoot' 'letsencrypt/renewal-hooks' +maybe chmod 0755 'letsencrypt/renewal-hooks' +maybe chown 'setroubleshoot' 'letsencrypt/renewal-hooks/deploy' +maybe chgrp 'setroubleshoot' 'letsencrypt/renewal-hooks/deploy' +maybe chmod 0755 'letsencrypt/renewal-hooks/deploy' +maybe chown 'setroubleshoot' 'letsencrypt/renewal-hooks/post' +maybe chgrp 'setroubleshoot' 'letsencrypt/renewal-hooks/post' +maybe chmod 0755 'letsencrypt/renewal-hooks/post' +maybe chown 'setroubleshoot' 'letsencrypt/renewal-hooks/pre' +maybe chgrp 'setroubleshoot' 'letsencrypt/renewal-hooks/pre' +maybe chmod 0755 'letsencrypt/renewal-hooks/pre' +maybe chmod 0640 'letsencrypt/renewal/club3d.ro-0001.conf' +maybe chmod 0640 'letsencrypt/renewal/files.898.ro.conf' +maybe chmod 0640 'letsencrypt/renewal/git.898.ro.conf' +maybe chmod 0644 'letsencrypt/renewal/mail.898.ro.conf' +maybe chmod 0640 'letsencrypt/renewal/mail.anywhere.ro.conf' +maybe chmod 0640 'letsencrypt/renewal/mail.club3d.ro.conf' +maybe chmod 0640 'letsencrypt/renewal/rspamd.club3d.ro.conf' +maybe chmod 0640 'letsencrypt/renewal/zira.898.ro.conf' +maybe chmod 0644 'letsencrypt/renewal/zira.go.ro.conf' +maybe chmod 0640 'letsencrypt/ssl-dhparams.pem' +maybe chmod 0640 'libaudit.conf' +maybe chmod 0755 'libnl' +maybe chmod 0644 'libnl/classid' +maybe chmod 0644 'libnl/pktloc' +maybe chmod 0755 'libpaper.d' +maybe chmod 0755 'libreport' +maybe chmod 0755 'libreport/events' +maybe chmod 0755 'libreport/events.d' +maybe chmod 0644 'libreport/events.d/collect_dnf.conf' +maybe chmod 0755 
'libreport/plugins' +maybe chmod 0755 'libreport/workflows.d' +maybe chmod 0755 'libssh' +maybe chmod 0644 'libssh/libssh_client.config' +maybe chmod 0644 'libssh/libssh_server.config' +maybe chmod 0644 'libuser.conf' +maybe chmod 0644 'locale.conf' +maybe chmod 0644 'login.defs' +maybe chmod 0644 'logrotate.conf' +maybe chmod 0755 'logrotate.d' +maybe chmod 0644 'logrotate.d/aide' +maybe chmod 0644 'logrotate.d/btmp' +maybe chmod 0644 'logrotate.d/chrony' +maybe chmod 0644 'logrotate.d/clamav-unofficial-sigs' +maybe chmod 0644 'logrotate.d/clamav-update' +maybe chmod 0644 'logrotate.d/dnf' +maybe chmod 0644 'logrotate.d/fail2ban' +maybe chmod 0644 'logrotate.d/firewalld' +maybe chmod 0644 'logrotate.d/httpd' +maybe chmod 0644 'logrotate.d/iptraf-ng' +maybe chmod 0644 'logrotate.d/lfd' +maybe chmod 0644 'logrotate.d/mysql' +maybe chgrp 'named' 'logrotate.d/named' +maybe chmod 0640 'logrotate.d/named' +maybe chmod 0644 'logrotate.d/nginx' +maybe chmod 0644 'logrotate.d/php-fpm' +maybe chmod 0644 'logrotate.d/ppp' +maybe chmod 0644 'logrotate.d/psacct' +maybe chmod 0644 'logrotate.d/redis' +maybe chmod 0644 'logrotate.d/rkhunter' +maybe chmod 0644 'logrotate.d/rspamd' +maybe chmod 0644 'logrotate.d/sa-update' +maybe chmod 0644 'logrotate.d/sssd' +maybe chmod 0644 'logrotate.d/subscription-manager' +maybe chmod 0644 'logrotate.d/syslog' +maybe chmod 0644 'logrotate.d/up2date' +maybe chmod 0644 'logrotate.d/vsftpd' +maybe chmod 0644 'logrotate.d/wtmp' +maybe chmod 0755 'lsb-release.d' +maybe chmod 0644 'lsb-release.d/core-4.1-amd64' +maybe chmod 0644 'lsb-release.d/core-4.1-noarch' +maybe chmod 0755 'lynis' +maybe chmod 0644 'lynis/default.prf' +maybe chmod 0644 'lynx-site.cfg' +maybe chmod 0644 'lynx.cfg' +maybe chmod 0644 'lynx.lss' +maybe chmod 0444 'machine-id' +maybe chmod 0644 'machine-info' +maybe chmod 0644 'magic' +maybe chmod 0755 'mail' +maybe chmod 0644 'mail.rc' +maybe chmod 0755 'mail/spamassassin' +maybe chmod 0755 'mail/spamassassin/.pyzor' +maybe chmod 
0755 'mail/spamassassin/.razor' +maybe chmod 0644 'mail/spamassassin/.razor/identity-ru5QBQp4Pq' +maybe chmod 0644 'mail/spamassassin/.razor/identity-ruD5ziim06' +maybe chmod 0644 'mail/spamassassin/.razor/razor-agent.conf' +maybe chmod 0644 'mail/spamassassin/.razor/razor-agent.log' +maybe chmod 0644 'mail/spamassassin/.razor/server.c301.cloudmark.com.conf' +maybe chmod 0644 'mail/spamassassin/.razor/server.c302.cloudmark.com.conf' +maybe chmod 0644 'mail/spamassassin/.razor/server.c303.cloudmark.com.conf' +maybe chmod 0644 'mail/spamassassin/.razor/server.n001.cloudmark.com.conf' +maybe chmod 0644 'mail/spamassassin/.razor/servers.catalogue.lst' +maybe chmod 0644 'mail/spamassassin/.razor/servers.discovery.lst' +maybe chmod 0644 'mail/spamassassin/.razor/servers.nomination.lst' +maybe chmod 0644 'mail/spamassassin/30_uribl_black.cf' +maybe chmod 0644 'mail/spamassassin/36_local_disclaimer.cf' +maybe chmod 0644 'mail/spamassassin/99_struction_DNSRBL.cf' +maybe chmod 0644 'mail/spamassassin/99_struction_EXIM.cf' +maybe chmod 0644 'mail/spamassassin/99_struction_IXHASH.cf' +maybe chmod 0644 'mail/spamassassin/BayesOCR_PLG.cf' +maybe chmod 0644 'mail/spamassassin/BayesOCR_PLG.pm' +maybe chmod 0644 'mail/spamassassin/DNSWLh.pm' +maybe chmod 0644 'mail/spamassassin/DecodeShortURLs.cf' +maybe chmod 0644 'mail/spamassassin/DecodeShortURLs.pm' +maybe chmod 0644 'mail/spamassassin/GPG.KEY' +maybe chmod 0644 'mail/spamassassin/MTX.pm' +maybe chmod 0644 'mail/spamassassin/PhishTag.cf' +maybe chmod 0644 'mail/spamassassin/PhishTag.pm' +maybe chmod 0644 'mail/spamassassin/SaveHits.pm' +maybe chmod 0755 'mail/spamassassin/abc' +maybe chmod 0644 'mail/spamassassin/abc/99_struction_IXHASH.cf' +maybe chmod 0644 'mail/spamassassin/abc/BayesOCR_PLG.cf' +maybe chmod 0644 'mail/spamassassin/abc/BayesOCR_PLG.pm' +maybe chmod 0644 'mail/spamassassin/abc/DNSWLh.pm' +maybe chmod 0644 'mail/spamassassin/abc/DecodeShortURLs.cf' +maybe chmod 0644 'mail/spamassassin/abc/DecodeShortURLs.pm' 
+maybe chmod 0644 'mail/spamassassin/abc/dnswlh.cf' +maybe chmod 0644 'mail/spamassassin/abc/iXhash.pm' +maybe chmod 0755 'mail/spamassassin/bin' +maybe chmod 0644 'mail/spamassassin/bin/pyzor' +maybe chmod 0644 'mail/spamassassin/bin/pyzord' +maybe chmod 0755 'mail/spamassassin/channel.d' +maybe chmod 0644 'mail/spamassassin/channel.d/spamassassin-official.conf' +maybe chmod 0644 'mail/spamassassin/dnswlh.cf.disabled' +maybe chmod 0644 'mail/spamassassin/iXhash.pm' +maybe chmod 0644 'mail/spamassassin/init.pre' +maybe chmod 0644 'mail/spamassassin/init.pre.rpmnew' +maybe chmod 0644 'mail/spamassassin/learn_spam.sh' +maybe chmod 0755 'mail/spamassassin/lib' +maybe chmod 0755 'mail/spamassassin/lib/python' +maybe chmod 0755 'mail/spamassassin/lib/python/pyzor' +maybe chmod 0644 'mail/spamassassin/lib/python/pyzor/__init__.py' +maybe chmod 0644 'mail/spamassassin/lib/python/pyzor/client.py' +maybe chmod 0644 'mail/spamassassin/lib/python/pyzor/server.py' +maybe chmod 0644 'mail/spamassassin/local.cf' +maybe chmod 0644 'mail/spamassassin/manual.cf' +maybe chmod 0644 'mail/spamassassin/mtx.cf' +maybe chmod 0644 'mail/spamassassin/mtx_blacklist.cf' +maybe chmod 0644 'mail/spamassassin/mtx_blacklist.gz' +maybe chmod 0644 'mail/spamassassin/mtx_blacklist.pl' +maybe chmod 0644 'mail/spamassassin/pub.gpg' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0.tar.bz2' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/.cvsignore' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/COPYING' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/INSTALL' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/MANIFEST.in' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/NEWS' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/README.txt' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/THANKS' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/UPGRADING' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/config' +maybe chmod 0644 
'mail/spamassassin/pyzor-0.7.0/config/accounts.sample' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/config/config.sample' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/config/pyzord.access.sample' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/config/pyzord.paswd.sample' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/config/servers.sample' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/pyzor' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/.cvsignore' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/__init__.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/account.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/client.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/config.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/digest.py' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/pyzor/engines' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/engines/__init__.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/engines/common.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/engines/gdbm_.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/engines/mysql.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/engines/redis_.py' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/pyzor/hacks' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/hacks/__init__.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/hacks/py26.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/message.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/pyzor/server.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/requirements.txt' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/scripts' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/scripts/.cvsignore' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/scripts/pyzor' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/scripts/pyzord' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/setup.py' +maybe chmod 0755 
'mail/spamassassin/pyzor-0.7.0/tests' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/__init__.py' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/tests/functional' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/functional/__init__.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/functional/test_account.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/functional/test_digest.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/functional/test_gdbm.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/functional/test_mysql.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/functional/test_pyzor.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/functional/test_redis.py' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/tests/unit' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/unit/__init__.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/unit/test_account.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/unit/test_client.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/unit/test_digest.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/unit/test_gdbm.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/unit/test_mysql.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/unit/test_redis.py' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/unit/test_server.py' +maybe chmod 0755 'mail/spamassassin/pyzor-0.7.0/tests/util' +maybe chmod 0644 'mail/spamassassin/pyzor-0.7.0/tests/util/__init__.py' +maybe chmod 0644 'mail/spamassassin/readyexecd.py' +maybe chmod 0644 'mail/spamassassin/sa-train.pl' +maybe chmod 0700 'mail/spamassassin/sa-update-keys' +maybe chmod 0644 'mail/spamassassin/sa-update-keys/.gpg-v21-migrated' +maybe chmod 0700 'mail/spamassassin/sa-update-keys/private-keys-v1.d' +maybe chmod 0600 'mail/spamassassin/sa-update-keys/pubring.gpg' +maybe chmod 0600 'mail/spamassassin/sa-update-keys/secring.gpg' +maybe chmod 0600 
'mail/spamassassin/sa-update-keys/trustdb.gpg' +maybe chmod 0644 'mail/spamassassin/savehits.cf.disabled' +maybe chmod 0644 'mail/spamassassin/servers' +maybe chmod 0755 'mail/spamassassin/share' +maybe chmod 0755 'mail/spamassassin/share/doc' +maybe chmod 0755 'mail/spamassassin/share/doc/pyzor' +maybe chmod 0644 'mail/spamassassin/share/doc/pyzor/usage.html' +maybe chmod 0644 'mail/spamassassin/spamassassin-default.rc' +maybe chmod 0755 'mail/spamassassin/spamassassin-helper.sh' +maybe chmod 0644 'mail/spamassassin/spamassassin-spamc.rc' +maybe chmod 0644 'mail/spamassassin/v310.pre' +maybe chmod 0644 'mail/spamassassin/v312.pre' +maybe chmod 0644 'mail/spamassassin/v320.pre' +maybe chmod 0644 'mail/spamassassin/v330.pre' +maybe chmod 0644 'mail/spamassassin/v340.pre' +maybe chmod 0644 'mail/spamassassin/v341.pre' +maybe chmod 0644 'mail/spamassassin/v342.pre' +maybe chmod 0644 'mail/spamassassin/wrongmx.pm' +maybe chmod 0644 'mailcap' +maybe chmod 0644 'man_db.conf' +maybe chmod 0755 'mc' +maybe chmod 0755 'mc/edit.indent.rc' +maybe chmod 0644 'mc/filehighlight.ini' +maybe chmod 0644 'mc/mc.default.keymap' +maybe chmod 0644 'mc/mc.emacs.keymap' +maybe chmod 0644 'mc/mc.ext' +maybe chmod 0644 'mc/mc.menu' +maybe chmod 0644 'mc/mcedit.menu' +maybe chmod 0644 'mc/sfs.ini' +maybe chmod 0644 'mime.types' +maybe chmod 0644 'mke2fs.conf' +maybe chmod 0755 'mock' +maybe chgrp 'mock' 'mock/almalinux-8-x86_64.cfg' +maybe chmod 0644 'mock/almalinux-8-x86_64.cfg' +maybe chgrp 'mock' 'mock/amazonlinux-2-aarch64.cfg' +maybe chmod 0644 'mock/amazonlinux-2-aarch64.cfg' +maybe chgrp 'mock' 'mock/amazonlinux-2-x86_64.cfg' +maybe chmod 0644 'mock/amazonlinux-2-x86_64.cfg' +maybe chgrp 'mock' 'mock/centos-7-aarch64.cfg' +maybe chmod 0644 'mock/centos-7-aarch64.cfg' +maybe chgrp 'mock' 'mock/centos-7-ppc64.cfg' +maybe chmod 0644 'mock/centos-7-ppc64.cfg' +maybe chgrp 'mock' 'mock/centos-7-ppc64le.cfg' +maybe chmod 0644 'mock/centos-7-ppc64le.cfg' +maybe chgrp 'mock' 
'mock/centos-7-x86_64.cfg' +maybe chmod 0644 'mock/centos-7-x86_64.cfg' +maybe chgrp 'mock' 'mock/centos-8-aarch64.cfg' +maybe chmod 0644 'mock/centos-8-aarch64.cfg' +maybe chgrp 'mock' 'mock/centos-8-ppc64le.cfg' +maybe chmod 0644 'mock/centos-8-ppc64le.cfg' +maybe chgrp 'mock' 'mock/centos-8-x86_64.cfg' +maybe chmod 0644 'mock/centos-8-x86_64.cfg' +maybe chgrp 'mock' 'mock/centos-stream-8-aarch64.cfg' +maybe chmod 0644 'mock/centos-stream-8-aarch64.cfg' +maybe chgrp 'mock' 'mock/centos-stream-8-ppc64le.cfg' +maybe chmod 0644 'mock/centos-stream-8-ppc64le.cfg' +maybe chgrp 'mock' 'mock/centos-stream-8-x86_64.cfg' +maybe chmod 0644 'mock/centos-stream-8-x86_64.cfg' +maybe chgrp 'mock' 'mock/custom-1-aarch64.cfg' +maybe chmod 0644 'mock/custom-1-aarch64.cfg' +maybe chgrp 'mock' 'mock/custom-1-armhfp.cfg' +maybe chmod 0644 'mock/custom-1-armhfp.cfg' +maybe chgrp 'mock' 'mock/custom-1-i386.cfg' +maybe chmod 0644 'mock/custom-1-i386.cfg' +maybe chgrp 'mock' 'mock/custom-1-ppc64.cfg' +maybe chmod 0644 'mock/custom-1-ppc64.cfg' +maybe chgrp 'mock' 'mock/custom-1-ppc64le.cfg' +maybe chmod 0644 'mock/custom-1-ppc64le.cfg' +maybe chgrp 'mock' 'mock/custom-1-s390.cfg' +maybe chmod 0644 'mock/custom-1-s390.cfg' +maybe chgrp 'mock' 'mock/custom-1-s390x.cfg' +maybe chmod 0644 'mock/custom-1-s390x.cfg' +maybe chgrp 'mock' 'mock/custom-1-x86_64.cfg' +maybe chmod 0644 'mock/custom-1-x86_64.cfg' +maybe chmod 0755 'mock/eol' +maybe chgrp 'mock' 'mock/eol/centos-6-i386.cfg' +maybe chmod 0644 'mock/eol/centos-6-i386.cfg' +maybe chgrp 'mock' 'mock/eol/centos-6-x86_64.cfg' +maybe chmod 0644 'mock/eol/centos-6-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/epel-5-i386.cfg' +maybe chmod 0644 'mock/eol/epel-5-i386.cfg' +maybe chgrp 'mock' 'mock/eol/epel-5-x86_64.cfg' +maybe chmod 0644 'mock/eol/epel-5-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/epel-6-i386.cfg' +maybe chmod 0644 'mock/eol/epel-6-i386.cfg' +maybe chgrp 'mock' 'mock/eol/epel-6-x86_64.cfg' +maybe chmod 0644 
'mock/eol/epel-6-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-25-aarch64.cfg' +maybe chmod 0644 'mock/eol/fedora-25-aarch64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-25-armhfp.cfg' +maybe chmod 0644 'mock/eol/fedora-25-armhfp.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-25-i386.cfg' +maybe chmod 0644 'mock/eol/fedora-25-i386.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-25-ppc64.cfg' +maybe chmod 0644 'mock/eol/fedora-25-ppc64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-25-ppc64le.cfg' +maybe chmod 0644 'mock/eol/fedora-25-ppc64le.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-25-s390x.cfg' +maybe chmod 0644 'mock/eol/fedora-25-s390x.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-25-x86_64.cfg' +maybe chmod 0644 'mock/eol/fedora-25-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-26-aarch64.cfg' +maybe chmod 0644 'mock/eol/fedora-26-aarch64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-26-armhfp.cfg' +maybe chmod 0644 'mock/eol/fedora-26-armhfp.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-26-i386.cfg' +maybe chmod 0644 'mock/eol/fedora-26-i386.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-26-ppc64.cfg' +maybe chmod 0644 'mock/eol/fedora-26-ppc64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-26-ppc64le.cfg' +maybe chmod 0644 'mock/eol/fedora-26-ppc64le.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-26-s390x.cfg' +maybe chmod 0644 'mock/eol/fedora-26-s390x.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-26-x86_64.cfg' +maybe chmod 0644 'mock/eol/fedora-26-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-27-aarch64.cfg' +maybe chmod 0644 'mock/eol/fedora-27-aarch64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-27-armhfp.cfg' +maybe chmod 0644 'mock/eol/fedora-27-armhfp.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-27-i386.cfg' +maybe chmod 0644 'mock/eol/fedora-27-i386.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-27-ppc64.cfg' +maybe chmod 0644 'mock/eol/fedora-27-ppc64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-27-ppc64le.cfg' +maybe chmod 0644 'mock/eol/fedora-27-ppc64le.cfg' +maybe chgrp 'mock' 
'mock/eol/fedora-27-s390x.cfg' +maybe chmod 0644 'mock/eol/fedora-27-s390x.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-27-x86_64.cfg' +maybe chmod 0644 'mock/eol/fedora-27-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-28-aarch64.cfg' +maybe chmod 0644 'mock/eol/fedora-28-aarch64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-28-armhfp.cfg' +maybe chmod 0644 'mock/eol/fedora-28-armhfp.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-28-i386.cfg' +maybe chmod 0644 'mock/eol/fedora-28-i386.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-28-ppc64.cfg' +maybe chmod 0644 'mock/eol/fedora-28-ppc64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-28-ppc64le.cfg' +maybe chmod 0644 'mock/eol/fedora-28-ppc64le.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-28-s390x.cfg' +maybe chmod 0644 'mock/eol/fedora-28-s390x.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-28-x86_64.cfg' +maybe chmod 0644 'mock/eol/fedora-28-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-29-aarch64.cfg' +maybe chmod 0644 'mock/eol/fedora-29-aarch64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-29-armhfp.cfg' +maybe chmod 0644 'mock/eol/fedora-29-armhfp.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-29-i386.cfg' +maybe chmod 0644 'mock/eol/fedora-29-i386.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-29-ppc64le.cfg' +maybe chmod 0644 'mock/eol/fedora-29-ppc64le.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-29-s390x.cfg' +maybe chmod 0644 'mock/eol/fedora-29-s390x.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-29-x86_64.cfg' +maybe chmod 0644 'mock/eol/fedora-29-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-30-aarch64.cfg' +maybe chmod 0644 'mock/eol/fedora-30-aarch64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-30-armhfp.cfg' +maybe chmod 0644 'mock/eol/fedora-30-armhfp.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-30-i386.cfg' +maybe chmod 0644 'mock/eol/fedora-30-i386.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-30-ppc64le.cfg' +maybe chmod 0644 'mock/eol/fedora-30-ppc64le.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-30-s390x.cfg' +maybe chmod 0644 
'mock/eol/fedora-30-s390x.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-30-x86_64.cfg' +maybe chmod 0644 'mock/eol/fedora-30-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-31-aarch64.cfg' +maybe chmod 0644 'mock/eol/fedora-31-aarch64.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-31-armhfp.cfg' +maybe chmod 0644 'mock/eol/fedora-31-armhfp.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-31-i386.cfg' +maybe chmod 0644 'mock/eol/fedora-31-i386.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-31-ppc64le.cfg' +maybe chmod 0644 'mock/eol/fedora-31-ppc64le.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-31-s390x.cfg' +maybe chmod 0644 'mock/eol/fedora-31-s390x.cfg' +maybe chgrp 'mock' 'mock/eol/fedora-31-x86_64.cfg' +maybe chmod 0644 'mock/eol/fedora-31-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/mageia-6-armv5tl.cfg' +maybe chmod 0644 'mock/eol/mageia-6-armv5tl.cfg' +maybe chgrp 'mock' 'mock/eol/mageia-6-armv7hl.cfg' +maybe chmod 0644 'mock/eol/mageia-6-armv7hl.cfg' +maybe chgrp 'mock' 'mock/eol/mageia-6-i586.cfg' +maybe chmod 0644 'mock/eol/mageia-6-i586.cfg' +maybe chgrp 'mock' 'mock/eol/mageia-6-x86_64.cfg' +maybe chmod 0644 'mock/eol/mageia-6-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/openmandriva-4.0-aarch64.cfg' +maybe chmod 0644 'mock/eol/openmandriva-4.0-aarch64.cfg' +maybe chgrp 'mock' 'mock/eol/openmandriva-4.0-armv7hnl.cfg' +maybe chmod 0644 'mock/eol/openmandriva-4.0-armv7hnl.cfg' +maybe chgrp 'mock' 'mock/eol/openmandriva-4.0-i686.cfg' +maybe chmod 0644 'mock/eol/openmandriva-4.0-i686.cfg' +maybe chgrp 'mock' 'mock/eol/openmandriva-4.0-x86_64.cfg' +maybe chmod 0644 'mock/eol/openmandriva-4.0-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/opensuse-leap-15.0-aarch64.cfg' +maybe chmod 0644 'mock/eol/opensuse-leap-15.0-aarch64.cfg' +maybe chgrp 'mock' 'mock/eol/opensuse-leap-15.0-x86_64.cfg' +maybe chmod 0644 'mock/eol/opensuse-leap-15.0-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/opensuse-leap-15.1-aarch64.cfg' +maybe chmod 0644 'mock/eol/opensuse-leap-15.1-aarch64.cfg' +maybe chgrp 'mock' 
'mock/eol/opensuse-leap-15.1-x86_64.cfg' +maybe chmod 0644 'mock/eol/opensuse-leap-15.1-x86_64.cfg' +maybe chgrp 'mock' 'mock/eol/rhel-6-x86_64.cfg' +maybe chmod 0644 'mock/eol/rhel-6-x86_64.cfg' +maybe chmod 0755 'mock/eol/templates' +maybe chgrp 'mock' 'mock/eol/templates/centos-6.tpl' +maybe chmod 0644 'mock/eol/templates/centos-6.tpl' +maybe chgrp 'mock' 'mock/eol/templates/epel-6.tpl' +maybe chmod 0644 'mock/eol/templates/epel-6.tpl' +maybe chgrp 'mock' 'mock/eol/templates/fedora-29.tpl' +maybe chmod 0644 'mock/eol/templates/fedora-29.tpl' +maybe chgrp 'mock' 'mock/eol/templates/fedora-30.tpl' +maybe chmod 0644 'mock/eol/templates/fedora-30.tpl' +maybe chgrp 'mock' 'mock/eol/templates/mageia-6.tpl' +maybe chmod 0644 'mock/eol/templates/mageia-6.tpl' +maybe chgrp 'mock' 'mock/eol/templates/openmandriva-4.0.tpl' +maybe chmod 0644 'mock/eol/templates/openmandriva-4.0.tpl' +maybe chgrp 'mock' 'mock/eol/templates/rhel-6.tpl' +maybe chmod 0644 'mock/eol/templates/rhel-6.tpl' +maybe chgrp 'mock' 'mock/epel-7-aarch64.cfg' +maybe chmod 0644 'mock/epel-7-aarch64.cfg' +maybe chgrp 'mock' 'mock/epel-7-ppc64.cfg' +maybe chmod 0644 'mock/epel-7-ppc64.cfg' +maybe chgrp 'mock' 'mock/epel-7-ppc64le.cfg' +maybe chmod 0644 'mock/epel-7-ppc64le.cfg' +maybe chgrp 'mock' 'mock/epel-7-x86_64.cfg' +maybe chmod 0644 'mock/epel-7-x86_64.cfg' +maybe chgrp 'mock' 'mock/epel-8-aarch64.cfg' +maybe chmod 0644 'mock/epel-8-aarch64.cfg' +maybe chgrp 'mock' 'mock/epel-8-ppc64le.cfg' +maybe chmod 0644 'mock/epel-8-ppc64le.cfg' +maybe chgrp 'mock' 'mock/epel-8-x86_64.cfg' +maybe chmod 0644 'mock/epel-8-x86_64.cfg' +maybe chgrp 'mock' 'mock/epelplayground-8-aarch64.cfg' +maybe chmod 0644 'mock/epelplayground-8-aarch64.cfg' +maybe chgrp 'mock' 'mock/epelplayground-8-ppc64le.cfg' +maybe chmod 0644 'mock/epelplayground-8-ppc64le.cfg' +maybe chgrp 'mock' 'mock/epelplayground-8-x86_64.cfg' +maybe chmod 0644 'mock/epelplayground-8-x86_64.cfg' +maybe chgrp 'mock' 'mock/fedora-32-aarch64.cfg' +maybe 
chmod 0644 'mock/fedora-32-aarch64.cfg' +maybe chgrp 'mock' 'mock/fedora-32-armhfp.cfg' +maybe chmod 0644 'mock/fedora-32-armhfp.cfg' +maybe chgrp 'mock' 'mock/fedora-32-i386.cfg' +maybe chmod 0644 'mock/fedora-32-i386.cfg' +maybe chgrp 'mock' 'mock/fedora-32-ppc64le.cfg' +maybe chmod 0644 'mock/fedora-32-ppc64le.cfg' +maybe chgrp 'mock' 'mock/fedora-32-s390x.cfg' +maybe chmod 0644 'mock/fedora-32-s390x.cfg' +maybe chgrp 'mock' 'mock/fedora-32-x86_64.cfg' +maybe chmod 0644 'mock/fedora-32-x86_64.cfg' +maybe chgrp 'mock' 'mock/fedora-33-aarch64.cfg' +maybe chmod 0644 'mock/fedora-33-aarch64.cfg' +maybe chgrp 'mock' 'mock/fedora-33-armhfp.cfg' +maybe chmod 0644 'mock/fedora-33-armhfp.cfg' +maybe chgrp 'mock' 'mock/fedora-33-i386.cfg' +maybe chmod 0644 'mock/fedora-33-i386.cfg' +maybe chgrp 'mock' 'mock/fedora-33-ppc64le.cfg' +maybe chmod 0644 'mock/fedora-33-ppc64le.cfg' +maybe chgrp 'mock' 'mock/fedora-33-s390x.cfg' +maybe chmod 0644 'mock/fedora-33-s390x.cfg' +maybe chgrp 'mock' 'mock/fedora-33-x86_64.cfg' +maybe chmod 0644 'mock/fedora-33-x86_64.cfg' +maybe chgrp 'mock' 'mock/fedora-34-aarch64.cfg' +maybe chmod 0644 'mock/fedora-34-aarch64.cfg' +maybe chgrp 'mock' 'mock/fedora-34-armhfp.cfg' +maybe chmod 0644 'mock/fedora-34-armhfp.cfg' +maybe chgrp 'mock' 'mock/fedora-34-i386.cfg' +maybe chmod 0644 'mock/fedora-34-i386.cfg' +maybe chgrp 'mock' 'mock/fedora-34-ppc64le.cfg' +maybe chmod 0644 'mock/fedora-34-ppc64le.cfg' +maybe chgrp 'mock' 'mock/fedora-34-s390x.cfg' +maybe chmod 0644 'mock/fedora-34-s390x.cfg' +maybe chgrp 'mock' 'mock/fedora-34-x86_64.cfg' +maybe chmod 0644 'mock/fedora-34-x86_64.cfg' +maybe chgrp 'mock' 'mock/fedora-eln-aarch64.cfg' +maybe chmod 0644 'mock/fedora-eln-aarch64.cfg' +maybe chgrp 'mock' 'mock/fedora-eln-i386.cfg' +maybe chmod 0644 'mock/fedora-eln-i386.cfg' +maybe chgrp 'mock' 'mock/fedora-eln-ppc64le.cfg' +maybe chmod 0644 'mock/fedora-eln-ppc64le.cfg' +maybe chgrp 'mock' 'mock/fedora-eln-s390x.cfg' +maybe chmod 0644 
'mock/fedora-eln-s390x.cfg' +maybe chgrp 'mock' 'mock/fedora-eln-x86_64.cfg' +maybe chmod 0644 'mock/fedora-eln-x86_64.cfg' +maybe chgrp 'mock' 'mock/fedora-rawhide-aarch64.cfg' +maybe chmod 0644 'mock/fedora-rawhide-aarch64.cfg' +maybe chgrp 'mock' 'mock/fedora-rawhide-armhfp.cfg' +maybe chmod 0644 'mock/fedora-rawhide-armhfp.cfg' +maybe chgrp 'mock' 'mock/fedora-rawhide-i386.cfg' +maybe chmod 0644 'mock/fedora-rawhide-i386.cfg' +maybe chgrp 'mock' 'mock/fedora-rawhide-ppc64le.cfg' +maybe chmod 0644 'mock/fedora-rawhide-ppc64le.cfg' +maybe chgrp 'mock' 'mock/fedora-rawhide-s390x.cfg' +maybe chmod 0644 'mock/fedora-rawhide-s390x.cfg' +maybe chgrp 'mock' 'mock/fedora-rawhide-x86_64.cfg' +maybe chmod 0644 'mock/fedora-rawhide-x86_64.cfg' +maybe chmod 0644 'mock/logging.ini' +maybe chgrp 'mock' 'mock/mageia-7-aarch64.cfg' +maybe chmod 0644 'mock/mageia-7-aarch64.cfg' +maybe chgrp 'mock' 'mock/mageia-7-armv7hl.cfg' +maybe chmod 0644 'mock/mageia-7-armv7hl.cfg' +maybe chgrp 'mock' 'mock/mageia-7-i586.cfg' +maybe chmod 0644 'mock/mageia-7-i586.cfg' +maybe chgrp 'mock' 'mock/mageia-7-x86_64.cfg' +maybe chmod 0644 'mock/mageia-7-x86_64.cfg' +maybe chgrp 'mock' 'mock/mageia-8-aarch64.cfg' +maybe chmod 0644 'mock/mageia-8-aarch64.cfg' +maybe chgrp 'mock' 'mock/mageia-8-armv7hl.cfg' +maybe chmod 0644 'mock/mageia-8-armv7hl.cfg' +maybe chgrp 'mock' 'mock/mageia-8-i586.cfg' +maybe chmod 0644 'mock/mageia-8-i586.cfg' +maybe chgrp 'mock' 'mock/mageia-8-x86_64.cfg' +maybe chmod 0644 'mock/mageia-8-x86_64.cfg' +maybe chgrp 'mock' 'mock/mageia-cauldron-aarch64.cfg' +maybe chmod 0644 'mock/mageia-cauldron-aarch64.cfg' +maybe chgrp 'mock' 'mock/mageia-cauldron-armv7hl.cfg' +maybe chmod 0644 'mock/mageia-cauldron-armv7hl.cfg' +maybe chgrp 'mock' 'mock/mageia-cauldron-i586.cfg' +maybe chmod 0644 'mock/mageia-cauldron-i586.cfg' +maybe chgrp 'mock' 'mock/mageia-cauldron-x86_64.cfg' +maybe chmod 0644 'mock/mageia-cauldron-x86_64.cfg' +maybe chgrp 'mock' 'mock/openmandriva-4.1-aarch64.cfg' 
+maybe chmod 0644 'mock/openmandriva-4.1-aarch64.cfg' +maybe chgrp 'mock' 'mock/openmandriva-4.1-armv7hnl.cfg' +maybe chmod 0644 'mock/openmandriva-4.1-armv7hnl.cfg' +maybe chgrp 'mock' 'mock/openmandriva-4.1-i686.cfg' +maybe chmod 0644 'mock/openmandriva-4.1-i686.cfg' +maybe chgrp 'mock' 'mock/openmandriva-4.1-x86_64.cfg' +maybe chmod 0644 'mock/openmandriva-4.1-x86_64.cfg' +maybe chgrp 'mock' 'mock/openmandriva-cooker-aarch64.cfg' +maybe chmod 0644 'mock/openmandriva-cooker-aarch64.cfg' +maybe chgrp 'mock' 'mock/openmandriva-cooker-armv7hnl.cfg' +maybe chmod 0644 'mock/openmandriva-cooker-armv7hnl.cfg' +maybe chgrp 'mock' 'mock/openmandriva-cooker-i686.cfg' +maybe chmod 0644 'mock/openmandriva-cooker-i686.cfg' +maybe chgrp 'mock' 'mock/openmandriva-cooker-x86_64.cfg' +maybe chmod 0644 'mock/openmandriva-cooker-x86_64.cfg' +maybe chgrp 'mock' 'mock/openmandriva-rolling-aarch64.cfg' +maybe chmod 0644 'mock/openmandriva-rolling-aarch64.cfg' +maybe chgrp 'mock' 'mock/openmandriva-rolling-armv7hnl.cfg' +maybe chmod 0644 'mock/openmandriva-rolling-armv7hnl.cfg' +maybe chgrp 'mock' 'mock/openmandriva-rolling-i686.cfg' +maybe chmod 0644 'mock/openmandriva-rolling-i686.cfg' +maybe chgrp 'mock' 'mock/openmandriva-rolling-x86_64.cfg' +maybe chmod 0644 'mock/openmandriva-rolling-x86_64.cfg' +maybe chgrp 'mock' 'mock/opensuse-leap-15.2-aarch64.cfg' +maybe chmod 0644 'mock/opensuse-leap-15.2-aarch64.cfg' +maybe chgrp 'mock' 'mock/opensuse-leap-15.2-x86_64.cfg' +maybe chmod 0644 'mock/opensuse-leap-15.2-x86_64.cfg' +maybe chgrp 'mock' 'mock/opensuse-leap-15.3-aarch64.cfg' +maybe chmod 0644 'mock/opensuse-leap-15.3-aarch64.cfg' +maybe chgrp 'mock' 'mock/opensuse-leap-15.3-ppc64le.cfg' +maybe chmod 0644 'mock/opensuse-leap-15.3-ppc64le.cfg' +maybe chgrp 'mock' 'mock/opensuse-leap-15.3-s390x.cfg' +maybe chmod 0644 'mock/opensuse-leap-15.3-s390x.cfg' +maybe chgrp 'mock' 'mock/opensuse-leap-15.3-x86_64.cfg' +maybe chmod 0644 'mock/opensuse-leap-15.3-x86_64.cfg' +maybe chgrp 'mock' 
'mock/opensuse-tumbleweed-aarch64.cfg' +maybe chmod 0644 'mock/opensuse-tumbleweed-aarch64.cfg' +maybe chgrp 'mock' 'mock/opensuse-tumbleweed-i586.cfg' +maybe chmod 0644 'mock/opensuse-tumbleweed-i586.cfg' +maybe chgrp 'mock' 'mock/opensuse-tumbleweed-ppc64.cfg' +maybe chmod 0644 'mock/opensuse-tumbleweed-ppc64.cfg' +maybe chgrp 'mock' 'mock/opensuse-tumbleweed-ppc64le.cfg' +maybe chmod 0644 'mock/opensuse-tumbleweed-ppc64le.cfg' +maybe chgrp 'mock' 'mock/opensuse-tumbleweed-s390x.cfg' +maybe chmod 0644 'mock/opensuse-tumbleweed-s390x.cfg' +maybe chgrp 'mock' 'mock/opensuse-tumbleweed-x86_64.cfg' +maybe chmod 0644 'mock/opensuse-tumbleweed-x86_64.cfg' +maybe chgrp 'mock' 'mock/oraclelinux-7-aarch64.cfg' +maybe chmod 0644 'mock/oraclelinux-7-aarch64.cfg' +maybe chgrp 'mock' 'mock/oraclelinux-7-x86_64.cfg' +maybe chmod 0644 'mock/oraclelinux-7-x86_64.cfg' +maybe chgrp 'mock' 'mock/oraclelinux-8-aarch64.cfg' +maybe chmod 0644 'mock/oraclelinux-8-aarch64.cfg' +maybe chgrp 'mock' 'mock/oraclelinux-8-x86_64.cfg' +maybe chmod 0644 'mock/oraclelinux-8-x86_64.cfg' +maybe chgrp 'mock' 'mock/rhel-7-aarch64.cfg' +maybe chmod 0644 'mock/rhel-7-aarch64.cfg' +maybe chgrp 'mock' 'mock/rhel-7-ppc64.cfg' +maybe chmod 0644 'mock/rhel-7-ppc64.cfg' +maybe chgrp 'mock' 'mock/rhel-7-ppc64le.cfg' +maybe chmod 0644 'mock/rhel-7-ppc64le.cfg' +maybe chgrp 'mock' 'mock/rhel-7-s390x.cfg' +maybe chmod 0644 'mock/rhel-7-s390x.cfg' +maybe chgrp 'mock' 'mock/rhel-7-x86_64.cfg' +maybe chmod 0644 'mock/rhel-7-x86_64.cfg' +maybe chgrp 'mock' 'mock/rhel-8-aarch64.cfg' +maybe chmod 0644 'mock/rhel-8-aarch64.cfg' +maybe chgrp 'mock' 'mock/rhel-8-ppc64le.cfg' +maybe chmod 0644 'mock/rhel-8-ppc64le.cfg' +maybe chgrp 'mock' 'mock/rhel-8-s390x.cfg' +maybe chmod 0644 'mock/rhel-8-s390x.cfg' +maybe chgrp 'mock' 'mock/rhel-8-x86_64.cfg' +maybe chmod 0644 'mock/rhel-8-x86_64.cfg' +maybe chgrp 'mock' 'mock/rhelepel-8-aarch64.cfg' +maybe chmod 0644 'mock/rhelepel-8-aarch64.cfg' +maybe chgrp 'mock' 
'mock/rhelepel-8-ppc64.cfg' +maybe chmod 0644 'mock/rhelepel-8-ppc64.cfg' +maybe chgrp 'mock' 'mock/rhelepel-8-ppc64le.cfg' +maybe chmod 0644 'mock/rhelepel-8-ppc64le.cfg' +maybe chgrp 'mock' 'mock/rhelepel-8-x86_64.cfg' +maybe chmod 0644 'mock/rhelepel-8-x86_64.cfg' +maybe chgrp 'mock' 'mock/site-defaults.cfg' +maybe chmod 0644 'mock/site-defaults.cfg' +maybe chmod 0755 'mock/templates' +maybe chgrp 'mock' 'mock/templates/almalinux-8.tpl' +maybe chmod 0644 'mock/templates/almalinux-8.tpl' +maybe chgrp 'mock' 'mock/templates/amazonlinux-2.tpl' +maybe chmod 0644 'mock/templates/amazonlinux-2.tpl' +maybe chgrp 'mock' 'mock/templates/centos-7.tpl' +maybe chmod 0644 'mock/templates/centos-7.tpl' +maybe chgrp 'mock' 'mock/templates/centos-8.tpl' +maybe chmod 0644 'mock/templates/centos-8.tpl' +maybe chgrp 'mock' 'mock/templates/centos-stream-8.tpl' +maybe chmod 0644 'mock/templates/centos-stream-8.tpl' +maybe chgrp 'mock' 'mock/templates/custom-1.tpl' +maybe chmod 0644 'mock/templates/custom-1.tpl' +maybe chgrp 'mock' 'mock/templates/epel-7.tpl' +maybe chmod 0644 'mock/templates/epel-7.tpl' +maybe chgrp 'mock' 'mock/templates/epel-8.tpl' +maybe chmod 0644 'mock/templates/epel-8.tpl' +maybe chgrp 'mock' 'mock/templates/epelplayground-8.tpl' +maybe chmod 0644 'mock/templates/epelplayground-8.tpl' +maybe chgrp 'mock' 'mock/templates/fedora-branched.tpl' +maybe chmod 0644 'mock/templates/fedora-branched.tpl' +maybe chgrp 'mock' 'mock/templates/fedora-eln.tpl' +maybe chmod 0644 'mock/templates/fedora-eln.tpl' +maybe chgrp 'mock' 'mock/templates/fedora-rawhide.tpl' +maybe chmod 0644 'mock/templates/fedora-rawhide.tpl' +maybe chgrp 'mock' 'mock/templates/mageia-7.tpl' +maybe chmod 0644 'mock/templates/mageia-7.tpl' +maybe chgrp 'mock' 'mock/templates/mageia-branched.tpl' +maybe chmod 0644 'mock/templates/mageia-branched.tpl' +maybe chgrp 'mock' 'mock/templates/mageia-cauldron.tpl' +maybe chmod 0644 'mock/templates/mageia-cauldron.tpl' +maybe chgrp 'mock' 
'mock/templates/openmandriva-branched.tpl' +maybe chmod 0644 'mock/templates/openmandriva-branched.tpl' +maybe chgrp 'mock' 'mock/templates/openmandriva-cooker.tpl' +maybe chmod 0644 'mock/templates/openmandriva-cooker.tpl' +maybe chgrp 'mock' 'mock/templates/openmandriva-rolling.tpl' +maybe chmod 0644 'mock/templates/openmandriva-rolling.tpl' +maybe chgrp 'mock' 'mock/templates/opensuse-leap-15.3.tpl' +maybe chmod 0644 'mock/templates/opensuse-leap-15.3.tpl' +maybe chgrp 'mock' 'mock/templates/opensuse-tumbleweed.tpl' +maybe chmod 0644 'mock/templates/opensuse-tumbleweed.tpl' +maybe chgrp 'mock' 'mock/templates/oraclelinux-7.tpl' +maybe chmod 0644 'mock/templates/oraclelinux-7.tpl' +maybe chgrp 'mock' 'mock/templates/oraclelinux-8.tpl' +maybe chmod 0644 'mock/templates/oraclelinux-8.tpl' +maybe chgrp 'mock' 'mock/templates/rhel-7.tpl' +maybe chmod 0644 'mock/templates/rhel-7.tpl' +maybe chgrp 'mock' 'mock/templates/rhel-8.tpl' +maybe chmod 0644 'mock/templates/rhel-8.tpl' +maybe chmod 0755 'modprobe.d' +maybe chmod 0644 'modprobe.d/blacklist-firewire.conf' +maybe chmod 0640 'modprobe.d/cramfs.conf' +maybe chmod 0644 'modprobe.d/firewalld-sysctls.conf' +maybe chmod 0644 'modprobe.d/lockd.conf' +maybe chmod 0644 'modprobe.d/nodccp.conf' +maybe chmod 0644 'modprobe.d/rds.conf' +maybe chmod 0644 'modprobe.d/sctp.conf' +maybe chmod 0640 'modprobe.d/squashfs.conf' +maybe chmod 0644 'modprobe.d/tipc.conf' +maybe chmod 0644 'modprobe.d/tuned.conf' +maybe chmod 0640 'modprobe.d/udf.conf' +maybe chmod 0640 'modprobe.d/vfat.conf' +maybe chmod 0755 'modulefiles' +maybe chmod 0755 'modules-load.d' +maybe chmod 0644 'motd' +maybe chmod 0755 'motd.d' +maybe chmod 0755 'multitail' +maybe chmod 0644 'multitail.conf' +maybe chmod 0644 'multitail/convert-geoip.pl' +maybe chmod 0644 'multitail/convert-simple.pl' +maybe chmod 0644 'my.cnf' +maybe chmod 0755 'my.cnf.d' +maybe chmod 0644 'my.cnf.d/client.cnf' +maybe chmod 0644 'my.cnf.d/enable_encryption.preset' +maybe chmod 0644 
'my.cnf.d/mysql-clients.cnf' +maybe chmod 0644 'my.cnf.d/server.cnf' +maybe chmod 0644 'my.cnf.d/spider.cnf' +maybe chmod 0775 'nagios' +maybe chmod 0644 'nagios/nrpe.cfg' +maybe chmod 0644 'nagios/nrpe.cfg.rpmnew' +maybe chgrp 'named' 'named' +maybe chmod 0750 'named' +maybe chgrp 'named' 'named.conf' +maybe chmod 0640 'named.conf' +maybe chgrp 'named' 'named.rfc1912.zones' +maybe chmod 0640 'named.rfc1912.zones' +maybe chgrp 'named' 'named.root.key' +maybe chmod 0644 'named.root.key' +maybe chmod 0644 'netconfig' +maybe chmod 0644 'networks' +maybe chmod 0755 'newrelic-infra' +maybe chmod 0644 'newrelic-infra.yml' +maybe chmod 0755 'newrelic-infra/integrations.d' +maybe chmod 0644 'newrelic-infra/integrations.d/docker-config.yml' +maybe chmod 0755 'newrelic-infra/logging.d' +maybe chmod 0644 'newrelic-infra/logging.d/file.yml.example' +maybe chmod 0644 'newrelic-infra/logging.d/fluentbit.yml.example' +maybe chmod 0644 'newrelic-infra/logging.d/postfix.yml' +maybe chmod 0644 'newrelic-infra/logging.d/syslog.yml.example' +maybe chmod 0644 'newrelic-infra/logging.d/systemd.yml.example' +maybe chmod 0644 'newrelic-infra/logging.d/tcp.yml.example' +maybe chmod 0644 'nfs.conf' +maybe chmod 0644 'nfsmount.conf' +maybe chmod 0700 'nftables' +maybe chmod 0600 'nftables/main.nft' +maybe chmod 0600 'nftables/nat.nft' +maybe chmod 0700 'nftables/osf' +maybe chmod 0600 'nftables/osf/pf.os' +maybe chmod 0600 'nftables/router.nft' +maybe chmod 0755 'nginx' +maybe chown 'nginx' 'nginx/.htpasswd' +maybe chgrp 'nginx' 'nginx/.htpasswd' +maybe chmod 0640 'nginx/.htpasswd' +maybe chown 'nginx' 'nginx/.passwd-madalin' +maybe chgrp 'nginx' 'nginx/.passwd-madalin' +maybe chmod 0640 'nginx/.passwd-madalin' +maybe chmod 0755 'nginx/conf.d' +maybe chown 'nginx' 'nginx/conf.d/anywhere.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/anywhere.ro.conf' +maybe chmod 0640 'nginx/conf.d/anywhere.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/blank.conf' +maybe chgrp 'nginx' 'nginx/conf.d/blank.conf' 
+maybe chmod 0644 'nginx/conf.d/blank.conf' +maybe chown 'nginx' 'nginx/conf.d/club3d.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/club3d.ro.conf' +maybe chmod 0644 'nginx/conf.d/club3d.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/default.conf' +maybe chgrp 'nginx' 'nginx/conf.d/default.conf' +maybe chmod 0644 'nginx/conf.d/default.conf' +maybe chown 'nginx' 'nginx/conf.d/default.conf.rpmnew' +maybe chgrp 'nginx' 'nginx/conf.d/default.conf.rpmnew' +maybe chmod 0644 'nginx/conf.d/default.conf.rpmnew' +maybe chown 'nginx' 'nginx/conf.d/files.898.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/files.898.ro.conf' +maybe chmod 0640 'nginx/conf.d/files.898.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/fl.898.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/fl.898.ro.conf' +maybe chmod 0640 'nginx/conf.d/fl.898.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool' +maybe chgrp 'nginx' 'nginx/conf.d/ganool' +maybe chmod 0750 'nginx/conf.d/ganool' +maybe chown 'nginx' 'nginx/conf.d/ganool.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool.conf' +maybe chmod 0640 'nginx/conf.d/ganool.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx' +maybe chmod 0755 'nginx/conf.d/ganool/nginx' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/conf.d' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/conf.d' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/conf.d' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/conf.d/cdn_cloudflare.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/conf.d/cdn_cloudflare.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/conf.d/cdn_cloudflare.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/fastcgi.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/fastcgi.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/fastcgi.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/fastcgi_params' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/fastcgi_params' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/fastcgi_params' +maybe chown 
'nginx' 'nginx/conf.d/ganool/nginx/iptables' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/iptables' +maybe chmod 0600 'nginx/conf.d/ganool/nginx/iptables' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/koi-utf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/koi-utf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/koi-utf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/koi-win' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/koi-win' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/koi-win' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/mime.types' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/mime.types' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/mime.types' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/modules' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/modules' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/modules' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/nginx.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/nginx.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/nginx.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/nginx.conf.bkp' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/nginx.conf.bkp' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/nginx.conf.bkp' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx.tgz' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx.tgz' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx.tgz' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/ngx1' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1.tgz' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1.tgz' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1.tgz' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/iptables' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/iptables' +maybe chmod 0600 'nginx/conf.d/ganool/nginx/ngx1/iptables' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx' +maybe chgrp 'nginx' 
'nginx/conf.d/ganool/nginx/ngx1/nginx' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/ngx1/nginx' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/conf.d' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/conf.d' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/ngx1/nginx/conf.d' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/conf.d/cdn_cloudflare.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/conf.d/cdn_cloudflare.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/conf.d/cdn_cloudflare.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/fastcgi.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/fastcgi.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/fastcgi.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/fastcgi_params' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/fastcgi_params' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/fastcgi_params' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/koi-utf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/koi-utf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/koi-utf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/koi-win' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/koi-win' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/koi-win' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/mime.types' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/mime.types' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/mime.types' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/modules' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/modules' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/ngx1/nginx/modules' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/nginx.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/nginx.conf' +maybe chmod 0644 
'nginx/conf.d/ganool/nginx/ngx1/nginx/nginx.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/nginx.conf.bkp' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/nginx.conf.bkp' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/nginx.conf.bkp' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/ngx.tgz' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/ngx.tgz' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/ngx.tgz' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/proxy.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/proxy.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/proxy.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/proxy.inc' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/proxy.inc' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/proxy.inc' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/scgi_params' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/scgi_params' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/scgi_params' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/uwsgi_params' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/uwsgi_params' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/uwsgi_params' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/blazefile.co.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/blazefile.co.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/blazefile.co.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/cmovieshd.ru.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/cmovieshd.ru.conf' +maybe chmod 0644 
'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/cmovieshd.ru.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/cokeandpopcorn.click.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/cokeandpopcorn.click.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/cokeandpopcorn.click.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/default.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/default.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/default.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled/goon.to.conf-old' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled/goon.to.conf-old' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled/goon.to.conf-old' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled/goon.to.conf-port_fwd' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled/goon.to.conf-port_fwd' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled/goon.to.conf-port_fwd' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled/linkgen.to.disabled' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled/linkgen.to.disabled' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/disabled/linkgen.to.disabled' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/download.cokeandpopcorn.click.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/download.cokeandpopcorn.click.conf' +maybe chmod 0644 
'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/download.cokeandpopcorn.click.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/file.rocks.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/file.rocks.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/file.rocks.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/fmoviesfree.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/fmoviesfree.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/fmoviesfree.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.ag.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.ag.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.ag.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.ee.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.ee.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.ee.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.is.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.is.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.is.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.ph.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.ph.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.ph.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.sc.conf' +maybe chgrp 'nginx' 
'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.sc.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.sc.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.st.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.st.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/ganool.st.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/goodmovies.is.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/goodmovies.is.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/goodmovies.is.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/goody.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/goody.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/goody.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/goon.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/goon.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/goon.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/gostream.rs.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/gostream.rs.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/gostream.rs.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/hdwallpapers.live.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/hdwallpapers.live.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/hdwallpapers.live.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/huluwood.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/huluwood.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/huluwood.com.conf' +maybe chown 'nginx' 
'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/idup.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/idup.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/idup.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/linkgen.st.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/linkgen.st.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/linkgen.st.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/linkgen.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/linkgen.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/linkgen.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/localhost.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/localhost.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/localhost.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/mylinkgen.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/mylinkgen.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/mylinkgen.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/mylinkgen.ws.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/mylinkgen.ws.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/mylinkgen.ws.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/myna.rocks.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/myna.rocks.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/myna.rocks.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/new.ganool.st.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/new.ganool.st.conf' +maybe chmod 0644 
'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/new.ganool.st.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/onlinehdmoviez.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/onlinehdmoviez.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/onlinehdmoviez.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/phpadmin.goon.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/phpadmin.goon.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/phpadmin.goon.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/rockfile.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/rockfile.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/rockfile.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/short.cokeandpopcorn.click.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/short.cokeandpopcorn.click.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/short.cokeandpopcorn.click.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/shrink.ltd.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/shrink.ltd.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/shrink.ltd.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/vudumov.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/vudumov.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/vhosts.d/vudumov.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/win-utf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/nginx/win-utf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/nginx/win-utf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/ngx1/sysctl.conf' +maybe chgrp 'nginx' 
'nginx/conf.d/ganool/nginx/ngx1/sysctl.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/ngx1/sysctl.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/proxy.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/proxy.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/proxy.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/proxy.inc' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/proxy.inc' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/proxy.inc' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/scgi_params' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/scgi_params' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/scgi_params' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/uwsgi_params' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/uwsgi_params' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/uwsgi_params' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/vhosts.d' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/blazefile.co.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/blazefile.co.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/blazefile.co.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/cmovieshd.ru.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/cmovieshd.ru.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/cmovieshd.ru.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/cmovieshd.se.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/cmovieshd.se.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/cmovieshd.se.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/cokeandpopcorn.click.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/cokeandpopcorn.click.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/cokeandpopcorn.click.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/default.conf' +maybe 
chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/default.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/default.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/disabled' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/disabled' +maybe chmod 0755 'nginx/conf.d/ganool/nginx/vhosts.d/disabled' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/disabled/goon.to.conf-old' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/disabled/goon.to.conf-old' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/disabled/goon.to.conf-old' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/disabled/goon.to.conf-port_fwd' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/disabled/goon.to.conf-port_fwd' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/disabled/goon.to.conf-port_fwd' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/disabled/linkgen.to.disabled' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/disabled/linkgen.to.disabled' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/disabled/linkgen.to.disabled' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/download.cokeandpopcorn.click.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/download.cokeandpopcorn.click.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/download.cokeandpopcorn.click.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/escorte.pro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/escorte.pro.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/escorte.pro.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/escortereale.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/escortereale.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/escortereale.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/escortero.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/escortero.com.conf' +maybe 
chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/escortero.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/escorteromania.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/escorteromania.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/escorteromania.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/file.rocks.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/file.rocks.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/file.rocks.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/fmoviesfree.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/fmoviesfree.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/fmoviesfree.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.ag.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.ag.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.ag.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.ee.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.ee.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.ee.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.is.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.is.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.is.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.ph.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.ph.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.ph.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.sc.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.sc.conf' +maybe chmod 0644 
'nginx/conf.d/ganool/nginx/vhosts.d/ganool.sc.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.se.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.se.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.se.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.st.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.st.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/ganool.st.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/goodmovies.is.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/goodmovies.is.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/goodmovies.is.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/goody.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/goody.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/goody.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/goon.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/goon.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/goon.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/gostream.rs.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/gostream.rs.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/gostream.rs.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/hdwallpapers.live.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/hdwallpapers.live.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/hdwallpapers.live.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/huluwood.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/huluwood.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/huluwood.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/idup.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/idup.to.conf' +maybe chmod 0644 
'nginx/conf.d/ganool/nginx/vhosts.d/idup.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/linkgen.st.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/linkgen.st.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/linkgen.st.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/linkgen.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/linkgen.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/linkgen.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/localhost.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/localhost.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/localhost.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/mail.escorte.pro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/mail.escorte.pro.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/mail.escorte.pro.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/mylinkgen.com.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/mylinkgen.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/mylinkgen.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/mylinkgen.ws.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/mylinkgen.ws.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/mylinkgen.ws.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/myna.rocks.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/myna.rocks.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/myna.rocks.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/new.ganool.st.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/new.ganool.st.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/new.ganool.st.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/onlinehdmoviez.com.conf' +maybe chgrp 'nginx' 
'nginx/conf.d/ganool/nginx/vhosts.d/onlinehdmoviez.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/onlinehdmoviez.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/phpadmin.goon.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/phpadmin.goon.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/phpadmin.goon.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/rockfile.to.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/rockfile.to.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/rockfile.to.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/sd-1.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/sd-1.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/sd-1.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/sd-2.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/sd-2.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/sd-2.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/sd-3.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/sd-3.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/sd-3.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/sexescorte.net.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/sexescorte.net.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/sexescorte.net.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/short.cokeandpopcorn.click.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/short.cokeandpopcorn.click.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/short.cokeandpopcorn.click.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/shrink.ltd.conf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/shrink.ltd.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/shrink.ltd.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/vudumov.com.conf' 
+maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/vhosts.d/vudumov.com.conf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/vhosts.d/vudumov.com.conf' +maybe chown 'nginx' 'nginx/conf.d/ganool/nginx/win-utf' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/nginx/win-utf' +maybe chmod 0644 'nginx/conf.d/ganool/nginx/win-utf' +maybe chown 'nginx' 'nginx/conf.d/ganool/ngx3.tgz' +maybe chgrp 'nginx' 'nginx/conf.d/ganool/ngx3.tgz' +maybe chmod 0640 'nginx/conf.d/ganool/ngx3.tgz' +maybe chown 'nginx' 'nginx/conf.d/git.898.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/git.898.ro.conf' +maybe chmod 0640 'nginx/conf.d/git.898.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/inactive' +maybe chgrp 'nginx' 'nginx/conf.d/inactive' +maybe chmod 0750 'nginx/conf.d/inactive' +maybe chown 'nginx' 'nginx/conf.d/inactive/cokeandpopcorn.click.conf_' +maybe chgrp 'nginx' 'nginx/conf.d/inactive/cokeandpopcorn.click.conf_' +maybe chmod 0640 'nginx/conf.d/inactive/cokeandpopcorn.click.conf_' +maybe chown 'nginx' 'nginx/conf.d/inactive/ganol.si.conf_' +maybe chgrp 'nginx' 'nginx/conf.d/inactive/ganol.si.conf_' +maybe chmod 0640 'nginx/conf.d/inactive/ganol.si.conf_' +maybe chown 'nginx' 'nginx/conf.d/inactive/ganool.ws.conf_' +maybe chgrp 'nginx' 'nginx/conf.d/inactive/ganool.ws.conf_' +maybe chmod 0640 'nginx/conf.d/inactive/ganool.ws.conf_' +maybe chown 'nginx' 'nginx/conf.d/jekyll.club3d.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/jekyll.club3d.ro.conf' +maybe chmod 0640 'nginx/conf.d/jekyll.club3d.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/login.898.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/login.898.ro.conf' +maybe chmod 0640 'nginx/conf.d/login.898.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/madalin.anywhere.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/madalin.anywhere.ro.conf' +maybe chmod 0640 'nginx/conf.d/madalin.anywhere.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/mail.898.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/mail.898.ro.conf' +maybe chmod 0640 'nginx/conf.d/mail.898.ro.conf' +maybe 
chown 'nginx' 'nginx/conf.d/mail.898.ro.conf_' +maybe chgrp 'nginx' 'nginx/conf.d/mail.898.ro.conf_' +maybe chmod 0640 'nginx/conf.d/mail.898.ro.conf_' +maybe chown 'nginx' 'nginx/conf.d/mail.anywhere.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/mail.anywhere.ro.conf' +maybe chmod 0640 'nginx/conf.d/mail.anywhere.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/mail.club3d.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/mail.club3d.ro.conf' +maybe chmod 0644 'nginx/conf.d/mail.club3d.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/padmin.club3d.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/padmin.club3d.ro.conf' +maybe chmod 0640 'nginx/conf.d/padmin.club3d.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/php-fpm.conf' +maybe chgrp 'nginx' 'nginx/conf.d/php-fpm.conf' +maybe chmod 0644 'nginx/conf.d/php-fpm.conf' +maybe chown 'nginx' 'nginx/conf.d/rspamd.club3d.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/rspamd.club3d.ro.conf' +maybe chmod 0644 'nginx/conf.d/rspamd.club3d.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/storm.club3d.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/storm.club3d.ro.conf' +maybe chmod 0640 'nginx/conf.d/storm.club3d.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/support.898.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/support.898.ro.conf' +maybe chmod 0640 'nginx/conf.d/support.898.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/trtlexplorer.gocrypto.conf' +maybe chgrp 'nginx' 'nginx/conf.d/trtlexplorer.gocrypto.conf' +maybe chmod 0640 'nginx/conf.d/trtlexplorer.gocrypto.conf' +maybe chown 'nginx' 'nginx/conf.d/vd.club3d.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/vd.club3d.ro.conf' +maybe chmod 0640 'nginx/conf.d/vd.club3d.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/webmail.vrem.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/webmail.vrem.ro.conf' +maybe chmod 0640 'nginx/conf.d/webmail.vrem.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/wordpress.club3d.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/wordpress.club3d.ro.conf' +maybe chmod 0644 'nginx/conf.d/wordpress.club3d.ro.conf' 
+maybe chown 'nginx' 'nginx/conf.d/zira.898.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/zira.898.ro.conf' +maybe chmod 0640 'nginx/conf.d/zira.898.ro.conf' +maybe chown 'nginx' 'nginx/conf.d/zira.go.ro.conf' +maybe chgrp 'nginx' 'nginx/conf.d/zira.go.ro.conf' +maybe chmod 0644 'nginx/conf.d/zira.go.ro.conf' +maybe chown 'nginx' 'nginx/default.d' +maybe chgrp 'nginx' 'nginx/default.d' +maybe chmod 0755 'nginx/default.d' +maybe chmod 0644 'nginx/default.d/php.conf' +maybe chown 'nginx' 'nginx/fastcgi.conf' +maybe chgrp 'nginx' 'nginx/fastcgi.conf' +maybe chmod 0644 'nginx/fastcgi.conf' +maybe chmod 0644 'nginx/fastcgi_params' +maybe chown 'nginx' 'nginx/html' +maybe chgrp 'nginx' 'nginx/html' +maybe chmod 0750 'nginx/html' +maybe chown 'nginx' 'nginx/html/.well-known' +maybe chgrp 'nginx' 'nginx/html/.well-known' +maybe chmod 0750 'nginx/html/.well-known' +maybe chown 'nginx' 'nginx/html/.well-known/acme-challenge' +maybe chgrp 'nginx' 'nginx/html/.well-known/acme-challenge' +maybe chmod 0750 'nginx/html/.well-known/acme-challenge' +maybe chmod 0644 'nginx/mime.types' +maybe chmod 0644 'nginx/nginx.conf' +maybe chmod 0644 'nginx/nginx.conf.cwaf_orig' +maybe chmod 0644 'nginx/nginx.conf.rpmnew' +maybe chown 'nginx' 'nginx/off' +maybe chgrp 'nginx' 'nginx/off' +maybe chmod 0644 'nginx/off' +maybe chown 'nginx' 'nginx/proxy.inc' +maybe chgrp 'nginx' 'nginx/proxy.inc' +maybe chmod 0640 'nginx/proxy.inc' +maybe chmod 0644 'nginx/scgi_params' +maybe chown 'nginx' 'nginx/sites-available' +maybe chgrp 'nginx' 'nginx/sites-available' +maybe chmod 0750 'nginx/sites-available' +maybe chown 'nginx' 'nginx/sites-available/blabla.com' +maybe chgrp 'nginx' 'nginx/sites-available/blabla.com' +maybe chmod 0640 'nginx/sites-available/blabla.com' +maybe chown 'nginx' 'nginx/sites-available/crm.thermographycloud.com' +maybe chgrp 'nginx' 'nginx/sites-available/crm.thermographycloud.com' +maybe chmod 0640 'nginx/sites-available/crm.thermographycloud.com' +maybe chmod 0640 
'nginx/sites-available/crymogea14ce.exigo.is' +maybe chown 'nginx' 'nginx/sites-available/erp.juedt.law' +maybe chgrp 'nginx' 'nginx/sites-available/erp.juedt.law' +maybe chmod 0640 'nginx/sites-available/erp.juedt.law' +maybe chown 'nginx' 'nginx/sites-available/jsmal.co' +maybe chgrp 'nginx' 'nginx/sites-available/jsmal.co' +maybe chmod 0640 'nginx/sites-available/jsmal.co' +maybe chown 'nginx' 'nginx/sites-available/odoo.club3d.ro' +maybe chgrp 'nginx' 'nginx/sites-available/odoo.club3d.ro' +maybe chmod 0640 'nginx/sites-available/odoo.club3d.ro' +maybe chown 'nginx' 'nginx/sites-enabled' +maybe chgrp 'nginx' 'nginx/sites-enabled' +maybe chmod 0750 'nginx/sites-enabled' +maybe chown 'nginx' 'nginx/ssl' +maybe chgrp 'nginx' 'nginx/ssl' +maybe chmod 0750 'nginx/ssl' +maybe chown 'nginx' 'nginx/ssl/demo1.cpuburnin.com.ca_cert.crt' +maybe chgrp 'nginx' 'nginx/ssl/demo1.cpuburnin.com.ca_cert.crt' +maybe chmod 0640 'nginx/ssl/demo1.cpuburnin.com.ca_cert.crt' +maybe chown 'nginx' 'nginx/ssl/demo1.cpuburnin.com.key' +maybe chgrp 'nginx' 'nginx/ssl/demo1.cpuburnin.com.key' +maybe chmod 0640 'nginx/ssl/demo1.cpuburnin.com.key' +maybe chown 'nginx' 'nginx/ssl/demo1.cpuburnin.com.pem' +maybe chgrp 'nginx' 'nginx/ssl/demo1.cpuburnin.com.pem' +maybe chmod 0640 'nginx/ssl/demo1.cpuburnin.com.pem' +maybe chown 'nginx' 'nginx/ssl/dhparam.pem' +maybe chgrp 'nginx' 'nginx/ssl/dhparam.pem' +maybe chmod 0640 'nginx/ssl/dhparam.pem' +maybe chmod 0644 'nginx/uwsgi_params' +maybe chmod 0644 'npmrc' +maybe chmod 0755 'nrpe.d' +maybe chmod 0644 'nsswitch.conf' +maybe chmod 0755 'oddjob' +maybe chmod 0644 'oddjobd.conf' +maybe chmod 0755 'oddjobd.conf.d' +maybe chmod 0644 'oddjobd.conf.d/oddjobd-introspection.conf' +maybe chmod 0644 'oddjobd.conf.d/oddjobd-mkhomedir.conf' +maybe chmod 0755 'one-context.d' +maybe chmod 0755 'one-context.d/loc-05-grow-rootfs' +maybe chmod 0755 'one-context.d/loc-09-timezone' +maybe chmod 0755 'one-context.d/loc-10-network' +maybe chmod 0755 
'one-context.d/loc-10-network-pci' +maybe chmod 0755 'one-context.d/loc-11-dns' +maybe chmod 0755 'one-context.d/loc-14-mount-swap' +maybe chmod 0755 'one-context.d/loc-16-gen-env' +maybe chmod 0755 'one-context.d/loc-20-set-username-password' +maybe chmod 0755 'one-context.d/loc-22-ssh_public_key' +maybe chmod 0755 'one-context.d/loc-30-console' +maybe chmod 0755 'one-context.d/loc-35-securetty' +maybe chmod 0755 'one-context.d/net-15-hostname' +maybe chmod 0755 'one-context.d/net-97-start-script' +maybe chmod 0755 'one-context.d/net-98-execute-scripts' +maybe chmod 0755 'one-context.d/net-99-report-ready' +maybe chgrp 'opendkim' 'opendkim' +maybe chmod 0755 'opendkim' +maybe chmod 0644 'opendkim.conf' +maybe chown 'opendkim' 'opendkim/KeyTable' +maybe chgrp 'opendkim' 'opendkim/KeyTable' +maybe chmod 0640 'opendkim/KeyTable' +maybe chown 'opendkim' 'opendkim/SigningTable' +maybe chgrp 'opendkim' 'opendkim/SigningTable' +maybe chmod 0640 'opendkim/SigningTable' +maybe chown 'opendkim' 'opendkim/TrustedHosts' +maybe chgrp 'opendkim' 'opendkim/TrustedHosts' +maybe chmod 0640 'opendkim/TrustedHosts' +maybe chgrp 'opendkim' 'opendkim/keys' +maybe chmod 0750 'opendkim/keys' +maybe chown 'opendkim' 'opendkim/keys/898.ro' +maybe chgrp 'opendkim' 'opendkim/keys/898.ro' +maybe chmod 0750 'opendkim/keys/898.ro' +maybe chown 'opendkim' 'opendkim/keys/898.ro/default' +maybe chgrp 'opendkim' 'opendkim/keys/898.ro/default' +maybe chmod 0640 'opendkim/keys/898.ro/default' +maybe chown 'opendkim' 'opendkim/keys/898.ro/default.private' +maybe chgrp 'opendkim' 'opendkim/keys/898.ro/default.private' +maybe chmod 0640 'opendkim/keys/898.ro/default.private' +maybe chown 'opendkim' 'opendkim/keys/898.ro/default.txt' +maybe chgrp 'opendkim' 'opendkim/keys/898.ro/default.txt' +maybe chmod 0640 'opendkim/keys/898.ro/default.txt' +maybe chown 'opendkim' 'opendkim/keys/default.private' +maybe chgrp 'opendkim' 'opendkim/keys/default.private' +maybe chmod 0640 'opendkim/keys/default.private' 
+maybe chown 'opendkim' 'opendkim/keys/vrem.ro' +maybe chgrp 'opendkim' 'opendkim/keys/vrem.ro' +maybe chmod 0750 'opendkim/keys/vrem.ro' +maybe chown 'opendkim' 'opendkim/keys/vrem.ro/default' +maybe chgrp 'opendkim' 'opendkim/keys/vrem.ro/default' +maybe chmod 0640 'opendkim/keys/vrem.ro/default' +maybe chown 'opendkim' 'opendkim/keys/vrem.ro/default.txt' +maybe chgrp 'opendkim' 'opendkim/keys/vrem.ro/default.txt' +maybe chmod 0640 'opendkim/keys/vrem.ro/default.txt' +maybe chown 'opendmarc' 'opendmarc' +maybe chgrp 'opendmarc' 'opendmarc' +maybe chmod 0755 'opendmarc' +maybe chmod 0644 'opendmarc.conf' +maybe chown 'pesign' 'opendmarc/public_suffix_list.dat' +maybe chgrp 'mail' 'opendmarc/public_suffix_list.dat' +maybe chmod 0640 'opendmarc/public_suffix_list.dat' +maybe chmod 0755 'openldap' +maybe chmod 0755 'openldap/certs' +maybe chmod 0644 'openldap/ldap.conf' +maybe chmod 0755 'opt' +maybe chmod 0755 'pam.d' +maybe chmod 0644 'pam.d/atd' +maybe chmod 0644 'pam.d/chfn' +maybe chmod 0644 'pam.d/chsh' +maybe chmod 0644 'pam.d/cockpit' +maybe chmod 0644 'pam.d/config-util' +maybe chmod 0644 'pam.d/crond' +maybe chmod 0644 'pam.d/dovecot' +maybe chmod 0644 'pam.d/fingerprint-auth' +maybe chmod 0644 'pam.d/login' +maybe chmod 0644 'pam.d/mock' +maybe chmod 0644 'pam.d/other' +maybe chmod 0644 'pam.d/passwd' +maybe chmod 0644 'pam.d/password-auth' +maybe chmod 0644 'pam.d/polkit-1' +maybe chmod 0644 'pam.d/postlogin' +maybe chmod 0644 'pam.d/ppp' +maybe chmod 0644 'pam.d/remote' +maybe chmod 0644 'pam.d/runuser' +maybe chmod 0644 'pam.d/runuser-l' +maybe chmod 0644 'pam.d/screen' +maybe chmod 0644 'pam.d/smartcard-auth' +maybe chmod 0644 'pam.d/smtp.postfix' +maybe chmod 0644 'pam.d/sshd' +maybe chmod 0644 'pam.d/sssd-shadowutils' +maybe chmod 0644 'pam.d/su' +maybe chmod 0644 'pam.d/su-l' +maybe chmod 0644 'pam.d/subscription-manager' +maybe chmod 0644 'pam.d/sudo' +maybe chmod 0644 'pam.d/sudo-i' +maybe chmod 0644 'pam.d/system-auth' +maybe chmod 0755 
'pam.d/system-auth-ac' +maybe chmod 0644 'pam.d/systemd-user' +maybe chmod 0644 'pam.d/vlock' +maybe chmod 0644 'pam.d/vmtoolsd' +maybe chmod 0644 'pam.d/vsftpd' +maybe chmod 0644 'papersize' +maybe chmod 0644 'passwd' +maybe chmod 0644 'passwd-' +maybe chmod 0755 'pear' +maybe chmod 0644 'pear.conf' +maybe chmod 0755 'pesign' +maybe chmod 0600 'pesign/groups' +maybe chmod 0600 'pesign/users' +maybe chmod 0644 'php-fpm.conf' +maybe chmod 0755 'php-fpm.d' +maybe chmod 0644 'php-fpm.d/www.conf' +maybe chmod 0755 'php-zts.d' +maybe chmod 0644 'php-zts.d/10-opcache.ini' +maybe chmod 0644 'php-zts.d/20-bz2.ini' +maybe chmod 0644 'php-zts.d/20-calendar.ini' +maybe chmod 0644 'php-zts.d/20-ctype.ini' +maybe chmod 0644 'php-zts.d/20-curl.ini' +maybe chmod 0644 'php-zts.d/20-dom.ini' +maybe chmod 0644 'php-zts.d/20-exif.ini' +maybe chmod 0644 'php-zts.d/20-fileinfo.ini' +maybe chmod 0644 'php-zts.d/20-ftp.ini' +maybe chmod 0644 'php-zts.d/20-gd.ini' +maybe chmod 0644 'php-zts.d/20-gettext.ini' +maybe chmod 0644 'php-zts.d/20-iconv.ini' +maybe chmod 0644 'php-zts.d/20-intl.ini' +maybe chmod 0644 'php-zts.d/20-json.ini' +maybe chmod 0644 'php-zts.d/20-ldap.ini' +maybe chmod 0644 'php-zts.d/20-mbstring.ini' +maybe chmod 0644 'php-zts.d/20-mysqlnd.ini' +maybe chmod 0644 'php-zts.d/20-pdo.ini' +maybe chmod 0644 'php-zts.d/20-phar.ini' +maybe chmod 0644 'php-zts.d/20-posix.ini' +maybe chmod 0644 'php-zts.d/20-shmop.ini' +maybe chmod 0644 'php-zts.d/20-simplexml.ini' +maybe chmod 0644 'php-zts.d/20-soap.ini' +maybe chmod 0644 'php-zts.d/20-sockets.ini' +maybe chmod 0644 'php-zts.d/20-sodium.ini' +maybe chmod 0644 'php-zts.d/20-sqlite3.ini' +maybe chmod 0644 'php-zts.d/20-sysvmsg.ini' +maybe chmod 0644 'php-zts.d/20-sysvsem.ini' +maybe chmod 0644 'php-zts.d/20-sysvshm.ini' +maybe chmod 0644 'php-zts.d/20-tokenizer.ini' +maybe chmod 0644 'php-zts.d/20-xml.ini' +maybe chmod 0644 'php-zts.d/20-xmlwriter.ini' +maybe chmod 0644 'php-zts.d/20-xsl.ini' +maybe chmod 0644 
'php-zts.d/30-mcrypt.ini' +maybe chmod 0644 'php-zts.d/30-mysqli.ini' +maybe chmod 0644 'php-zts.d/30-pdo_mysql.ini' +maybe chmod 0644 'php-zts.d/30-pdo_sqlite.ini' +maybe chmod 0644 'php-zts.d/30-xmlreader.ini' +maybe chmod 0644 'php-zts.d/40-zip.ini' +maybe chmod 0644 'php-zts.d/50-mysql.ini' +maybe chmod 0644 'php-zts.d/opcache-default.blacklist' +maybe chmod 0755 'php.d' +maybe chmod 0644 'php.d/10-opcache.ini' +maybe chmod 0644 'php.d/20-bz2.ini' +maybe chmod 0644 'php.d/20-calendar.ini' +maybe chmod 0644 'php.d/20-ctype.ini' +maybe chmod 0644 'php.d/20-curl.ini' +maybe chmod 0644 'php.d/20-dom.ini' +maybe chmod 0644 'php.d/20-exif.ini' +maybe chmod 0644 'php.d/20-fileinfo.ini' +maybe chmod 0644 'php.d/20-ftp.ini' +maybe chmod 0644 'php.d/20-gd.ini' +maybe chmod 0644 'php.d/20-gettext.ini' +maybe chmod 0644 'php.d/20-iconv.ini' +maybe chmod 0644 'php.d/20-intl.ini' +maybe chmod 0644 'php.d/20-json.ini' +maybe chmod 0644 'php.d/20-ldap.ini' +maybe chmod 0644 'php.d/20-mbstring.ini' +maybe chmod 0644 'php.d/20-mysqlnd.ini' +maybe chmod 0644 'php.d/20-pdo.ini' +maybe chmod 0644 'php.d/20-phar.ini' +maybe chmod 0644 'php.d/20-posix.ini' +maybe chmod 0644 'php.d/20-shmop.ini' +maybe chmod 0644 'php.d/20-simplexml.ini' +maybe chmod 0644 'php.d/20-soap.ini' +maybe chmod 0644 'php.d/20-sockets.ini' +maybe chmod 0644 'php.d/20-sodium.ini' +maybe chmod 0644 'php.d/20-sqlite3.ini' +maybe chmod 0644 'php.d/20-sysvmsg.ini' +maybe chmod 0644 'php.d/20-sysvsem.ini' +maybe chmod 0644 'php.d/20-sysvshm.ini' +maybe chmod 0644 'php.d/20-tokenizer.ini' +maybe chmod 0644 'php.d/20-xml.ini' +maybe chmod 0644 'php.d/20-xmlwriter.ini' +maybe chmod 0644 'php.d/20-xsl.ini' +maybe chmod 0644 'php.d/30-mcrypt.ini' +maybe chmod 0644 'php.d/30-mysqli.ini' +maybe chmod 0644 'php.d/30-pdo_mysql.ini' +maybe chmod 0644 'php.d/30-pdo_sqlite.ini' +maybe chmod 0644 'php.d/30-xmlreader.ini' +maybe chmod 0644 'php.d/40-zip.ini' +maybe chmod 0644 'php.d/50-mysql.ini' +maybe chmod 0644 
'php.d/opcache-default.blacklist' +maybe chmod 0644 'php.ini' +maybe chmod 0755 'pkcs11' +maybe chmod 0755 'pkcs11/modules' +maybe chmod 0755 'pki' +maybe chmod 0755 'pki/ca-trust' +maybe chmod 0644 'pki/ca-trust/README' +maybe chmod 0644 'pki/ca-trust/ca-legacy.conf' +maybe chmod 0755 'pki/ca-trust/extracted' +maybe chmod 0644 'pki/ca-trust/extracted/README' +maybe chmod 0755 'pki/ca-trust/extracted/edk2' +maybe chmod 0644 'pki/ca-trust/extracted/edk2/README' +maybe chmod 0444 'pki/ca-trust/extracted/edk2/cacerts.bin' +maybe chmod 0755 'pki/ca-trust/extracted/java' +maybe chmod 0644 'pki/ca-trust/extracted/java/README' +maybe chmod 0444 'pki/ca-trust/extracted/java/cacerts' +maybe chmod 0755 'pki/ca-trust/extracted/openssl' +maybe chmod 0644 'pki/ca-trust/extracted/openssl/README' +maybe chmod 0444 'pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' +maybe chmod 0755 'pki/ca-trust/extracted/pem' +maybe chmod 0644 'pki/ca-trust/extracted/pem/README' +maybe chmod 0444 'pki/ca-trust/extracted/pem/email-ca-bundle.pem' +maybe chmod 0444 'pki/ca-trust/extracted/pem/objsign-ca-bundle.pem' +maybe chmod 0444 'pki/ca-trust/extracted/pem/tls-ca-bundle.pem' +maybe chmod 0755 'pki/ca-trust/source' +maybe chmod 0644 'pki/ca-trust/source/README' +maybe chmod 0755 'pki/ca-trust/source/anchors' +maybe chmod 0755 'pki/ca-trust/source/blacklist' +maybe chmod 0755 'pki/consumer' +maybe chmod 0755 'pki/dovecot' +maybe chmod 0755 'pki/dovecot/certs' +maybe chmod 0600 'pki/dovecot/certs/dovecot.pem' +maybe chmod 0644 'pki/dovecot/dovecot-openssl.cnf' +maybe chmod 0755 'pki/dovecot/private' +maybe chmod 0600 'pki/dovecot/private/dovecot.pem' +maybe chmod 0755 'pki/elrepo' +maybe chmod 0644 'pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der' +maybe chmod 0755 'pki/entitlement' +maybe chmod 0755 'pki/java' +maybe chmod 0755 'pki/mock' +maybe chmod 0644 'pki/mock/README.txt' +maybe chmod 0755 'pki/nssdb' +maybe chmod 0644 'pki/nssdb/cert8.db' +maybe chmod 0644 'pki/nssdb/cert9.db' +maybe chmod 
0644 'pki/nssdb/key3.db' +maybe chmod 0644 'pki/nssdb/key4.db' +maybe chmod 0644 'pki/nssdb/pkcs11.txt' +maybe chmod 0644 'pki/nssdb/secmod.db' +maybe chown 'pesign' 'pki/pesign' +maybe chgrp 'pesign' 'pki/pesign' +maybe chmod 0770 'pki/pesign' +maybe chown 'pesign' 'pki/pesign-rh-test' +maybe chgrp 'pesign' 'pki/pesign-rh-test' +maybe chmod 0775 'pki/pesign-rh-test' +maybe chown 'pesign' 'pki/pesign-rh-test/cert8.db' +maybe chgrp 'pesign' 'pki/pesign-rh-test/cert8.db' +maybe chmod 0664 'pki/pesign-rh-test/cert8.db' +maybe chown 'pesign' 'pki/pesign-rh-test/key3.db' +maybe chgrp 'pesign' 'pki/pesign-rh-test/key3.db' +maybe chmod 0664 'pki/pesign-rh-test/key3.db' +maybe chown 'pesign' 'pki/pesign-rh-test/secmod.db' +maybe chgrp 'pesign' 'pki/pesign-rh-test/secmod.db' +maybe chmod 0664 'pki/pesign-rh-test/secmod.db' +maybe chown 'pesign' 'pki/pesign/cert8.db' +maybe chgrp 'pesign' 'pki/pesign/cert8.db' +maybe chmod 0660 'pki/pesign/cert8.db' +maybe chown 'pesign' 'pki/pesign/key3.db' +maybe chgrp 'pesign' 'pki/pesign/key3.db' +maybe chmod 0660 'pki/pesign/key3.db' +maybe chown 'pesign' 'pki/pesign/secmod.db' +maybe chgrp 'pesign' 'pki/pesign/secmod.db' +maybe chmod 0660 'pki/pesign/secmod.db' +maybe chmod 0755 'pki/product' +maybe chmod 0755 'pki/product-default' +maybe chmod 0755 'pki/rpm-gpg' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-EPEL-8' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-Jetico' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-centosofficial' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-centostesting' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-elrepo.org' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-remi' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-remi2017' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-remi2018' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-remi2019' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-remi2020' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY-remi2021' +maybe chmod 0644 'pki/rpm-gpg/RPM-GPG-KEY.art.txt' +maybe chmod 0644 
'pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt' +maybe chmod 0700 'pki/rsyslog' +maybe chmod 0755 'pki/tls' +maybe chmod 0755 'pki/tls/certs' +maybe chmod 0644 'pki/tls/certs/localhost.crt' +maybe chmod 0644 'pki/tls/certs/postfix.pem' +maybe chmod 0644 'pki/tls/ct_log_list.cnf' +maybe chmod 0755 'pki/tls/misc' +maybe chmod 0644 'pki/tls/openssl.cnf' +maybe chmod 0755 'pki/tls/private' +maybe chmod 0600 'pki/tls/private/localhost.key' +maybe chmod 0600 'pki/tls/private/postfix.key' +maybe chmod 0755 'pm' +maybe chmod 0755 'pm/config.d' +maybe chmod 0755 'pm/power.d' +maybe chmod 0755 'pm/sleep.d' +maybe chmod 0755 'polkit-1' +maybe chgrp 'polkitd' 'polkit-1/localauthority' +maybe chmod 0750 'polkit-1/localauthority' +maybe chmod 0755 'polkit-1/localauthority.conf.d' +maybe chmod 0755 'polkit-1/localauthority/10-vendor.d' +maybe chmod 0755 'polkit-1/localauthority/20-org.d' +maybe chmod 0755 'polkit-1/localauthority/30-site.d' +maybe chmod 0755 'polkit-1/localauthority/50-local.d' +maybe chmod 0755 'polkit-1/localauthority/90-mandatory.d' +maybe chown 'polkitd' 'polkit-1/rules.d' +maybe chmod 0700 'polkit-1/rules.d' +maybe chmod 0644 'polkit-1/rules.d/49-polkit-pkla-compat.rules' +maybe chmod 0644 'polkit-1/rules.d/50-default.rules' +maybe chmod 0755 'popt.d' +maybe chmod 0644 'popt.d/pesign.popt' +maybe chmod 0755 'postfix' +maybe chgrp 'postfix' 'postfix/_sql' +maybe chmod 0750 'postfix/_sql' +maybe chgrp 'postfix' 'postfix/_sql/mysql_virtual_alias_domain_catchall_maps.cf' +maybe chmod 0640 'postfix/_sql/mysql_virtual_alias_domain_catchall_maps.cf' +maybe chgrp 'postfix' 'postfix/_sql/mysql_virtual_alias_domain_mailbox_maps.cf' +maybe chmod 0640 'postfix/_sql/mysql_virtual_alias_domain_mailbox_maps.cf' +maybe chgrp 'postfix' 'postfix/_sql/mysql_virtual_alias_domain_maps.cf' +maybe chmod 0640 'postfix/_sql/mysql_virtual_alias_domain_maps.cf' +maybe chgrp 'postfix' 'postfix/_sql/mysql_virtual_alias_maps.cf' +maybe chmod 0640 'postfix/_sql/mysql_virtual_alias_maps.cf' +maybe 
chgrp 'postfix' 'postfix/_sql/mysql_virtual_domains_maps.cf' +maybe chmod 0640 'postfix/_sql/mysql_virtual_domains_maps.cf' +maybe chgrp 'postfix' 'postfix/_sql/mysql_virtual_mailbox_limit_maps.cf' +maybe chmod 0640 'postfix/_sql/mysql_virtual_mailbox_limit_maps.cf' +maybe chgrp 'postfix' 'postfix/_sql/mysql_virtual_mailbox_maps.cf' +maybe chmod 0640 'postfix/_sql/mysql_virtual_mailbox_maps.cf' +maybe chmod 0644 'postfix/access' +maybe chgrp 'postfix' 'postfix/access.db' +maybe chmod 0640 'postfix/access.db' +maybe chgrp 'postfix' 'postfix/blacklist' +maybe chmod 0640 'postfix/blacklist' +maybe chgrp 'postfix' 'postfix/blacklist.db' +maybe chmod 0640 'postfix/blacklist.db' +maybe chgrp 'postfix' 'postfix/body_checks' +maybe chmod 0640 'postfix/body_checks' +maybe chgrp 'postfix' 'postfix/body_checks.db' +maybe chmod 0640 'postfix/body_checks.db' +maybe chmod 0640 'postfix/ca-certificates-2019.2.32-76.el7_7.noarch.rpm' +maybe chmod 0644 'postfix/canonical' +maybe chgrp 'postfix' 'postfix/check_client_access' +maybe chmod 0640 'postfix/check_client_access' +maybe chgrp 'postfix' 'postfix/check_client_access.db' +maybe chmod 0640 'postfix/check_client_access.db' +maybe chgrp 'postfix' 'postfix/check_sender_access' +maybe chmod 0640 'postfix/check_sender_access' +maybe chgrp 'postfix' 'postfix/check_sender_access.db' +maybe chmod 0640 'postfix/check_sender_access.db' +maybe chgrp 'postfix' 'postfix/dh1024_param.pem' +maybe chmod 0640 'postfix/dh1024_param.pem' +maybe chgrp 'postfix' 'postfix/dh2048_param.pem' +maybe chmod 0640 'postfix/dh2048_param.pem' +maybe chgrp 'postfix' 'postfix/dh512_param.pem' +maybe chmod 0640 'postfix/dh512_param.pem' +maybe chmod 0644 'postfix/dynamicmaps.cf' +maybe chmod 0755 'postfix/dynamicmaps.cf.d' +maybe chmod 0644 'postfix/dynamicmaps.cf.d/mysql' +maybe chmod 0644 'postfix/dynamicmaps.cf.d/pcre' +maybe chgrp 'postfix' 'postfix/enable-postscreen.sh' +maybe chmod 0750 'postfix/enable-postscreen.sh' +maybe chmod 0644 'postfix/generic' 
+maybe chmod 0644 'postfix/generic.db' +maybe chmod 0644 'postfix/header_checks' +maybe chgrp 'postfix' 'postfix/header_checks.db' +maybe chmod 0640 'postfix/header_checks.db' +maybe chgrp 'postfix' 'postfix/helo_access.pcre' +maybe chmod 0640 'postfix/helo_access.pcre' +maybe chgrp 'postfix' 'postfix/helo_access.pcre.db' +maybe chmod 0640 'postfix/helo_access.pcre.db' +maybe chmod 0644 'postfix/main.cf' +maybe chmod 0644 'postfix/main.cf.proto' +maybe chmod 0644 'postfix/master.cf' +maybe chmod 0644 'postfix/master.cf.bkp' +maybe chmod 0644 'postfix/master.cf.proto' +maybe chgrp 'postfix' 'postfix/mime_header_checks' +maybe chmod 0640 'postfix/mime_header_checks' +maybe chgrp 'postfix' 'postfix/mynetworks' +maybe chmod 0640 'postfix/mynetworks' +maybe chgrp 'postfix' 'postfix/mynetworks.db' +maybe chmod 0640 'postfix/mynetworks.db' +maybe chgrp 'postfix' 'postfix/mysql' +maybe chmod 0750 'postfix/mysql' +maybe chgrp 'postfix' 'postfix/mysql/virtual_alias_domain_catchall_maps.cf' +maybe chmod 0640 'postfix/mysql/virtual_alias_domain_catchall_maps.cf' +maybe chgrp 'postfix' 'postfix/mysql/virtual_alias_domain_mailbox_maps.cf' +maybe chmod 0640 'postfix/mysql/virtual_alias_domain_mailbox_maps.cf' +maybe chgrp 'postfix' 'postfix/mysql/virtual_alias_domain_maps.cf' +maybe chmod 0640 'postfix/mysql/virtual_alias_domain_maps.cf' +maybe chgrp 'postfix' 'postfix/mysql/virtual_alias_maps.cf' +maybe chmod 0640 'postfix/mysql/virtual_alias_maps.cf' +maybe chgrp 'postfix' 'postfix/mysql/virtual_domains_maps.cf' +maybe chmod 0640 'postfix/mysql/virtual_domains_maps.cf' +maybe chgrp 'postfix' 'postfix/mysql/virtual_mailbox_limit_maps.cf' +maybe chmod 0640 'postfix/mysql/virtual_mailbox_limit_maps.cf' +maybe chgrp 'postfix' 'postfix/mysql/virtual_mailbox_maps.cf' +maybe chmod 0640 'postfix/mysql/virtual_mailbox_maps.cf' +maybe chgrp 'postfix' 'postfix/nested_header_checks' +maybe chmod 0640 'postfix/nested_header_checks' +maybe chmod 0644 'postfix/office365_passwd' +maybe chmod 
0640 'postfix/office365_passwd.db' +maybe chmod 0644 'postfix/postfix-files' +maybe chmod 0755 'postfix/postfix-files.d' +maybe chmod 0644 'postfix/postfix-files.d/mysql' +maybe chmod 0644 'postfix/postfix-files.d/pcre' +maybe chgrp 'postfix' 'postfix/postscreen_access.cidr' +maybe chmod 0640 'postfix/postscreen_access.cidr' +maybe chgrp 'postfix' 'postfix/postscreen_dnsbl_reply' +maybe chmod 0640 'postfix/postscreen_dnsbl_reply' +maybe chgrp 'postfix' 'postfix/rbl_override' +maybe chmod 0640 'postfix/rbl_override' +maybe chgrp 'postfix' 'postfix/rbl_override.db' +maybe chmod 0640 'postfix/rbl_override.db' +maybe chgrp 'postfix' 'postfix/relay_from_hosts' +maybe chmod 0640 'postfix/relay_from_hosts' +maybe chmod 0644 'postfix/relocated' +maybe chgrp 'postfix' 'postfix/sasl_passwd' +maybe chmod 0600 'postfix/sasl_passwd' +maybe chgrp 'postfix' 'postfix/sasl_passwd.db' +maybe chmod 0600 'postfix/sasl_passwd.db' +maybe chmod 0644 'postfix/sender_canonical' +maybe chmod 0640 'postfix/sender_canonical.db' +maybe chgrp 'postfix' 'postfix/skip_hello_hosts' +maybe chmod 0640 'postfix/skip_hello_hosts' +maybe chgrp 'postfix' 'postfix/skip_hello_hosts.db' +maybe chmod 0640 'postfix/skip_hello_hosts.db' +maybe chmod 0640 'postfix/smtp_dsn_filter' +maybe chmod 0640 'postfix/smtp_dsn_filter.db' +maybe chgrp 'postfix' 'postfix/sql' +maybe chmod 0750 'postfix/sql' +maybe chgrp 'postfix' 'postfix/sql/mysql-relay_domains_maps.cf' +maybe chmod 0640 'postfix/sql/mysql-relay_domains_maps.cf' +maybe chgrp 'postfix' 'postfix/sql/mysql-virtual_alias_domain_mailbox_maps.cf' +maybe chmod 0640 'postfix/sql/mysql-virtual_alias_domain_mailbox_maps.cf' +maybe chgrp 'postfix' 'postfix/sql/mysql-virtual_vacation.cf' +maybe chmod 0640 'postfix/sql/mysql-virtual_vacation.cf' +maybe chgrp 'postfix' 'postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf' +maybe chmod 0640 'postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf' +maybe chgrp 'postfix' 
'postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf' +maybe chmod 0640 'postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf' +maybe chgrp 'postfix' 'postfix/sql/mysql_virtual_alias_domain_maps.cf' +maybe chmod 0640 'postfix/sql/mysql_virtual_alias_domain_maps.cf' +maybe chgrp 'postfix' 'postfix/sql/mysql_virtual_alias_maps.cf' +maybe chmod 0640 'postfix/sql/mysql_virtual_alias_maps.cf' +maybe chgrp 'postfix' 'postfix/sql/mysql_virtual_domains_maps.cf' +maybe chmod 0640 'postfix/sql/mysql_virtual_domains_maps.cf' +maybe chgrp 'postfix' 'postfix/sql/mysql_virtual_mailbox_limit_maps.cf' +maybe chmod 0640 'postfix/sql/mysql_virtual_mailbox_limit_maps.cf' +maybe chgrp 'postfix' 'postfix/sql/mysql_virtual_mailbox_maps.cf' +maybe chmod 0640 'postfix/sql/mysql_virtual_mailbox_maps.cf' +maybe chgrp 'postfix' 'postfix/submission_header_cleanup' +maybe chmod 0640 'postfix/submission_header_cleanup' +maybe chmod 0644 'postfix/transport' +maybe chgrp 'postfix' 'postfix/transport.db' +maybe chmod 0640 'postfix/transport.db' +maybe chmod 0644 'postfix/virtual' +maybe chgrp 'postfix' 'postfix/virtual.db' +maybe chmod 0640 'postfix/virtual.db' +maybe chgrp 'postfix' 'postfix/virtual_regexp' +maybe chmod 0640 'postfix/virtual_regexp' +maybe chmod 0755 'ppp' +maybe chmod 0600 'ppp/chap-secrets' +maybe chmod 0755 'ppp/check-vpn' +maybe chmod 0600 'ppp/eaptls-client' +maybe chmod 0600 'ppp/eaptls-server' +maybe chmod 0755 'ppp/ip-down' +maybe chmod 0755 'ppp/ip-down.ipv6to4' +maybe chmod 0755 'ppp/ip-up' +maybe chmod 0755 'ppp/ip-up.d' +maybe chmod 0755 'ppp/ip-up.d/route-traffic' +maybe chmod 0755 'ppp/ip-up.ipv6to4' +maybe chmod 0755 'ppp/ipv6-down' +maybe chmod 0755 'ppp/ipv6-up' +maybe chmod 0644 'ppp/options' +maybe chmod 0644 'ppp/options.pptp' +maybe chmod 0644 'ppp/options.pptp.rpmnew' +maybe chmod 0644 'ppp/options.pptpd' +maybe chmod 0600 'ppp/pap-secrets' +maybe chmod 0755 'ppp/peers' +maybe chmod 0644 'ppp/peers/vpn_gazduire.ro' +maybe chmod 0644 'pptpd.conf' +maybe 
chmod 0755 'prelink.conf.d' +maybe chmod 0644 'prelink.conf.d/grub2.conf' +maybe chmod 0644 'printcap' +maybe chmod 0644 'profile' +maybe chmod 0755 'profile.d' +maybe chmod 0644 'profile.d/bash_completion.sh' +maybe chmod 0644 'profile.d/colorgrep.csh' +maybe chmod 0644 'profile.d/colorgrep.sh' +maybe chmod 0644 'profile.d/colorls.csh' +maybe chmod 0644 'profile.d/colorls.sh' +maybe chmod 0644 'profile.d/colorxzgrep.csh' +maybe chmod 0644 'profile.d/colorxzgrep.sh' +maybe chmod 0644 'profile.d/colorzgrep.csh' +maybe chmod 0644 'profile.d/colorzgrep.sh' +maybe chmod 0644 'profile.d/csh.local' +maybe chmod 0644 'profile.d/gawk.csh' +maybe chmod 0644 'profile.d/gawk.sh' +maybe chmod 0640 'profile.d/grc.sh' +maybe chmod 0644 'profile.d/lang.csh' +maybe chmod 0644 'profile.d/lang.sh' +maybe chmod 0644 'profile.d/less.csh' +maybe chmod 0644 'profile.d/less.sh' +maybe chmod 0644 'profile.d/mc.csh' +maybe chmod 0644 'profile.d/mc.sh' +maybe chmod 0644 'profile.d/mingw64.sh' +maybe chmod 0644 'profile.d/scl-init.csh' +maybe chmod 0644 'profile.d/scl-init.sh' +maybe chmod 0644 'profile.d/sh.local' +maybe chmod 0644 'profile.d/snapd.sh' +maybe chmod 0644 'profile.d/vim.csh' +maybe chmod 0644 'profile.d/vim.sh' +maybe chmod 0644 'profile.d/which2.csh' +maybe chmod 0644 'profile.d/which2.sh' +maybe chmod 0644 'protocols' +maybe chmod 0700 'psad' +maybe chmod 0700 'psad/archive' +maybe chmod 0600 'psad/archive/ET-Block-IPs.old1.gz' +maybe chmod 0600 'psad/archive/ET-Compromised-IPs.old1.gz' +maybe chmod 0600 'psad/archive/signatures.old1.gz' +maybe chmod 0600 'psad/auto_dl' +maybe chmod 0600 'psad/icmp6_types' +maybe chmod 0600 'psad/icmp_types' +maybe chmod 0600 'psad/ip_options' +maybe chmod 0600 'psad/pf.os' +maybe chmod 0600 'psad/posf' +maybe chmod 0600 'psad/protocols' +maybe chmod 0640 'psad/psad.conf' +maybe chmod 0700 'psad/reputation_feeds' +maybe chmod 0600 'psad/reputation_feeds/ET-Block-IPs' +maybe chmod 0600 'psad/reputation_feeds/ET-Compromised-IPs' +maybe chmod 
0600 'psad/signatures' +maybe chmod 0600 'psad/snort_rule_dl' +maybe chmod 0700 'psad/snort_rules' +maybe chmod 0600 'psad/snort_rules/attack-responses.rules' +maybe chmod 0600 'psad/snort_rules/backdoor.rules' +maybe chmod 0600 'psad/snort_rules/bad-traffic.rules' +maybe chmod 0600 'psad/snort_rules/chat.rules' +maybe chmod 0600 'psad/snort_rules/classification.config' +maybe chmod 0600 'psad/snort_rules/ddos.rules' +maybe chmod 0600 'psad/snort_rules/deleted.rules' +maybe chmod 0600 'psad/snort_rules/dns.rules' +maybe chmod 0600 'psad/snort_rules/dos.rules' +maybe chmod 0600 'psad/snort_rules/emerging-all.rules' +maybe chmod 0600 'psad/snort_rules/experimental.rules' +maybe chmod 0600 'psad/snort_rules/exploit.rules' +maybe chmod 0600 'psad/snort_rules/finger.rules' +maybe chmod 0600 'psad/snort_rules/ftp.rules' +maybe chmod 0600 'psad/snort_rules/icmp-info.rules' +maybe chmod 0600 'psad/snort_rules/icmp.rules' +maybe chmod 0600 'psad/snort_rules/imap.rules' +maybe chmod 0600 'psad/snort_rules/info.rules' +maybe chmod 0600 'psad/snort_rules/local.rules' +maybe chmod 0600 'psad/snort_rules/misc.rules' +maybe chmod 0600 'psad/snort_rules/multimedia.rules' +maybe chmod 0600 'psad/snort_rules/mysql.rules' +maybe chmod 0600 'psad/snort_rules/netbios.rules' +maybe chmod 0600 'psad/snort_rules/nntp.rules' +maybe chmod 0600 'psad/snort_rules/oracle.rules' +maybe chmod 0600 'psad/snort_rules/other-ids.rules' +maybe chmod 0600 'psad/snort_rules/p2p.rules' +maybe chmod 0600 'psad/snort_rules/policy.rules' +maybe chmod 0600 'psad/snort_rules/pop2.rules' +maybe chmod 0600 'psad/snort_rules/pop3.rules' +maybe chmod 0600 'psad/snort_rules/porn.rules' +maybe chmod 0600 'psad/snort_rules/reference.config' +maybe chmod 0600 'psad/snort_rules/rpc.rules' +maybe chmod 0600 'psad/snort_rules/rservices.rules' +maybe chmod 0600 'psad/snort_rules/scan.rules' +maybe chmod 0600 'psad/snort_rules/shellcode.rules' +maybe chmod 0600 'psad/snort_rules/smtp.rules' +maybe chmod 0600 
'psad/snort_rules/snmp.rules' +maybe chmod 0600 'psad/snort_rules/sql.rules' +maybe chmod 0600 'psad/snort_rules/telnet.rules' +maybe chmod 0600 'psad/snort_rules/tftp.rules' +maybe chmod 0600 'psad/snort_rules/virus.rules' +maybe chmod 0600 'psad/snort_rules/web-attacks.rules' +maybe chmod 0600 'psad/snort_rules/web-cgi.rules' +maybe chmod 0600 'psad/snort_rules/web-client.rules' +maybe chmod 0600 'psad/snort_rules/web-coldfusion.rules' +maybe chmod 0600 'psad/snort_rules/web-frontpage.rules' +maybe chmod 0600 'psad/snort_rules/web-iis.rules' +maybe chmod 0600 'psad/snort_rules/web-misc.rules' +maybe chmod 0600 'psad/snort_rules/web-php.rules' +maybe chmod 0600 'psad/snort_rules/x11.rules' +maybe chmod 0755 'pyzor' +maybe chmod 0755 'qemu-ga' +maybe chmod 0755 'qemu-ga/fsfreeze-hook' +maybe chmod 0755 'qemu-ga/fsfreeze-hook.d' +maybe chmod 0755 'rc.d' +maybe chmod 0755 'rc.d/init.d' +maybe chmod 0644 'rc.d/init.d/README' +maybe chmod 0755 'rc.d/init.d/bestcrypt' +maybe chmod 0755 'rc.d/init.d/falco' +maybe chmod 0644 'rc.d/init.d/functions' +maybe chmod 0755 'rc.d/init.d/network' +maybe chmod 0755 'rc.d/init.d/vpn-gazduire' +maybe chmod 0755 'rc.d/rc.local' +maybe chmod 0755 'rc.d/rc0.d' +maybe chmod 0755 'rc.d/rc1.d' +maybe chmod 0755 'rc.d/rc2.d' +maybe chmod 0755 'rc.d/rc3.d' +maybe chmod 0755 'rc.d/rc4.d' +maybe chmod 0755 'rc.d/rc5.d' +maybe chmod 0755 'rc.d/rc6.d' +maybe chmod 0644 'rearj.cfg' +maybe chmod 0755 'redhat-lsb' +maybe chmod 0755 'redhat-lsb/lsb_killproc' +maybe chmod 0755 'redhat-lsb/lsb_log_message' +maybe chmod 0755 'redhat-lsb/lsb_pidofproc' +maybe chmod 0755 'redhat-lsb/lsb_start_daemon' +maybe chown 'redis' 'redis-sentinel.conf' +maybe chmod 0640 'redis-sentinel.conf' +maybe chown 'redis' 'redis.conf' +maybe chmod 0640 'redis.conf' +maybe chmod 0644 'request-key.conf' +maybe chmod 0755 'request-key.d' +maybe chmod 0644 'request-key.d/id_resolver.conf' +maybe chmod 0644 'resolv.conf' +maybe chmod 0644 'resolv.conf.save' +maybe chmod 0755 
'rhsm' +maybe chmod 0755 'rhsm/ca' +maybe chmod 0755 'rhsm/facts' +maybe chmod 0644 'rhsm/logging.conf' +maybe chmod 0755 'rhsm/pluginconf.d' +maybe chmod 0644 'rhsm/rhsm.conf' +maybe chmod 0755 'rhsm/syspurpose' +maybe chmod 0644 'rhsm/syspurpose/valid_fields.json' +maybe chmod 0640 'rkhunter.conf' +maybe chmod 0640 'rkhunter.local.conf' +maybe chmod 0644 'rndc.conf' +maybe chmod 0644 'rpc' +maybe chmod 0755 'rpm' +maybe chmod 0644 'rpm/macros.dist' +maybe chmod 0755 'rpmlint' +maybe chmod 0644 'rpmlint/mingw-rpmlint.config' +maybe chmod 0755 'rspamd' +maybe chmod 0644 'rspamd/actions.conf' +maybe chmod 0644 'rspamd/cgp.inc' +maybe chmod 0644 'rspamd/common.conf' +maybe chmod 0644 'rspamd/composites.conf' +maybe chmod 0644 'rspamd/groups.conf' +maybe chmod 0755 'rspamd/local.d' +maybe chmod 0644 'rspamd/local.d/redis.conf' +maybe chmod 0644 'rspamd/local.d/worker-controller.inc' +maybe chmod 0644 'rspamd/logging.inc' +maybe chmod 0755 'rspamd/maps.d' +maybe chmod 0644 'rspamd/maps.d/dmarc_whitelist.inc' +maybe chmod 0644 'rspamd/maps.d/maillist.inc' +maybe chmod 0644 'rspamd/maps.d/mid.inc' +maybe chmod 0644 'rspamd/maps.d/mime_types.inc' +maybe chmod 0644 'rspamd/maps.d/redirectors.inc' +maybe chmod 0644 'rspamd/maps.d/spf_dkim_whitelist.inc' +maybe chmod 0644 'rspamd/maps.d/surbl-whitelist.inc' +maybe chmod 0644 'rspamd/metrics.conf' +maybe chmod 0644 'rspamd/modules.conf' +maybe chmod 0755 'rspamd/modules.d' +maybe chmod 0644 'rspamd/modules.d/antivirus.conf' +maybe chmod 0644 'rspamd/modules.d/arc.conf' +maybe chmod 0644 'rspamd/modules.d/asn.conf' +maybe chmod 0644 'rspamd/modules.d/chartable.conf' +maybe chmod 0644 'rspamd/modules.d/clickhouse.conf' +maybe chmod 0644 'rspamd/modules.d/dcc.conf' +maybe chmod 0644 'rspamd/modules.d/dkim.conf' +maybe chmod 0644 'rspamd/modules.d/dkim_signing.conf' +maybe chmod 0644 'rspamd/modules.d/dmarc.conf' +maybe chmod 0644 'rspamd/modules.d/elastic.conf' +maybe chmod 0644 'rspamd/modules.d/emails.conf' +maybe chmod 0644 
'rspamd/modules.d/external_services.conf' +maybe chmod 0644 'rspamd/modules.d/force_actions.conf' +maybe chmod 0644 'rspamd/modules.d/forged_recipients.conf' +maybe chmod 0644 'rspamd/modules.d/fuzzy_check.conf' +maybe chmod 0644 'rspamd/modules.d/greylist.conf' +maybe chmod 0644 'rspamd/modules.d/hfilter.conf' +maybe chmod 0644 'rspamd/modules.d/history_redis.conf' +maybe chmod 0644 'rspamd/modules.d/http_headers.conf' +maybe chmod 0644 'rspamd/modules.d/maillist.conf' +maybe chmod 0644 'rspamd/modules.d/metadata_exporter.conf' +maybe chmod 0644 'rspamd/modules.d/metric_exporter.conf' +maybe chmod 0644 'rspamd/modules.d/mid.conf' +maybe chmod 0644 'rspamd/modules.d/milter_headers.conf' +maybe chmod 0644 'rspamd/modules.d/mime_types.conf' +maybe chmod 0644 'rspamd/modules.d/multimap.conf' +maybe chmod 0644 'rspamd/modules.d/mx_check.conf' +maybe chmod 0644 'rspamd/modules.d/neural.conf' +maybe chmod 0644 'rspamd/modules.d/once_received.conf' +maybe chmod 0644 'rspamd/modules.d/p0f.conf' +maybe chmod 0644 'rspamd/modules.d/phishing.conf' +maybe chmod 0644 'rspamd/modules.d/ratelimit.conf' +maybe chmod 0644 'rspamd/modules.d/rbl.conf' +maybe chmod 0644 'rspamd/modules.d/redis.conf' +maybe chmod 0644 'rspamd/modules.d/regexp.conf' +maybe chmod 0644 'rspamd/modules.d/replies.conf' +maybe chmod 0644 'rspamd/modules.d/reputation.conf' +maybe chmod 0644 'rspamd/modules.d/rspamd_update.conf' +maybe chmod 0644 'rspamd/modules.d/spamassassin.conf' +maybe chmod 0644 'rspamd/modules.d/spamtrap.conf' +maybe chmod 0644 'rspamd/modules.d/spf.conf' +maybe chmod 0644 'rspamd/modules.d/surbl.conf' +maybe chmod 0644 'rspamd/modules.d/trie.conf' +maybe chmod 0644 'rspamd/modules.d/url_redirector.conf' +maybe chmod 0644 'rspamd/modules.d/whitelist.conf' +maybe chmod 0644 'rspamd/options.inc' +maybe chmod 0755 'rspamd/override.d' +maybe chmod 0644 'rspamd/rspamd.conf' +maybe chmod 0755 'rspamd/scores.d' +maybe chmod 0644 'rspamd/scores.d/content_group.conf' +maybe chmod 0644 
'rspamd/scores.d/fuzzy_group.conf' +maybe chmod 0644 'rspamd/scores.d/headers_group.conf' +maybe chmod 0644 'rspamd/scores.d/hfilter_group.conf' +maybe chmod 0644 'rspamd/scores.d/mime_types_group.conf' +maybe chmod 0644 'rspamd/scores.d/mua_group.conf' +maybe chmod 0644 'rspamd/scores.d/phishing_group.conf' +maybe chmod 0644 'rspamd/scores.d/policies_group.conf' +maybe chmod 0644 'rspamd/scores.d/rbl_group.conf' +maybe chmod 0644 'rspamd/scores.d/statistics_group.conf' +maybe chmod 0644 'rspamd/scores.d/subject_group.conf' +maybe chmod 0644 'rspamd/scores.d/surbl_group.conf' +maybe chmod 0644 'rspamd/scores.d/whitelist_group.conf' +maybe chmod 0644 'rspamd/settings.conf' +maybe chmod 0644 'rspamd/statistic.conf' +maybe chmod 0644 'rspamd/worker-controller.inc' +maybe chmod 0644 'rspamd/worker-fuzzy.inc' +maybe chmod 0644 'rspamd/worker-normal.inc' +maybe chmod 0644 'rspamd/worker-proxy.inc' +maybe chmod 0644 'rsyslog.conf' +maybe chmod 0644 'rsyslog.conf.rpmnew' +maybe chmod 0755 'rsyslog.d' +maybe chmod 0644 'rsyslog.d/ignore-systemd-session-slice.conf' +maybe chmod 0755 'rwtab.d' +maybe chmod 0644 'rwtab.d/logrotate' +maybe chmod 0644 'rwtab.d/named' +maybe chmod 0644 'rwtab.d/sssd' +maybe chmod 0755 'samba' +maybe chmod 0644 'samba/smb.conf.rpmsave' +maybe chmod 0755 'sasl2' +maybe chmod 0644 'sasl2/smtpd.conf' +maybe chmod 0755 'scl' +maybe chmod 0644 'scl/func_scl.csh' +maybe chmod 0755 'scl/modulefiles' +maybe chmod 0755 'scl/prefixes' +maybe chmod 0644 'scl/prefixes/gcc-toolset-9' +maybe chmod 0644 'screenrc' +maybe chmod 0755 'security' +maybe chmod 0644 'security/access.conf' +maybe chmod 0644 'security/capabilityRole.xml' +maybe chmod 0644 'security/chroot.conf' +maybe chmod 0755 'security/console.apps' +maybe chmod 0644 'security/console.apps/config-util' +maybe chmod 0644 'security/console.apps/mock' +maybe chmod 0644 'security/console.apps/subscription-manager' +maybe chmod 0644 'security/console.handlers' +maybe chmod 0644 'security/console.perms' 
+maybe chmod 0755 'security/console.perms.d' +maybe chmod 0644 'security/faillock.conf' +maybe chmod 0644 'security/group.conf' +maybe chmod 0644 'security/limits.conf' +maybe chmod 0755 'security/limits.d' +maybe chmod 0640 'security/limits.d/restrict-coredumps.conf' +maybe chmod 0644 'security/namespace.conf' +maybe chmod 0755 'security/namespace.d' +maybe chmod 0755 'security/namespace.init' +maybe chmod 0600 'security/opasswd' +maybe chmod 0644 'security/pam_env.conf' +maybe chmod 0644 'security/pwquality.conf' +maybe chmod 0755 'security/pwquality.conf.d' +maybe chmod 0644 'security/sepermit.conf' +maybe chmod 0644 'security/time.conf' +maybe chmod 0644 'security/user_map.conf' +maybe chmod 0755 'selinux' +maybe chmod 0644 'selinux/config' +maybe chmod 0644 'selinux/semanage.conf' +maybe chmod 0755 'selinux/targeted' +maybe chmod 0644 'selinux/targeted/.policy.sha512' +maybe chmod 0644 'selinux/targeted/booleans.subs_dist' +maybe chmod 0755 'selinux/targeted/contexts' +maybe chmod 0644 'selinux/targeted/contexts/customizable_types' +maybe chmod 0644 'selinux/targeted/contexts/dbus_contexts' +maybe chmod 0644 'selinux/targeted/contexts/default_contexts' +maybe chmod 0644 'selinux/targeted/contexts/default_type' +maybe chmod 0644 'selinux/targeted/contexts/failsafe_context' +maybe chmod 0755 'selinux/targeted/contexts/files' +maybe chmod 0644 'selinux/targeted/contexts/files/file_contexts' +maybe chmod 0644 'selinux/targeted/contexts/files/file_contexts.bin' +maybe chmod 0644 'selinux/targeted/contexts/files/file_contexts.homedirs' +maybe chmod 0644 'selinux/targeted/contexts/files/file_contexts.homedirs.bin' +maybe chmod 0644 'selinux/targeted/contexts/files/file_contexts.local' +maybe chmod 0644 'selinux/targeted/contexts/files/file_contexts.subs' +maybe chmod 0644 'selinux/targeted/contexts/files/file_contexts.subs_dist' +maybe chmod 0644 'selinux/targeted/contexts/files/media' +maybe chmod 0644 'selinux/targeted/contexts/initrc_context' +maybe chmod 0644 
'selinux/targeted/contexts/lxc_contexts' +maybe chmod 0644 'selinux/targeted/contexts/openssh_contexts' +maybe chmod 0644 'selinux/targeted/contexts/removable_context' +maybe chmod 0644 'selinux/targeted/contexts/securetty_types' +maybe chmod 0644 'selinux/targeted/contexts/sepgsql_contexts' +maybe chmod 0644 'selinux/targeted/contexts/snapperd_contexts' +maybe chmod 0644 'selinux/targeted/contexts/systemd_contexts' +maybe chmod 0644 'selinux/targeted/contexts/userhelper_context' +maybe chmod 0755 'selinux/targeted/contexts/users' +maybe chmod 0644 'selinux/targeted/contexts/users/guest_u' +maybe chmod 0644 'selinux/targeted/contexts/users/root' +maybe chmod 0644 'selinux/targeted/contexts/users/staff_u' +maybe chmod 0644 'selinux/targeted/contexts/users/sysadm_u' +maybe chmod 0644 'selinux/targeted/contexts/users/unconfined_u' +maybe chmod 0644 'selinux/targeted/contexts/users/user_u' +maybe chmod 0644 'selinux/targeted/contexts/users/xguest_u' +maybe chmod 0644 'selinux/targeted/contexts/virtual_domain_context' +maybe chmod 0644 'selinux/targeted/contexts/virtual_image_context' +maybe chmod 0644 'selinux/targeted/contexts/x_contexts' +maybe chmod 0755 'selinux/targeted/logins' +maybe chmod 0755 'selinux/targeted/policy' +maybe chmod 0644 'selinux/targeted/policy/policy.31' +maybe chmod 0644 'selinux/targeted/setrans.conf' +maybe chmod 0644 'selinux/targeted/seusers' +maybe chmod 0644 'services' +maybe chmod 0644 'sestatus.conf' +maybe chmod 0755 'sgml' +maybe chmod 0644 'sgml/catalog' +maybe chmod 0755 'sgml/docbook' +maybe chmod 0644 'sgml/docbook/xmlcatalog' +maybe chmod 0644 'sgml/sgml-docbook-3.0.cat' +maybe chmod 0644 'sgml/sgml-docbook-3.1.cat' +maybe chmod 0644 'sgml/sgml-docbook-4.0.cat' +maybe chmod 0644 'sgml/sgml-docbook-4.1.cat' +maybe chmod 0644 'sgml/sgml-docbook-4.2.cat' +maybe chmod 0644 'sgml/sgml-docbook-4.3.cat' +maybe chmod 0644 'sgml/sgml-docbook-4.4.cat' +maybe chmod 0644 'sgml/sgml-docbook-4.5.cat' +maybe chmod 0644 'sgml/sgml.conf' +maybe 
chmod 0644 'sgml/xml-docbook-4.1.2.cat' +maybe chmod 0644 'sgml/xml-docbook-4.2.cat' +maybe chmod 0644 'sgml/xml-docbook-4.3.cat' +maybe chmod 0644 'sgml/xml-docbook-4.4.cat' +maybe chmod 0644 'sgml/xml-docbook-4.5.cat' +maybe chmod 0000 'shadow' +maybe chmod 0000 'shadow-' +maybe chmod 0644 'shells' +maybe chmod 0755 'skel' +maybe chmod 0644 'skel/.bash_logout' +maybe chmod 0644 'skel/.bash_profile' +maybe chmod 0644 'skel/.bashrc' +maybe chmod 0755 'snmp' +maybe chmod 0755 'snmp/bind' +maybe chmod 0644 'snmp/bind.config' +maybe chmod 0750 'snmp/fail2ban' +maybe chmod 0755 'snmp/mysql' +maybe chmod 0755 'snmp/mysql-stats' +maybe chmod 0644 'snmp/mysql.cnf' +maybe chmod 0755 'snmp/nginx-nms' +maybe chmod 0755 'snmp/os-updates' +maybe chmod 0755 'snmp/phpfpm-sp' +maybe chmod 0755 'snmp/postfix-queues' +maybe chmod 0755 'snmp/postfixdetailed' +maybe chmod 0640 'snmp/snmpd.conf' +maybe chmod 0600 'snmp/snmptrapd.conf' +maybe chown 'sqlgrey' 'sqlgrey' +maybe chgrp 'sqlgrey' 'sqlgrey' +maybe chmod 0755 'sqlgrey' +maybe chown 'sqlgrey' 'sqlgrey/README' +maybe chgrp 'sqlgrey' 'sqlgrey/README' +maybe chmod 0644 'sqlgrey/README' +maybe chown 'sqlgrey' 'sqlgrey/clients_fqdn_whitelist' +maybe chgrp 'sqlgrey' 'sqlgrey/clients_fqdn_whitelist' +maybe chmod 0644 'sqlgrey/clients_fqdn_whitelist' +maybe chown 'sqlgrey' 'sqlgrey/clients_fqdn_whitelist.local' +maybe chgrp 'sqlgrey' 'sqlgrey/clients_fqdn_whitelist.local' +maybe chmod 0640 'sqlgrey/clients_fqdn_whitelist.local' +maybe chown 'sqlgrey' 'sqlgrey/clients_ip_whitelist' +maybe chgrp 'sqlgrey' 'sqlgrey/clients_ip_whitelist' +maybe chmod 0644 'sqlgrey/clients_ip_whitelist' +maybe chown 'sqlgrey' 'sqlgrey/clients_ip_whitelist.local' +maybe chgrp 'sqlgrey' 'sqlgrey/clients_ip_whitelist.local' +maybe chmod 0640 'sqlgrey/clients_ip_whitelist.local' +maybe chown 'sqlgrey' 'sqlgrey/discrimination.regexp' +maybe chgrp 'sqlgrey' 'sqlgrey/discrimination.regexp' +maybe chmod 0644 'sqlgrey/discrimination.regexp' +maybe chown 'sqlgrey' 
'sqlgrey/dyn_fqdn.regexp' +maybe chgrp 'sqlgrey' 'sqlgrey/dyn_fqdn.regexp' +maybe chmod 0644 'sqlgrey/dyn_fqdn.regexp' +maybe chown 'sqlgrey' 'sqlgrey/smtp_server.regexp' +maybe chgrp 'sqlgrey' 'sqlgrey/smtp_server.regexp' +maybe chmod 0644 'sqlgrey/smtp_server.regexp' +maybe chown 'sqlgrey' 'sqlgrey/sqlgrey.conf' +maybe chgrp 'sqlgrey' 'sqlgrey/sqlgrey.conf' +maybe chmod 0644 'sqlgrey/sqlgrey.conf' +maybe chown 'sqlgrey' 'sqlgrey/sqlgrey.sql' +maybe chgrp 'sqlgrey' 'sqlgrey/sqlgrey.sql' +maybe chmod 0640 'sqlgrey/sqlgrey.sql' +maybe chmod 0755 'ssh' +maybe chmod 0644 'ssh/moduli' +maybe chmod 0644 'ssh/ssh_config' +maybe chmod 0755 'ssh/ssh_config.d' +maybe chmod 0644 'ssh/ssh_config.d/05-redhat.conf' +maybe chgrp 'ssh_keys' 'ssh/ssh_host_ecdsa_key' +maybe chmod 0640 'ssh/ssh_host_ecdsa_key' +maybe chmod 0644 'ssh/ssh_host_ecdsa_key.pub' +maybe chgrp 'ssh_keys' 'ssh/ssh_host_ed25519_key' +maybe chmod 0640 'ssh/ssh_host_ed25519_key' +maybe chmod 0644 'ssh/ssh_host_ed25519_key.pub' +maybe chgrp 'ssh_keys' 'ssh/ssh_host_rsa_key' +maybe chmod 0640 'ssh/ssh_host_rsa_key' +maybe chmod 0644 'ssh/ssh_host_rsa_key.pub' +maybe chmod 0600 'ssh/sshd_config' +maybe chmod 0600 'ssh/sshd_config.orig' +maybe chmod 0600 'ssh/sshd_config.rpmnew' +maybe chmod 0755 'ssl' +maybe chmod 0644 'sslh.cfg' +maybe chown 'sssd' 'sssd' +maybe chgrp 'sssd' 'sssd' +maybe chmod 0700 'sssd' +maybe chown 'sssd' 'sssd/conf.d' +maybe chgrp 'sssd' 'sssd/conf.d' +maybe chmod 0711 'sssd/conf.d' +maybe chmod 0711 'sssd/pki' +maybe chmod 0644 'subgid' +maybe chmod 0644 'subgid-' +maybe chmod 0644 'subuid' +maybe chmod 0644 'subuid-' +maybe chmod 0755 'subversion' +maybe chmod 0640 'sudo-ldap.conf' +maybe chmod 0640 'sudo.conf' +maybe chmod 0440 'sudoers' +maybe chmod 0750 'sudoers.d' +maybe chmod 0644 'sudoers.d/amavis' +maybe chmod 0644 'sudoers.d/bogdan' +maybe chmod 0644 'sudoers.d/nrpe' +maybe chmod 0640 'sudoers.d/vampi' +maybe chmod 0755 'sysconfig' +maybe chmod 0644 'sysconfig/anaconda' +maybe 
chmod 0644 'sysconfig/arpwatch' +maybe chmod 0644 'sysconfig/atd' +maybe chmod 0644 'sysconfig/authconfig' +maybe chmod 0755 'sysconfig/cbq' +maybe chmod 0644 'sysconfig/cbq/avpkt' +maybe chmod 0644 'sysconfig/cbq/cbq-0000.example' +maybe chmod 0644 'sysconfig/certbot' +maybe chmod 0644 'sysconfig/chronyd' +maybe chmod 0755 'sysconfig/console' +maybe chmod 0644 'sysconfig/cpupower' +maybe chmod 0644 'sysconfig/crond' +maybe chmod 0600 'sysconfig/ebtables-config' +maybe chmod 0644 'sysconfig/firewalld' +maybe chmod 0644 'sysconfig/firstboot' +maybe chmod 0644 'sysconfig/garb' +maybe chmod 0644 'sysconfig/htcacheclean' +maybe chmod 0600 'sysconfig/ip6tables-config' +maybe chmod 0600 'sysconfig/iptables-config' +maybe chmod 0644 'sysconfig/iptables.old-2020-10-20-17_37_02' +maybe chmod 0600 'sysconfig/iptables.rpmsave' +maybe chmod 0644 'sysconfig/irqbalance' +maybe chmod 0644 'sysconfig/kernel' +maybe chmod 0644 'sysconfig/maldet' +maybe chmod 0644 'sysconfig/man-db' +maybe chmod 0644 'sysconfig/memcached' +maybe chmod 0755 'sysconfig/modules' +maybe chmod 0644 'sysconfig/named' +maybe chmod 0644 'sysconfig/network' +maybe chmod 0755 'sysconfig/network-scripts' +maybe chmod 0644 'sysconfig/network-scripts/ifcfg-eth0' +maybe chmod 0644 'sysconfig/network-scripts/ifcfg-lo' +maybe chmod 0755 'sysconfig/network-scripts/ifdown' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-Team' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-TeamPort' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-bnep' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-eth' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-ippp' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-ipv6' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-post' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-routes' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-sit' +maybe chmod 0755 'sysconfig/network-scripts/ifdown-tunnel' +maybe chmod 0755 'sysconfig/network-scripts/ifup' +maybe chmod 0755 
'sysconfig/network-scripts/ifup-Team' +maybe chmod 0755 'sysconfig/network-scripts/ifup-TeamPort' +maybe chmod 0755 'sysconfig/network-scripts/ifup-aliases' +maybe chmod 0755 'sysconfig/network-scripts/ifup-bnep' +maybe chmod 0755 'sysconfig/network-scripts/ifup-eth' +maybe chmod 0755 'sysconfig/network-scripts/ifup-ippp' +maybe chmod 0755 'sysconfig/network-scripts/ifup-ipv6' +maybe chmod 0755 'sysconfig/network-scripts/ifup-plip' +maybe chmod 0755 'sysconfig/network-scripts/ifup-plusb' +maybe chmod 0755 'sysconfig/network-scripts/ifup-post' +maybe chmod 0755 'sysconfig/network-scripts/ifup-routes' +maybe chmod 0755 'sysconfig/network-scripts/ifup-sit' +maybe chmod 0755 'sysconfig/network-scripts/ifup-tunnel' +maybe chmod 0755 'sysconfig/network-scripts/ifup-wireless' +maybe chmod 0755 'sysconfig/network-scripts/init.ipv6-global' +maybe chmod 0644 'sysconfig/network-scripts/network-functions' +maybe chmod 0644 'sysconfig/network-scripts/network-functions-ipv6' +maybe chmod 0644 'sysconfig/network-scripts/route-eth0' +maybe chmod 0600 'sysconfig/nftables.conf' +maybe chmod 0644 'sysconfig/node_exporter' +maybe chmod 0644 'sysconfig/nrpe' +maybe chmod 0644 'sysconfig/opendkim' +maybe chmod 0644 'sysconfig/opendmarc' +maybe chmod 0644 'sysconfig/pptpd' +maybe chmod 0644 'sysconfig/qemu-ga' +maybe chmod 0755 'sysconfig/rhn' +maybe chmod 0755 'sysconfig/rhn/allowed-actions' +maybe chmod 0755 'sysconfig/rhn/allowed-actions/configfiles' +maybe chmod 0755 'sysconfig/rhn/allowed-actions/script' +maybe chmod 0755 'sysconfig/rhn/clientCaps.d' +maybe chmod 0644 'sysconfig/rhn/up2date' +maybe chmod 0640 'sysconfig/rkhunter' +maybe chmod 0644 'sysconfig/rpcbind' +maybe chmod 0644 'sysconfig/rsyslog' +maybe chmod 0644 'sysconfig/run-parts' +maybe chmod 0644 'sysconfig/sa-update' +maybe chmod 0644 'sysconfig/saslauthd' +maybe chmod 0644 'sysconfig/snapd' +maybe chmod 0644 'sysconfig/snmpd' +maybe chmod 0644 'sysconfig/snmptrapd' +maybe chmod 0644 'sysconfig/spamassassin' +maybe 
chmod 0640 'sysconfig/sshd' +maybe chmod 0644 'sysconfig/sslh' +maybe chmod 0644 'sysconfig/svnserve' +maybe chmod 0644 'sysctl.conf' +maybe chmod 0644 'sysctl.conf.old-2020-10-20-17_37_02' +maybe chmod 0755 'sysctl.d' +maybe chmod 0644 'system-fips' +maybe chmod 0644 'system-release-cpe' +maybe chmod 0755 'systemd' +maybe chmod 0644 'systemd/coredump.conf' +maybe chmod 0644 'systemd/journald.conf' +maybe chmod 0644 'systemd/logind.conf' +maybe chmod 0644 'systemd/resolved.conf' +maybe chmod 0755 'systemd/system' +maybe chmod 0644 'systemd/system.conf' +maybe chmod 0755 'systemd/system/getty.target.wants' +maybe chmod 0644 'systemd/system/immortaldir.service' +maybe chmod 0755 'systemd/system/local-fs.target.wants' +maybe chmod 0755 'systemd/system/mariadb.service.d' +maybe chmod 0644 'systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf' +maybe chmod 0755 'systemd/system/multi-user.target.wants' +maybe chmod 0755 'systemd/system/network-online.target.wants' +maybe chmod 0644 'systemd/system/newrelic-infra.service' +maybe chmod 0755 'systemd/system/nfs-blkmap.service.requires' +maybe chmod 0755 'systemd/system/nfs-idmapd.service.requires' +maybe chmod 0755 'systemd/system/nfs-mountd.service.requires' +maybe chmod 0755 'systemd/system/nfs-server.service.requires' +maybe chmod 0755 'systemd/system/nginx.service.d' +maybe chmod 0755 'systemd/system/php-fpm.service.d' +maybe chmod 0755 'systemd/system/redis-sentinel.service.d' +maybe chmod 0644 'systemd/system/redis-sentinel.service.d/limit.conf' +maybe chmod 0755 'systemd/system/redis.service.d' +maybe chmod 0644 'systemd/system/redis.service.d/limit.conf' +maybe chmod 0755 'systemd/system/remote-fs.target.wants' +maybe chmod 0755 'systemd/system/rpc-gssd.service.requires' +maybe chmod 0755 'systemd/system/rpc-statd-notify.service.requires' +maybe chmod 0755 'systemd/system/rpc-statd.service.requires' +maybe chmod 0755 'systemd/system/sockets.target.wants' +maybe chmod 0755 
'systemd/system/sysinit.target.wants' +maybe chmod 0755 'systemd/system/timers.target.wants' +maybe chmod 0644 'systemd/system/var-lib-snapd-snap-core18-1885.mount' +maybe chmod 0644 'systemd/system/var-lib-snapd-snap-snapd-9279.mount' +maybe chmod 0755 'systemd/system/vmtoolsd.service.requires' +maybe chmod 0755 'systemd/user' +maybe chmod 0644 'systemd/user.conf' +maybe chmod 0755 'systemd/user/sockets.target.wants' +maybe chown 'tss' 'tcsd.conf' +maybe chgrp 'tss' 'tcsd.conf' +maybe chmod 0600 'tcsd.conf' +maybe chmod 0755 'terminfo' +maybe chmod 0755 'tmpfiles.d' +maybe chmod 0644 'tmpfiles.d/clamav.conf' +maybe chmod 0644 'tmpfiles.d/opendmarc.conf' +maybe chmod 0644 'trusted-key.key' +maybe chmod 0755 'tuned' +maybe chmod 0644 'tuned/active_profile' +maybe chmod 0644 'tuned/bootcmdline' +maybe chmod 0644 'tuned/post_loaded_profile' +maybe chmod 0644 'tuned/profile_mode' +maybe chmod 0755 'tuned/recommend.d' +maybe chmod 0644 'tuned/tuned-main.conf' +maybe chmod 0755 'udev' +maybe chmod 0444 'udev/hwdb.bin' +maybe chmod 0755 'udev/hwdb.d' +maybe chmod 0755 'udev/rules.d' +maybe chmod 0644 'udev/rules.d/70-snap.snapd.rules' +maybe chmod 0644 'udev/rules.d/75-cd-aliases-generator.rules' +maybe chmod 0644 'udev/rules.d/75-persistent-net-generator.rules' +maybe chmod 0644 'udev/rules.d/90-bcrypt-device-permissions.rules' +maybe chmod 0644 'udev/udev.conf' +maybe chmod 0644 'updatedb.conf' +maybe chmod 0644 'vconsole.conf' +maybe chmod 0644 'vimrc' +maybe chmod 0644 'virc' +maybe chmod 0755 'vmware-tools' +maybe chmod 0755 'vmware-tools/poweroff-vm-default' +maybe chmod 0755 'vmware-tools/poweron-vm-default' +maybe chmod 0755 'vmware-tools/resume-vm-default' +maybe chmod 0755 'vmware-tools/scripts' +maybe chmod 0755 'vmware-tools/scripts/vmware' +maybe chmod 0755 'vmware-tools/scripts/vmware/network' +maybe chmod 0755 'vmware-tools/statechange.subr' +maybe chmod 0755 'vmware-tools/suspend-vm-default' +maybe chmod 0644 'vmware-tools/tools.conf.example' +maybe chmod 
0755 'vmware-tools/vgauth' +maybe chmod 0644 'vmware-tools/vgauth.conf' +maybe chmod 0755 'vmware-tools/vgauth/schemas' +maybe chmod 0644 'vmware-tools/vgauth/schemas/XMLSchema-hasFacetAndProperty.xsd' +maybe chmod 0644 'vmware-tools/vgauth/schemas/XMLSchema-instance.xsd' +maybe chmod 0644 'vmware-tools/vgauth/schemas/XMLSchema.dtd' +maybe chmod 0644 'vmware-tools/vgauth/schemas/XMLSchema.xsd' +maybe chmod 0644 'vmware-tools/vgauth/schemas/catalog.xml' +maybe chmod 0644 'vmware-tools/vgauth/schemas/datatypes.dtd' +maybe chmod 0644 'vmware-tools/vgauth/schemas/saml-schema-assertion-2.0.xsd' +maybe chmod 0644 'vmware-tools/vgauth/schemas/xenc-schema.xsd' +maybe chmod 0644 'vmware-tools/vgauth/schemas/xml.xsd' +maybe chmod 0644 'vmware-tools/vgauth/schemas/xmldsig-core-schema.xsd' +maybe chmod 0755 'vpnc' +maybe chmod 0600 'vpnc/default.conf' +maybe chmod 0644 'vpnc/vpnc-0.5.3-27.svn550.fc24.src.rpm' +maybe chmod 0755 'vpnc/vpnc-script' +maybe chmod 0755 'vpnc/vpnc-script2' +maybe chmod 0755 'vpnc/vpnc.sh' +maybe chmod 0755 'vsftpd' +maybe chmod 0600 'vsftpd/ftpusers' +maybe chmod 0600 'vsftpd/user_list' +maybe chmod 0600 'vsftpd/vsftpd.conf' +maybe chmod 0744 'vsftpd/vsftpd_conf_migrate.sh' +maybe chmod 0644 'wgetrc' +maybe chmod 0644 'whois.conf' +maybe chmod 0700 'wireguard' +maybe chmod 0644 'wireguard/wg0.conf' +maybe chmod 0644 'xattr.conf' +maybe chmod 0755 'xdg' +maybe chmod 0755 'xdg/QtProject' +maybe chmod 0755 'xdg/autostart' +maybe chmod 0644 'xdg/autostart/bestcrypt-panel.desktop' +maybe chmod 0644 'xdg/autostart/snap-userd-autostart.desktop' +maybe chmod 0755 'xdg/qtchooser' +maybe chmod 0644 'xdg/qtchooser/5-64.conf' +maybe chmod 0755 'xdg/systemd' +maybe chmod 0600 'xinetd.conf' +maybe chmod 0755 'xinetd.d' +maybe chmod 0600 'xinetd.d/chargen-dgram' +maybe chmod 0600 'xinetd.d/chargen-stream' +maybe chmod 0600 'xinetd.d/daytime-dgram' +maybe chmod 0600 'xinetd.d/daytime-stream' +maybe chmod 0600 'xinetd.d/discard-dgram' +maybe chmod 0600 
'xinetd.d/discard-stream' +maybe chmod 0600 'xinetd.d/echo-dgram' +maybe chmod 0600 'xinetd.d/echo-stream' +maybe chmod 0750 'xinetd.d/ntalk' +maybe chmod 0640 'xinetd.d/talk' +maybe chmod 0600 'xinetd.d/tcpmux-server' +maybe chmod 0600 'xinetd.d/time-dgram' +maybe chmod 0600 'xinetd.d/time-stream' +maybe chmod 0755 'xml' +maybe chmod 0644 'xml/catalog' +maybe chmod 0755 'yum' +maybe chmod 0755 'yum.repos.d' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-AppStream.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-BaseOS.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-ContinuousRelease.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-Debuginfo.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-Devel.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-Extras.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-FastTrack.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-HighAvailability.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-Media.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-Plus.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-PowerTools.repo' +maybe chmod 0640 'yum.repos.d/CentOS-Linux-Sources.repo' +maybe chmod 0640 'yum.repos.d/atomic.repo' +maybe chmod 0640 'yum.repos.d/bestcrypt.repo' +maybe chmod 0640 'yum.repos.d/docker-ce.repo' +maybe chmod 0640 'yum.repos.d/elrepo.repo' +maybe chmod 0640 'yum.repos.d/epel-modular.repo' +maybe chmod 0640 'yum.repos.d/epel-playground.repo' +maybe chmod 0640 'yum.repos.d/epel-testing-modular.repo' +maybe chmod 0640 'yum.repos.d/epel-testing.repo' +maybe chmod 0644 'yum.repos.d/epel.repo' +maybe chmod 0640 'yum.repos.d/immortal_immortal.repo' +maybe chmod 0640 'yum.repos.d/lynis.repo' +maybe chmod 0640 'yum.repos.d/mariadb.repo' +maybe chmod 0640 'yum.repos.d/newrelic-infra.repo' +maybe chmod 0640 'yum.repos.d/nginx.repo' +maybe chmod 0640 'yum.repos.d/remi-modular.repo' +maybe chmod 0640 'yum.repos.d/remi-safe.repo' +maybe chmod 0640 'yum.repos.d/remi.repo' +maybe chmod 0640 'yum.repos.d/rspamd.repo' +maybe chmod 
0640 'yum.repos.d/wazuh.repo' +maybe chmod 0755 'zmap' +maybe chmod 0644 'zmap/blocklist.conf' +maybe chmod 0644 'zmap/results.csv' +maybe chmod 0644 'zmap/zmap.conf' diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6b09c6b --- /dev/null +++ b/.gitignore @@ -0,0 +1,49 @@ +# begin section managed by etckeeper (do not edit this section by hand) + +# old versions of files +*.old + +# mount(8) records system state here, no need to store these +blkid.tab +blkid.tab.old + +# some other files in /etc that typically do not need to be tracked +nologin +ld.so.cache +prelink.cache +mtab +mtab.fuselock +.pwd.lock +*.LOCK +network/run +adjtime +lvm/cache +lvm/archive +X11/xdm/authdir/authfiles/* +ntp.conf.dhcp +.initctl +webmin/fsdump/*.status +webmin/webmin/oscache +apparmor.d/cache/* +service/*/supervise/* +service/*/log/supervise/* +sv/*/supervise/* +sv/*/log/supervise/* +*.elc +*.pyc +*.pyo +init.d/.depend.* +openvpn/openvpn-status.log +cups/subscriptions.conf +cups/subscriptions.conf.O +fake-hwclock.data +check_mk/logwatch.state + +# editor temp files +*~ +.*.sw? +.sw? +\#*\# +DEADJOE + +# end section managed by etckeeper diff --git a/.updated b/.updated new file mode 100644 index 0000000..7e3b92c --- /dev/null +++ b/.updated @@ -0,0 +1,4 @@ +# This file was created by systemd-update-done. Its only +# purpose is to hold a timestamp of the time this directory +# was updated. See man:systemd-update-done.service(8). +TIMESTAMP_NSEC=1614695289186707635 diff --git a/DIR_COLORS b/DIR_COLORS new file mode 100644 index 0000000..c7134a7 --- /dev/null +++ b/DIR_COLORS 
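Review bot: The `.gitignore` hunk excludes only caches, lock files and editor temp files, while the `.etckeeper` metadata in this same commit lists `shadow`, `shadow-`, `security/opasswd`, `ssh/ssh_host_*_key`, `wireguard/wg0.conf` and `vpnc/default.conf` as tracked paths. Their contents are not visible here, but files with these names normally hold password hashes and private keys, so every clone of the repository would receive them. Local entries can be added below the `# end section managed by etckeeper` line without touching the managed section, for example `shadow*`, `ssh/ssh_host_*_key` and `wireguard/*.conf`. Ignoring a path does not untrack it, so the files would also need `git rm --cached`. If this history has already left the host, the affected keys and passwords should be treated as exposed and rotated.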
@@ -0,0 +1,211 @@
+# Configuration file for dircolors, a utility to help you set the
+# LS_COLORS environment variable used by GNU ls with the --color option.
+
+# This file goes in the /etc directory, and must be world readable.
+# You can copy this file to .dir_colors in your $HOME directory to override
+# the system defaults.
+
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copying and distribution of this file, with or without modification,
+# are permitted provided the copyright notice and this notice are preserved.
+
+# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the
+# slackware version of dircolors) are recognized but ignored.
+
+# For compatibility, the pattern "^COLOR.*none" is recognized as a way to
+# disable colorization. See https://bugzilla.redhat.com/1349579 for details.
+
+# Below are TERM entries, which can be a glob patterns, to match
+# against the TERM environment variable to determine if it is colorizable.
+TERM Eterm
+TERM ansi
+TERM *color*
+TERM con[0-9]*x[0-9]*
+TERM cons25
+TERM console
+TERM cygwin
+TERM dtterm
+TERM gnome
+TERM hurd
+TERM jfbterm
+TERM konsole
+TERM kterm
+TERM linux
+TERM linux-c
+TERM mlterm
+TERM putty
+TERM rxvt*
+TERM screen*
+TERM st
+TERM terminator
+TERM tmux*
+TERM vt100
+TERM xterm*
+
+# Below are the color init strings for the basic file types. A color init
+# string consists of one or more of the following numeric codes:
+# Attribute codes:
+# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
+# Text color codes:
+# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
+# Background color codes:
+# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white
+#NORMAL 00 # no color code at all
+#FILE 00 # regular file: use no color at all
+RESET 0 # reset to "normal" color
+DIR 01;34 # directory
+LINK 01;36 # symbolic link. (If you set this to 'target' instead of a
+ # numerical value, the color is as for the file pointed to.)
+MULTIHARDLINK 00 # regular file with more than one link
+FIFO 40;33 # pipe
+SOCK 01;35 # socket
+DOOR 01;35 # door
+BLK 40;33;01 # block device driver
+CHR 40;33;01 # character device driver
+ORPHAN 40;31;01 # symlink to nonexistent file, or non-stat'able file ...
+MISSING 01;05;37;41 # ... and the files they point to
+SETUID 37;41 # file that is setuid (u+s)
+SETGID 30;43 # file that is setgid (g+s)
+CAPABILITY 30;41 # file with capability
+STICKY_OTHER_WRITABLE 30;42 # dir that is sticky and other-writable (+t,o+w)
+OTHER_WRITABLE 34;42 # dir that is other-writable (o+w) and not sticky
+STICKY 37;44 # dir with the sticky bit set (+t) and not other-writable
+
+# This is for files with execute permission:
+EXEC 01;32
+
+# List any file extensions like '.gz' or '.tar' that you would like ls
+# to colorize below. Put the extension, a space, and the color init string.
+# (and any comments you want to add after a '#')
+
+# If you use DOS-style suffixes, you may want to uncomment the following:
+#.cmd 01;32 # executables (bright green)
+#.exe 01;32
+#.com 01;32
+#.btm 01;32
+#.bat 01;32
+# Or if you want to colorize scripts even if they do not have the
+# executable bit actually set.
+#.sh 01;32
+#.csh 01;32
+
+ # archives or compressed (bright red)
+.tar 01;31
+.tgz 01;31
+.arc 01;31
+.arj 01;31
+.taz 01;31
+.lha 01;31
+.lz4 01;31
+.lzh 01;31
+.lzma 01;31
+.tlz 01;31
+.txz 01;31
+.tzo 01;31
+.t7z 01;31
+.zip 01;31
+.z 01;31
+.dz 01;31
+.gz 01;31
+.lrz 01;31
+.lz 01;31
+.lzo 01;31
+.xz 01;31
+.zst 01;31
+.tzst 01;31
+.bz2 01;31
+.bz 01;31
+.tbz 01;31
+.tbz2 01;31
+.tz 01;31
+.deb 01;31
+.rpm 01;31
+.jar 01;31
+.war 01;31
+.ear 01;31
+.sar 01;31
+.rar 01;31
+.alz 01;31
+.ace 01;31
+.zoo 01;31
+.cpio 01;31
+.7z 01;31
+.rz 01;31
+.cab 01;31
+.wim 01;31
+.swm 01;31
+.dwm 01;31
+.esd 01;31
+
+# image formats
+.jpg 01;35
+.jpeg 01;35
+.mjpg 01;35
+.mjpeg 01;35
+.gif 01;35
+.bmp 01;35
+.pbm 01;35
+.pgm 01;35
+.ppm 01;35
+.tga 01;35
+.xbm 01;35
+.xpm 01;35
+.tif 01;35
+.tiff 01;35
+.png 01;35
+.svg 01;35
+.svgz 01;35
+.mng 01;35
+.pcx 01;35
+.mov 01;35
+.mpg 01;35
+.mpeg 01;35
+.m2v 01;35
+.mkv 01;35
+.webm 01;35
+.ogm 01;35
+.mp4 01;35
+.m4v 01;35
+.mp4v 01;35
+.vob 01;35
+.qt 01;35
+.nuv 01;35
+.wmv 01;35
+.asf 01;35
+.rm 01;35
+.rmvb 01;35
+.flc 01;35
+.avi 01;35
+.fli 01;35
+.flv 01;35
+.gl 01;35
+.dl 01;35
+.xcf 01;35
+.xwd 01;35
+.yuv 01;35
+.cgm 01;35
+.emf 01;35
+
+# https://wiki.xiph.org/MIME_Types_and_File_Extensions
+.ogv 01;35
+.ogx 01;35
+
+# audio formats
+.aac 01;36
+.au 01;36
+.flac 01;36
+.m4a 01;36
+.mid 01;36
+.midi 01;36
+.mka 01;36
+.mp3 01;36
+.mpc 01;36
+.ogg 01;36
+.ra 01;36
+.wav 01;36
+
+# https://wiki.xiph.org/MIME_Types_and_File_Extensions
+.oga 01;36
+.opus 01;36
+.spx 01;36
+.xspf 01;36
diff --git a/DIR_COLORS.256color b/DIR_COLORS.256color
new file mode 100644
index 0000000..241f6ab
--- /dev/null
+++ b/DIR_COLORS.256color
@@ -0,0 +1,202 @@ +# Configuration file for the 256color ls utility + +# This file goes in the /etc directory, and must be world readable. +# You can copy this file to .dir_colors in your $HOME directory to override +# the system defaults. + +# Configuration file for dircolors, a utility to help you set the +# LS_COLORS environment variable used by GNU ls with the --color option. + +# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copying and distribution of this file, with or without modification, +# are permitted provided the copyright notice and this notice are preserved. + +# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the +# slackware version of dircolors) are recognized but ignored. + +# For compatibility, the pattern "^COLOR.*none" is recognized as a way to +# disable colorization. See https://bugzilla.redhat.com/1349579 for details. + +# Below are TERM entries, which can be a glob patterns, to match +# against the TERM environment variable to determine if it is colorizable. +TERM *256color* +TERM rxvt-unicode256 + +# Below are the color init strings for the basic file types. A color init +# string consists of one or more of the following numeric codes: +# Attribute codes: +# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed +# Text color codes: +# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white +# Background color codes: +# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white +# Text color(256 colors mode) codes: +# Valid syntax for text 256color is 38;5; , where color number +# is number between 0 and 255. +# You may find following command useful to search the best one for you: +# for ((x=0; x<=255; x++));do echo -e "${x}:\033[38;5;${x}mcolor\033[000m";done +# Background color(256 colors mode) codes: +# Valid syntax for background 256color is 48;5; , where +# color number is number between 0 and 255. 
+# You may find following command useful to search the best one for you: +# for ((x=0; x<=255; x++));do echo -e "${x}:\033[48;5;${x}mcolor\033[000m";done + +#NORMAL 00 # no color code at all +#FILE 00 # regular file: use no color at all +RESET 0 # reset to "normal" color +DIR 38;5;33 # directory +LINK 38;5;51 # symbolic link. (If you set this to 'target' instead of a + # numerical value, the color is as for the file pointed to.) +MULTIHARDLINK 00 # regular file with more than one link +FIFO 40;38;5;11 # pipe +SOCK 38;5;13 # socket +DOOR 38;5;5 # door +BLK 48;5;232;38;5;11 # block device driver +CHR 48;5;232;38;5;3 # character device driver +ORPHAN 48;5;232;38;5;9 # symlink to nonexistent file, or non-stat'able file ... +MISSING 01;05;37;41 # ... and the files they point to +SETUID 48;5;196;38;5;15 # file that is setuid (u+s) +SETGID 48;5;11;38;5;16 # file that is setgid (g+s) +CAPABILITY 48;5;196;38;5;226 # file with capability +STICKY_OTHER_WRITABLE 48;5;10;38;5;16 # dir that is sticky and other-writable (+t,o+w) +OTHER_WRITABLE 48;5;10;38;5;21 # dir that is other-writable (o+w) and not sticky +STICKY 48;5;21;38;5;15 # dir with the sticky bit set (+t) and not other-writable + +# This is for files with execute permission: +EXEC 38;5;40 + +# List any file extensions like '.gz' or '.tar' that you would like ls +# to colorize below. Put the extension, a space, and the color init string. +# (and any comments you want to add after a '#') + +# If you use DOS-style suffixes, you may want to uncomment the following: +#.cmd 01;32 # executables (bright green) +#.exe 01;32 +#.com 01;32 +#.btm 01;32 +#.bat 01;32 +# Or if you want to colorize scripts even if they do not have the +# executable bit actually set. 
+#.sh 01;32 +#.csh 01;32 + + # archives or compressed (bright red) +.tar 38;5;9 +.tgz 38;5;9 +.arc 38;5;9 +.arj 38;5;9 +.taz 38;5;9 +.lha 38;5;9 +.lz4 38;5;9 +.lzh 38;5;9 +.lzma 38;5;9 +.tlz 38;5;9 +.txz 38;5;9 +.tzo 38;5;9 +.t7z 38;5;9 +.zip 38;5;9 +.z 38;5;9 +.dz 38;5;9 +.gz 38;5;9 +.lrz 38;5;9 +.lz 38;5;9 +.lzo 38;5;9 +.xz 38;5;9 +.zst 38;5;9 +.tzst 38;5;9 +.bz2 38;5;9 +.bz 38;5;9 +.tbz 38;5;9 +.tbz2 38;5;9 +.tz 38;5;9 +.deb 38;5;9 +.rpm 38;5;9 +.jar 38;5;9 +.war 38;5;9 +.ear 38;5;9 +.sar 38;5;9 +.rar 38;5;9 +.alz 38;5;9 +.ace 38;5;9 +.zoo 38;5;9 +.cpio 38;5;9 +.7z 38;5;9 +.rz 38;5;9 +.cab 38;5;9 +.wim 38;5;9 +.swm 38;5;9 +.dwm 38;5;9 +.esd 38;5;9 + +# image formats +.jpg 38;5;13 +.jpeg 38;5;13 +.mjpg 38;5;13 +.mjpeg 38;5;13 +.gif 38;5;13 +.bmp 38;5;13 +.pbm 38;5;13 +.pgm 38;5;13 +.ppm 38;5;13 +.tga 38;5;13 +.xbm 38;5;13 +.xpm 38;5;13 +.tif 38;5;13 +.tiff 38;5;13 +.png 38;5;13 +.svg 38;5;13 +.svgz 38;5;13 +.mng 38;5;13 +.pcx 38;5;13 +.mov 38;5;13 +.mpg 38;5;13 +.mpeg 38;5;13 +.m2v 38;5;13 +.mkv 38;5;13 +.webm 38;5;13 +.ogm 38;5;13 +.mp4 38;5;13 +.m4v 38;5;13 +.mp4v 38;5;13 +.vob 38;5;13 +.qt 38;5;13 +.nuv 38;5;13 +.wmv 38;5;13 +.asf 38;5;13 +.rm 38;5;13 +.rmvb 38;5;13 +.flc 38;5;13 +.avi 38;5;13 +.fli 38;5;13 +.flv 38;5;13 +.gl 38;5;13 +.dl 38;5;13 +.xcf 38;5;13 +.xwd 38;5;13 +.yuv 38;5;13 +.cgm 38;5;13 +.emf 38;5;13 + +# https://wiki.xiph.org/MIME_Types_and_File_Extensions +.ogv 38;5;13 +.ogx 38;5;13 + +# audio formats +.aac 38;5;45 +.au 38;5;45 +.flac 38;5;45 +.m4a 38;5;45 +.mid 38;5;45 +.midi 38;5;45 +.mka 38;5;45 +.mp3 38;5;45 +.mpc 38;5;45 +.ogg 38;5;45 +.ra 38;5;45 +.wav 38;5;45 + +# https://wiki.xiph.org/MIME_Types_and_File_Extensions +.oga 38;5;45 +.opus 38;5;45 +.spx 38;5;45 +.xspf 38;5;45 diff --git a/DIR_COLORS.lightbgcolor b/DIR_COLORS.lightbgcolor new file mode 100644 index 0000000..86e9ca5 --- /dev/null +++ b/DIR_COLORS.lightbgcolor 
@@ -0,0 +1,213 @@ +# Configuration file for the color ls utility - modified for lighter backgrounds + +# This file goes in the /etc directory, and must be world readable. +# You can copy this file to .dir_colors in your $HOME directory to override +# the system defaults. + +# Configuration file for dircolors, a utility to help you set the +# LS_COLORS environment variable used by GNU ls with the --color option. + +# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copying and distribution of this file, with or without modification, +# are permitted provided the copyright notice and this notice are preserved. + +# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the +# slackware version of dircolors) are recognized but ignored. + +# For compatibility, the pattern "^COLOR.*none" is recognized as a way to +# disable colorization. See https://bugzilla.redhat.com/1349579 for details. + +# Below are TERM entries, which can be a glob patterns, to match +# against the TERM environment variable to determine if it is colorizable. +TERM Eterm +TERM ansi +TERM *color* +TERM con[0-9]*x[0-9]* +TERM cons25 +TERM console +TERM cygwin +TERM dtterm +TERM gnome +TERM hurd +TERM jfbterm +TERM konsole +TERM kterm +TERM linux +TERM linux-c +TERM mlterm +TERM putty +TERM rxvt* +TERM screen* +TERM st +TERM terminator +TERM tmux* +TERM vt100 +TERM xterm* + +# Below are the color init strings for the basic file types. A color init +# string consists of one or more of the following numeric codes: +# Attribute codes: +# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed +# Text color codes: +# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white +# Background color codes: +# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white +#NORMAL 00 # no color code at all +#FILE 00 # regular file: use no color at all +RESET 0 # reset to "normal" color +DIR 00;34 # directory +LINK 00;36 # symbolic link. 
(If you set this to 'target' instead of a + # numerical value, the color is as for the file pointed to.) +MULTIHARDLINK 00 # regular file with more than one link +FIFO 40;33 # pipe +SOCK 00;35 # socket +DOOR 00;35 # door +BLK 40;33;01 # block device driver +CHR 40;33;01 # character device driver +ORPHAN 40;31;01 # symlink to nonexistent file, or non-stat'able file ... +MISSING 01;05;37;41 # ... and the files they point to +SETUID 37;41 # file that is setuid (u+s) +SETGID 30;43 # file that is setgid (g+s) +CAPABILITY 30;41 # file with capability +STICKY_OTHER_WRITABLE 30;42 # dir that is sticky and other-writable (+t,o+w) +OTHER_WRITABLE 34;42 # dir that is other-writable (o+w) and not sticky +STICKY 37;44 # dir with the sticky bit set (+t) and not other-writable + +# This is for files with execute permission: +EXEC 00;32 + +# List any file extensions like '.gz' or '.tar' that you would like ls +# to colorize below. Put the extension, a space, and the color init string. +# (and any comments you want to add after a '#') + +# If you use DOS-style suffixes, you may want to uncomment the following: +#.cmd 01;32 # executables (bright green) +#.exe 01;32 +#.com 01;32 +#.btm 01;32 +#.bat 01;32 +# Or if you want to colorize scripts even if they do not have the +# executable bit actually set. 
+#.sh 01;32 +#.csh 01;32 + + # archives or compressed (bright red) +.tar 00;31 +.tgz 00;31 +.arc 00;31 +.arj 00;31 +.taz 00;31 +.lha 00;31 +.lz4 00;31 +.lzh 00;31 +.lzma 00;31 +.tlz 00;31 +.txz 00;31 +.tzo 00;31 +.t7z 00;31 +.zip 00;31 +.z 00;31 +.dz 00;31 +.gz 00;31 +.lrz 00;31 +.lz 00;31 +.lzo 00;31 +.xz 00;31 +.zst 00;31 +.tzst 00;31 +.bz2 00;31 +.bz 00;31 +.tbz 00;31 +.tbz2 00;31 +.tz 00;31 +.deb 00;31 +.rpm 00;31 +.jar 00;31 +.war 00;31 +.ear 00;31 +.sar 00;31 +.rar 00;31 +.alz 00;31 +.ace 00;31 +.zoo 00;31 +.cpio 00;31 +.7z 00;31 +.rz 00;31 +.cab 00;31 +.wim 00;31 +.swm 00;31 +.dwm 00;31 +.esd 00;31 + +# image formats +.jpg 00;35 +.jpeg 00;35 +.mjpg 00;35 +.mjpeg 00;35 +.gif 00;35 +.bmp 00;35 +.pbm 00;35 +.pgm 00;35 +.ppm 00;35 +.tga 00;35 +.xbm 00;35 +.xpm 00;35 +.tif 00;35 +.tiff 00;35 +.png 00;35 +.svg 00;35 +.svgz 00;35 +.mng 00;35 +.pcx 00;35 +.mov 00;35 +.mpg 00;35 +.mpeg 00;35 +.m2v 00;35 +.mkv 00;35 +.webm 00;35 +.ogm 00;35 +.mp4 00;35 +.m4v 00;35 +.mp4v 00;35 +.vob 00;35 +.qt 00;35 +.nuv 00;35 +.wmv 00;35 +.asf 00;35 +.rm 00;35 +.rmvb 00;35 +.flc 00;35 +.avi 00;35 +.fli 00;35 +.flv 00;35 +.gl 00;35 +.dl 00;35 +.xcf 00;35 +.xwd 00;35 +.yuv 00;35 +.cgm 00;35 +.emf 00;35 + +# https://wiki.xiph.org/MIME_Types_and_File_Extensions +.ogv 00;35 +.ogx 00;35 + +# audio formats +.aac 00;36 +.au 00;36 +.flac 00;36 +.m4a 00;36 +.mid 00;36 +.midi 00;36 +.mka 00;36 +.mp3 00;36 +.mpc 00;36 +.ogg 00;36 +.ra 00;36 +.wav 00;36 + +# https://wiki.xiph.org/MIME_Types_and_File_Extensions +.oga 00;36 +.opus 00;36 +.spx 00;36 +.xspf 00;36 diff --git a/GREP_COLORS b/GREP_COLORS new file mode 100644 index 0000000..1ef53a6 --- /dev/null +++ b/GREP_COLORS @@ -0,0 +1,4 @@ +# Configuration file for the color grep utility + +# 'none' shuts colorization off. +#COLOR none diff --git a/ImageMagick-6/coder.xml b/ImageMagick-6/coder.xml new file mode 100644 index 0000000..4d2394f --- /dev/null +++ b/ImageMagick-6/coder.xml @@ -0,0 +1,23 @@ + + + + + +]> + + + + + + 
diff --git a/ImageMagick-6/colors.xml b/ImageMagick-6/colors.xml new file mode 100644 index 0000000..55bfb5d --- /dev/null +++ b/ImageMagick-6/colors.xml @@ -0,0 +1,28 @@ + + + + + + +]> + + + + + + + + + + + + diff --git a/ImageMagick-6/delegates.xml b/ImageMagick-6/delegates.xml new file mode 100644 index 0000000..00a47fb --- /dev/null +++ b/ImageMagick-6/delegates.xml @@ -0,0 +1,123 @@ + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ImageMagick-6/log.xml b/ImageMagick-6/log.xml new file mode 100644 index 0000000..8a29099 --- /dev/null +++ b/ImageMagick-6/log.xml @@ -0,0 +1,80 @@ + + + + + + + + + +]> + + + + + + + + + diff --git a/ImageMagick-6/magic.xml b/ImageMagick-6/magic.xml new file mode 100644 index 0000000..7f17731 --- /dev/null +++ b/ImageMagick-6/magic.xml @@ -0,0 +1,23 @@ + + + + + + +]> + + + + + + + diff --git a/ImageMagick-6/mime.xml b/ImageMagick-6/mime.xml new file mode 100644 index 0000000..9530fc8 --- /dev/null +++ b/ImageMagick-6/mime.xml 
@@ -0,0 +1,1145 @@ + + + + + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ImageMagick-6/policy.xml b/ImageMagick-6/policy.xml new file mode 100644 index 0000000..8083d3d --- /dev/null +++ b/ImageMagick-6/policy.xml @@ -0,0 +1,78 @@ + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ImageMagick-6/quantization-table.xml b/ImageMagick-6/quantization-table.xml new file mode 100644 index 0000000..fb71874 --- /dev/null +++ b/ImageMagick-6/quantization-table.xml @@ -0,0 +1,68 @@ + + + + + + + + + + + + + + +]> + + + + Luma Quantization Table + + 16, 16, 16, 18, 25, 37, 56, 85, + 16, 17, 20, 27, 34, 40, 53, 75, + 16, 20, 24, 31, 43, 62, 91, 135, + 18, 27, 31, 40, 53, 74, 106, 156, + 25, 34, 43, 53, 69, 94, 131, 189, + 37, 40, 62, 74, 94, 124, 169, 238, + 56, 53, 91, 106, 131, 169, 226, 311, + 85, 75, 135, 156, 189, 238, 311, 418 + +
+ +
+ diff --git a/ImageMagick-6/thresholds.xml b/ImageMagick-6/thresholds.xml new file mode 100644 index 0000000..02b96a8 --- /dev/null +++ b/ImageMagick-6/thresholds.xml 
@@ -0,0 +1,336 @@ + + + + + + + + + +]> + + + + + + Threshold 1x1 (non-dither) + + 1 + + + + + Checkerboard 2x1 (dither) + + 1 2 + 2 1 + + + + + + Ordered 2x2 (dispersed) + + 1 3 + 4 2 + + + + + Ordered 3x3 (dispersed) + + 3 7 4 + 6 1 9 + 2 8 5 + + + + + + Ordered 4x4 (dispersed) + + 1 9 3 11 + 13 5 15 7 + 4 12 2 10 + 16 8 14 6 + + + + + + Ordered 8x8 (dispersed) + + 1 49 13 61 4 52 16 64 + 33 17 45 29 36 20 48 32 + 9 57 5 53 12 60 8 56 + 41 25 37 21 44 28 40 24 + 3 51 15 63 2 50 14 62 + 35 19 47 31 34 18 46 30 + 11 59 7 55 10 58 6 54 + 43 27 39 23 42 26 38 22 + + + + + + Halftone 4x4 (angled) + + 4 2 7 5 + 3 1 8 6 + 7 5 4 2 + 8 6 3 1 + + + + + Halftone 6x6 (angled) + + 14 13 10 8 2 3 + 16 18 12 7 1 4 + 15 17 11 9 6 5 + 8 2 3 14 13 10 + 7 1 4 16 18 12 + 9 6 5 15 17 11 + + + + + Halftone 8x8 (angled) + + 13 7 8 14 17 21 22 18 + 6 1 3 9 28 31 29 23 + 5 2 4 10 27 32 30 24 + 16 12 11 15 20 26 25 19 + 17 21 22 18 13 7 8 14 + 28 31 29 23 6 1 3 9 + 27 32 30 24 5 2 4 10 + 20 26 25 19 16 12 11 15 + + + + + + Halftone 4x4 (orthogonal) + + 7 13 11 4 + 12 16 14 8 + 10 15 6 2 + 5 9 3 1 + + + + + Halftone 6x6 (orthogonal) + + 7 17 27 14 9 4 + 21 29 33 31 18 11 + 24 32 36 34 25 22 + 19 30 35 28 20 10 + 8 15 26 16 6 2 + 5 13 23 12 3 1 + + + + + Halftone 8x8 (orthogonal) + + 7 21 33 43 36 19 9 4 + 16 27 51 55 49 29 14 11 + 31 47 57 61 59 45 35 23 + 41 53 60 64 62 52 40 38 + 37 44 58 63 56 46 30 22 + 15 28 48 54 50 26 17 10 + 8 18 34 42 32 20 6 2 + 5 13 25 39 24 12 3 1 + + + + + + Halftone 16x16 (orthogonal) + + 4 12 24 44 72 100 136 152 150 134 98 70 42 23 11 3 + 7 16 32 52 76 104 144 160 158 142 102 74 50 31 15 6 + 19 27 40 60 92 132 168 180 178 166 130 90 58 39 26 18 + 36 48 56 80 124 176 188 204 203 187 175 122 79 55 47 35 + 64 68 84 116 164 200 212 224 223 211 199 162 114 83 67 63 + 88 96 112 156 192 216 232 240 239 231 214 190 154 111 95 87 + 108 120 148 184 208 228 244 252 251 243 226 206 182 147 119 107 + 128 140 172 196 219 235 247 256 255 246 234 218 194 171 139 127 + 126 
138 170 195 220 236 248 253 254 245 233 217 193 169 137 125 + 106 118 146 183 207 227 242 249 250 241 225 205 181 145 117 105 + 86 94 110 155 191 215 229 238 237 230 213 189 153 109 93 85 + 62 66 82 115 163 198 210 221 222 209 197 161 113 81 65 61 + 34 46 54 78 123 174 186 202 201 185 173 121 77 53 45 33 + 20 28 37 59 91 131 167 179 177 165 129 89 57 38 25 17 + 8 13 29 51 75 103 143 159 157 141 101 73 49 30 14 5 + 1 9 21 43 71 99 135 151 149 133 97 69 41 22 10 2 + + + + + + + Circles 5x5 (black) + + 1 21 16 15 4 + 5 17 20 19 14 + 6 21 25 24 12 + 7 18 22 23 11 + 2 8 9 10 3 + + + + + + Circles 5x5 (white) + + 25 21 10 11 22 + 20 9 6 7 12 + 19 5 1 2 13 + 18 8 4 3 14 + 24 17 16 15 23 + + + + + Circles 6x6 (black) + + 1 5 14 13 12 4 + 6 22 28 27 21 11 + 15 29 35 34 26 20 + 16 30 36 33 25 19 + 7 23 31 32 24 10 + 2 8 17 18 9 3 + + + + + Circles 6x6 (white) + + 36 32 23 24 25 33 + 31 15 9 10 16 26 + 22 8 2 3 11 17 + 21 7 1 4 12 18 + 30 14 6 5 13 27 + 35 29 20 19 28 34 + + + + + Circles 7x7 (black) + + 3 9 18 28 17 8 2 + 10 24 33 39 32 23 7 + 19 34 44 48 43 31 16 + 25 40 45 49 47 38 27 + 20 35 41 46 42 29 15 + 11 21 36 37 28 22 6 + 4 12 13 26 14 5 1 + + + + + + Circles 7x7 (white) + + 47 41 32 22 33 42 48 + 40 26 17 11 18 27 43 + 31 16 6 2 7 19 34 + 25 10 5 1 3 12 23 + 30 15 9 4 8 20 35 + 39 29 14 13 21 28 44 + 46 38 37 24 36 45 49 + + + + + + + diff --git a/ImageMagick-6/type-apple.xml b/ImageMagick-6/type-apple.xml new file mode 100644 index 0000000..57fe9d1 --- /dev/null +++ b/ImageMagick-6/type-apple.xml @@ -0,0 +1,1367 @@ + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/ImageMagick-6/type-dejavu.xml b/ImageMagick-6/type-dejavu.xml new file mode 100644 index 0000000..29b3c20 --- /dev/null +++ b/ImageMagick-6/type-dejavu.xml @@ -0,0 +1,58 @@ + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ImageMagick-6/type-ghostscript.xml b/ImageMagick-6/type-ghostscript.xml new file mode 100644 index 0000000..6a8b715 --- /dev/null +++ b/ImageMagick-6/type-ghostscript.xml @@ -0,0 +1,50 @@ + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ImageMagick-6/type-urw-base35.xml b/ImageMagick-6/type-urw-base35.xml new file mode 100644 index 0000000..7702481 --- /dev/null +++ b/ImageMagick-6/type-urw-base35.xml @@ -0,0 +1,50 @@ + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ImageMagick-6/type-windows.xml b/ImageMagick-6/type-windows.xml new file mode 100644 index 0000000..621eec4 --- /dev/null +++ b/ImageMagick-6/type-windows.xml @@ -0,0 +1,105 @@ + + + + + + + + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ImageMagick-6/type.xml b/ImageMagick-6/type.xml new file mode 100644 index 0000000..464cacc --- /dev/null +++ b/ImageMagick-6/type.xml @@ -0,0 +1,17 @@ + + + + + +]> + + + + diff --git a/NetworkManager/NetworkManager.conf b/NetworkManager/NetworkManager.conf new file mode 100644 index 0000000..6ee4797 --- /dev/null +++ b/NetworkManager/NetworkManager.conf 
@@ -0,0 +1,50 @@ +# Configuration file for NetworkManager. +# +# See "man 5 NetworkManager.conf" for details. +# +# The directories /usr/lib/NetworkManager/conf.d/ and /run/NetworkManager/conf.d/ +# can contain additional configuration snippets installed by packages. These files are +# read before NetworkManager.conf and have thus lowest priority. +# The directory /etc/NetworkManager/conf.d/ can contain additional configuration +# snippets. Those snippets are merged last and overwrite the settings from this main +# file. +# +# The files within one conf.d/ directory are read in asciibetical order. +# +# If /etc/NetworkManager/conf.d/ contains a file with the same name as +# /usr/lib/NetworkManager/conf.d/, the latter file is shadowed and thus ignored. +# Hence, to disable loading a file from /usr/lib/NetworkManager/conf.d/ you can +# put an empty file to /etc with the same name. The same applies with respect +# to the directory /run/NetworkManager/conf.d where files in /run shadow +# /usr/lib and are themselves shadowed by files under /etc. +# +# If two files define the same key, the one that is read afterwards will overwrite +# the previous one. + +[main] +#plugins=ifcfg-rh + + +[logging] +# When debugging NetworkManager, enabling debug logging is of great help. +# +# Logfiles contain no passwords and little sensitive information. But please +# check before posting the file online. You can also personally hand over the +# logfile to a NM developer to treat it confidential. Meet us on #nm on freenode. +# Please post full logfiles except minimal modifications of private data. +# +# You can also change the log-level at runtime via +# $ nmcli general logging level TRACE domains ALL +# However, usually it's cleaner to enable debug logging +# in the configuration and restart NetworkManager so that +# debug logging is enabled from the start. 
+#
+# You will find the logfiles in syslog, for example via
+# $ journalctl -u NetworkManager
+#
+# Note that debug logging of NetworkManager can be quite verbose. Some messages
+# might be rate-limited by the logging daemon (see RateLimitIntervalSec, RateLimitBurst
+# in man journald.conf). Please disable rate-limiting before collecting debug logs.
+#
+#level=TRACE
+#domains=ALL
diff --git a/NetworkManager/dispatcher.d/11-dhclient b/NetworkManager/dispatcher.d/11-dhclient
new file mode 100755
index 0000000..8bd0c75
--- /dev/null
+++ b/NetworkManager/dispatcher.d/11-dhclient
@@ -0,0 +1,37 @@
+#!/bin/bash
+# run dhclient.d scripts in an emulated environment
+
+PATH=/bin:/usr/bin:/sbin
+ETCDIR=/etc/dhcp
+SAVEDIR=/var/lib/dhclient
+interface=$1
+
+for optname in "${!DHCP4_@}"; do
+ newoptname=${optname,,};
+ newoptname=new_${newoptname#dhcp4_};
+ export "${newoptname}"="${!optname}";
+done
+
+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
+ . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
+
+if [ -d $ETCDIR/dhclient.d ]; then
+ for f in $ETCDIR/dhclient.d/*.sh; do
+ if [ -x "${f}" ]; then
+ subsystem="${f%.sh}"
+ subsystem="${subsystem##*/}"
+ . "${f}"
+ if [ "$2" = "up" ]; then
+ "${subsystem}_config"
+ elif [ "$2" = "dhcp4-change" ]; then
+ if [ "$subsystem" = "chrony" -o "$subsystem" = "ntp" ]; then
+ "${subsystem}_config"
+ fi
+ elif [ "$2" = "down" ]; then
+ "${subsystem}_restore"
+ fi
+ fi
+ done
+fi
diff --git a/NetworkManager/dispatcher.d/20-chrony b/NetworkManager/dispatcher.d/20-chrony
new file mode 100755
index 0000000..0b0c3e7
--- /dev/null
+++ b/NetworkManager/dispatcher.d/20-chrony
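Review bot: The calls `"${subsystem}_config"` and `"${subsystem}_restore"` in the `dhclient.d` loop run a name built from the hook's file name without checking that sourcing the file actually defined that function, so a hook lacking it makes the dispatcher, which presumably runs as root, look the name up as an ordinary command on `PATH`. I would guard each call, for example `declare -F "${subsystem}_config" >/dev/null && "${subsystem}_config"`, and the same for `_restore`. The export loop above it also deserves a comment such as `# new_* values come from the DHCP server; hooks must treat them as untrusted input`, since every executable `*.sh` in that directory is sourced with those values in its environment. The `-o` inside `[ ... ]` is obsolescent and could become two tests joined with `||`.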
@@ -0,0 +1,15 @@
+#!/bin/sh
+# This is a NetworkManager dispatcher / networkd-dispatcher script for
+# chronyd to set its NTP sources online or offline when a network interface
+# is configured or removed
+
+export LC_ALL=C
+
+# For NetworkManager consider only up/down events
+[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
+
+# Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
+
+chronyc onoffline > /dev/null 2>&1
+
+exit 0
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..677bb04
--- /dev/null
+++ b/README.md
@@ -0,0 +1,2 @@
+# zira
+
diff --git a/X11/fontpath.d/xorg-x11-fonts-100dpi:unscaled:pri=30 b/X11/fontpath.d/xorg-x11-fonts-100dpi:unscaled:pri=30
new file mode 120000
index 0000000..a6e10db
--- /dev/null
+++ b/X11/fontpath.d/xorg-x11-fonts-100dpi:unscaled:pri=30
@@ -0,0 +1 @@
+/usr/share/X11/fonts/100dpi
\ No newline at end of file
diff --git a/X11/fontpath.d/xorg-x11-fonts-Type1 b/X11/fontpath.d/xorg-x11-fonts-Type1
new file mode 120000
index 0000000..e0f28c7
--- /dev/null
+++ b/X11/fontpath.d/xorg-x11-fonts-Type1
@@ -0,0 +1 @@
+/usr/share/X11/fonts/Type1
\ No newline at end of file
diff --git a/X11/xinit/xinitrc.d/10-qt5-check-opengl2.sh b/X11/xinit/xinitrc.d/10-qt5-check-opengl2.sh
new file mode 100755
index 0000000..57071d4
--- /dev/null
+++ b/X11/xinit/xinitrc.d/10-qt5-check-opengl2.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+if [ -z "$QT_XCB_FORCE_SOFTWARE_OPENGL" ]; then
+
+QT5_CHECK_OPENGL_VERSION=`LANG=C glxinfo 2> /dev/null | grep '^OpenGL version string: ' | head -n 1 | sed -e 's/^OpenGL version string: \([0-9]\).*$/\1/g'` ||:
+
+if [ "$QT5_CHECK_OPENGL_VERSION" == "1" ]; then
+ QT_XCB_FORCE_SOFTWARE_OPENGL=1
+ export QT_XCB_FORCE_SOFTWARE_OPENGL
+fi
+
+unset QT5_CHECK_OPENGL_VERSION
+
+fi
diff --git a/X11/xinit/xinitrc.d/50-systemd-user.sh b/X11/xinit/xinitrc.d/50-systemd-user.sh
new file mode 100755
index 0000000..5588185
--- /dev/null
+++ b/X11/xinit/xinitrc.d/50-systemd-user.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+systemctl --user import-environment DISPLAY XAUTHORITY
+
+if command -v dbus-update-activation-environment >/dev/null 2>&1; then
+ dbus-update-activation-environment DISPLAY XAUTHORITY
+fi
diff --git a/aide.conf b/aide.conf
new file mode 100644
index 0000000..af4b2d3
--- /dev/null
+++ b/aide.conf
@@ -0,0 +1,321 @@ +# Example configuration file for AIDE. + +@@define DBDIR /var/lib/aide +@@define LOGDIR /var/log/aide + +# The location of the database to be read. +database=file:@@{DBDIR}/aide.db.gz + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.new.gz + +# Whether to gzip the output to database +gzip_dbout=yes + +# Default. +verbose=5 + +report_url=file:@@{LOGDIR}/aide.log +report_url=stdout +#report_url=stderr +#NOT IMPLEMENTED report_url=mailto:root@foo.com +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH + +# These are the default rules. +# +#p: permissions +#i: inode: +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#acl: Access Control Lists +#selinux SELinux security context +#xattrs: Extended file attributes +#md5: md5 checksum +#sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum + +#haval: haval checksum (MHASH only) +#gost: gost checksum (MHASH only) +#crc32: crc32 checksum (MHASH only) +#whirlpool: whirlpool checksum (MHASH only) + +#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 +#L: p+i+n+u+g+acl+selinux+xattrs +#E: Empty group +#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs + +# You can create custom rules like this. +# With MHASH... +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger +# Everything but access time (Ie. all changes) +EVERYTHING = R+ALLXTRAHASHES + +# Sane +# NORMAL = R+sha512 +NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 + +# For directories, don't bother doing hashes +DIR = p+i+n+u+g+acl+selinux+xattrs + +# Access control only +PERMS = p+u+g+acl+selinux+xattrs + +# Logfile are special, in that they often change +LOG = p+u+g+n+S+acl+selinux+xattrs + +# Content + file type. 
+CONTENT = sha512+ftype + +# Extended content + file type + access. +CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 + +# Next decide what directories/files you want in the database. + +/boot CONTENT_EX +/opt CONTENT + +# Admins dot files constantly change, just check perms +/root/\..* PERMS +# Otherwise get all of /root. +/root CONTENT_EX + +# These are too volatile +!/usr/src +!/usr/tmp + +# Otherwise get all of /usr. +/usr CONTENT_EX + +# trusted databases +/etc/hosts$ CONTENT_EX +/etc/host.conf$ CONTENT_EX +/etc/hostname$ CONTENT_EX +/etc/issue$ CONTENT_EX +/etc/issue.net$ CONTENT_EX +/etc/protocols$ CONTENT_EX +/etc/services$ CONTENT_EX +/etc/localtime$ CONTENT_EX +/etc/alternatives CONTENT_EX +/etc/sysconfig CONTENT_EX +/etc/mime.types$ CONTENT_EX +/etc/terminfo CONTENT_EX +/etc/exports$ CONTENT_EX +/etc/fstab$ CONTENT_EX +/etc/passwd$ CONTENT_EX +/etc/group$ CONTENT_EX +/etc/gshadow$ CONTENT_EX +/etc/shadow$ CONTENT_EX +/etc/subgid$ CONTENT_EX +/etc/subuid$ CONTENT_EX +/etc/security/opasswd$ CONTENT_EX +/etc/skel CONTENT_EX +/etc/subuid$ CONTENT_EX +/etc/subgid$ CONTENT_EX +/etc/sssd CONTENT_EX +/etc/machine-id$ CONTENT_EX +/etc/swid CONTENT_EX +/etc/system-release-cpe$ CONTENT_EX +/etc/shells$ CONTENT_EX +/etc/tmux.conf$ CONTENT_EX +/etc/xattr.conf$ CONTENT_EX + + +# networking +/etc/hosts.allow$ CONTENT_EX +/etc/hosts.deny$ CONTENT_EX +/etc/firewalld CONTENT_EX +!/etc/NetworkManager/system-connections +/etc/NetworkManager CONTENT_EX +/etc/networks$ CONTENT_EX +/etc/dhcp CONTENT_EX +/etc/wpa_supplicant CONTENT_EX +/etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ CONTENT_EX + +# logins and accounts +/etc/login.defs$ CONTENT_EX +/etc/libuser.conf$ CONTENT_EX +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock PERMS +/etc/pam.d CONTENT_EX +/etc/security CONTENT_EX 
+/etc/securetty$ CONTENT_EX +/etc/polkit-1 CONTENT_EX +/etc/sudo.conf$ CONTENT_EX +/etc/sudoers$ CONTENT_EX +/etc/sudoers.d CONTENT_EX + +# Shell/X startup files +/etc/profile$ CONTENT_EX +/etc/profile.d CONTENT_EX +/etc/bashrc$ CONTENT_EX +/etc/bash_completion.d CONTENT_EX +/etc/zprofile$ CONTENT_EX +/etc/zshrc$ CONTENT_EX +/etc/zlogin$ CONTENT_EX +/etc/zlogout$ CONTENT_EX +/etc/X11 CONTENT_EX + +# Pkg manager +/etc/dnf CONTENT_EX +/etc/yum.conf$ CONTENT_EX +/etc/yum CONTENT_EX +/etc/yum.repos.d CONTENT_EX + +# This gets new/removes-old filenames daily +!/var/log/sa +# As we are checking it, we've truncated yesterdays size to zero. +!/var/log/aide.log + +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit PERMS +/etc/audit CONTENT_EX +/etc/libaudit.conf$ CONTENT_EX +/etc/aide.conf$ CONTENT_EX + +# System logs +/etc/rsyslog.conf$ CONTENT_EX +/etc/rsyslog.d CONTENT_EX +/etc/logrotate.conf$ CONTENT_EX +/etc/logrotate.d CONTENT_EX +/etc/systemd/journald.conf$ CONTENT_EX +/var/log LOG+ANF+ARF +/var/run/utmp LOG + +# secrets +/etc/pkcs11 CONTENT_EX +/etc/pki CONTENT_EX +/etc/crypto-policies CONTENT_EX +/etc/certmonger CONTENT_EX +/var/lib/systemd/random-seed$ PERMS + +# init system +/etc/systemd CONTENT_EX +/etc/rc.d CONTENT_EX +/etc/tmpfiles.d CONTENT_EX + +# boot config +/etc/default CONTENT_EX +/etc/grub.d CONTENT_EX +/etc/dracut.conf$ CONTENT_EX +/etc/dracut.conf.d CONTENT_EX + +# glibc linker +/etc/ld.so.cache$ CONTENT_EX +/etc/ld.so.conf$ CONTENT_EX +/etc/ld.so.conf.d CONTENT_EX +/etc/ld.so.preload$ CONTENT_EX + +# kernel config +/etc/sysctl.conf$ CONTENT_EX +/etc/sysctl.d CONTENT_EX +/etc/modprobe.d CONTENT_EX +/etc/modules-load.d CONTENT_EX +/etc/depmod.d CONTENT_EX +/etc/udev CONTENT_EX +/etc/crypttab$ CONTENT_EX + +#### Daemons #### + +# cron jobs +/var/spool/at CONTENT +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/var/spool/anacron CONTENT +/etc/anacrontab$ CONTENT_EX +/etc/cron.allow$ CONTENT_EX +/etc/cron.deny$ 
CONTENT_EX +/etc/cron.d CONTENT_EX +/etc/cron.daily CONTENT_EX +/etc/cron.hourly CONTENT_EX +/etc/cron.monthly CONTENT_EX +/etc/cron.weekly CONTENT_EX +/etc/crontab$ CONTENT_EX +/var/spool/cron/root CONTENT + +# time keeping +/etc/chrony.conf$ CONTENT_EX +/etc/chrony.keys$ CONTENT_EX + +# mail +/etc/aliases$ CONTENT_EX +/etc/aliases.db$ CONTENT_EX +/etc/postfix CONTENT_EX + +# ssh +/etc/ssh/sshd_config$ CONTENT_EX +/etc/ssh/ssh_config$ CONTENT_EX + +# stunnel +/etc/stunnel CONTENT_EX + +# printing +/etc/cups CONTENT_EX +/etc/cupshelpers CONTENT_EX +/etc/avahi CONTENT_EX + +# web server +/etc/httpd CONTENT_EX + +# dns +/etc/named CONTENT_EX +/etc/named.conf$ CONTENT_EX +/etc/named.iscdlv.key$ CONTENT_EX +/etc/named.rfc1912.zones$ CONTENT_EX +/etc/named.root.key$ CONTENT_EX + +# xinetd +/etc/xinetd.conf$ CONTENT_EX +/etc/xinetd.d CONTENT_EX + +# IPsec +/etc/ipsec.conf$ CONTENT_EX +/etc/ipsec.secrets$ CONTENT_EX +/etc/ipsec.d CONTENT_EX + +# USB guard +/etc/usbguard CONTENT_EX + +# Ignore some files +!/etc/mtab$ +!/etc/.*~ + +# Now everything else +/etc PERMS + + +# With AIDE's default verbosity level of 5, these would give lots of +# warnings upon tree traversal. It might change with future version. +# +#=/lost\+found DIR +#=/home DIR + +# Ditto /var/log/sa reason... +!/var/log/and-httpd + +# Admins dot files constantly change, just check perms +/root/\..* PERMS +!/root/.xauth* + +# Exclude folders +!/root/.* +!/opt/.* diff --git a/aliases b/aliases new file mode 100644 index 0000000..5d7b9e2 --- /dev/null +++ b/aliases 
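Review bot: The two excludes under `# Exclude folders` at the end of the file, `!/root/.*` and `!/opt/.*`, use an unescaped `.`, so as regular expressions they match every path below /root and /opt rather than only hidden entries. Because AIDE ignores whatever a negative selection line matches, this appears to cancel the `/root CONTENT_EX`, `/root/\..* PERMS` and `/opt CONTENT` rules earlier in the file, leaving the contents of both trees outside integrity monitoring. If the intent was to skip only dot-entries, escape the dot, `!/root/\..*` and `!/opt/\..*`. Even then the first of these would drop the PERMS check on root's dotfiles, so listing the specific volatile paths is the safer form, with a comment stating why each one is excluded.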
@@ -0,0 +1,97 @@
+#
+# Aliases in this file will NOT be expanded in the header from
+# Mail, but WILL be visible over networks or from /bin/mail.
+#
+# >>>>>>>>>> The program "newaliases" must be run after
+# >> NOTE >> this file is updated for any changes to
+# >>>>>>>>>> show through to sendmail.
+#
+
+# Basic system aliases -- these MUST be present.
+mailer-daemon: postmaster
+postmaster: root
+
+# General redirections for pseudo accounts.
+bin: root
+daemon: root
+adm: root
+lp: root
+sync: root
+shutdown: root
+halt: root
+mail: root
+news: root
+uucp: root
+operator: root
+games: root
+gopher: root
+ftp: root
+nobody: root
+radiusd: root
+nut: root
+dbus: root
+vcsa: root
+canna: root
+wnn: root
+rpm: root
+nscd: root
+pcap: root
+apache: root
+webalizer: root
+dovecot: root
+fax: root
+quagga: root
+radvd: root
+pvm: root
+amandabackup: root
+privoxy: root
+ident: root
+named: root
+xfs: root
+gdm: root
+mailnull: root
+postgres: root
+sshd: root
+smmsp: root
+postfix: root
+netdump: root
+ldap: root
+squid: root
+ntp: root
+mysql: root
+desktop: root
+rpcuser: root
+rpc: root
+nfsnobody: root
+pcp: root
+
+ingres: root
+system: root
+toor: root
+manager: root
+dumper: root
+abuse: root
+
+newsadm: news
+newsadmin: news
+usenet: news
+ftpadm: ftp
+ftpadmin: ftp
+ftp-adm: ftp
+ftp-admin: ftp
+www: webmaster
+webmaster: root
+noc: root
+security: root
+hostmaster: root
+info: postmaster
+marketing: postmaster
+sales: postmaster
+support: postmaster
+
+
+# trap decode to catch security attacks
+decode: root
+
+# Person who should get root's mail
+#root: marc
diff --git a/aliases.db b/aliases.db
new file mode 100644
index 0000000..4917640
Binary files /dev/null and b/aliases.db differ
diff --git a/alternatives/alt-java b/alternatives/alt-java
new file mode 120000
index 0000000..c21c515
--- /dev/null
+++ b/alternatives/alt-java
@@ -0,0 +1 @@
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/alt-java
\ No newline at end of file
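Review bot: In the `aliases` hunk the final entry `#root: marc` stays commented out, so `postmaster`, `abuse`, `security`, `hostmaster` and `noc` all end at the local root mailbox. Whether that mailbox is forwarded elsewhere (for example by a `.forward` file) is not visible in this hunk; if it is not, abuse and security reports plus cron and daemon mail for the pseudo accounts are only seen by someone who reads root's spool on the host. I would enable the last line with a monitored address, `root: <monitored-admin-mailbox>` (placeholder), and rerun `newaliases` as the file header requires, because the binary `aliases.db` added right after this hunk is the compiled copy and must match.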
diff --git a/alternatives/alt-java.1.gz b/alternatives/alt-java.1.gz new file mode 120000 index 0000000..700bf0d --- /dev/null +++ b/alternatives/alt-java.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/alt-java-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/cifs-idmap-plugin b/alternatives/cifs-idmap-plugin new file mode 120000 index 0000000..b301650 --- /dev/null +++ b/alternatives/cifs-idmap-plugin @@ -0,0 +1 @@ +/usr/lib64/cifs-utils/cifs_idmap_sss.so \ No newline at end of file diff --git a/alternatives/distribution_based_engine.json b/alternatives/distribution_based_engine.json new file mode 120000 index 0000000..2899ea1 --- /dev/null +++ b/alternatives/distribution_based_engine.json @@ -0,0 +1 @@ +/var/lib/docker-engine/distribution_based_engine-ce.json \ No newline at end of file diff --git a/alternatives/dockerd b/alternatives/dockerd new file mode 120000 index 0000000..91e5d1e --- /dev/null +++ b/alternatives/dockerd @@ -0,0 +1 @@ +/usr/bin/dockerd-ce \ No newline at end of file diff --git a/alternatives/easy_install-3 b/alternatives/easy_install-3 new file mode 120000 index 0000000..6e1d85b --- /dev/null +++ b/alternatives/easy_install-3 @@ -0,0 +1 @@ +/usr/bin/easy_install-3.6 \ No newline at end of file diff --git a/alternatives/ifdown b/alternatives/ifdown new file mode 120000 index 0000000..3c91979 --- /dev/null +++ b/alternatives/ifdown @@ -0,0 +1 @@ +/etc/sysconfig/network-scripts/ifdown \ No newline at end of file diff --git a/alternatives/ifup b/alternatives/ifup new file mode 120000 index 0000000..97f3a59 --- /dev/null +++ b/alternatives/ifup @@ -0,0 +1 @@ +/etc/sysconfig/network-scripts/ifup \ No newline at end of file diff --git a/alternatives/java b/alternatives/java new file mode 120000 index 0000000..2b69120 --- /dev/null +++ b/alternatives/java @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/java \ No newline at end of file 
diff --git a/alternatives/java.1.gz b/alternatives/java.1.gz new file mode 120000 index 0000000..129ff22 --- /dev/null +++ b/alternatives/java.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/jjs b/alternatives/jjs new file mode 120000 index 0000000..c9db1ea --- /dev/null +++ b/alternatives/jjs @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/jjs \ No newline at end of file diff --git a/alternatives/jjs.1.gz b/alternatives/jjs.1.gz new file mode 120000 index 0000000..2c228e5 --- /dev/null +++ b/alternatives/jjs.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/jre b/alternatives/jre new file mode 120000 index 0000000..66e10e4 --- /dev/null +++ b/alternatives/jre @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre \ No newline at end of file diff --git a/alternatives/jre_1.8.0 b/alternatives/jre_1.8.0 new file mode 120000 index 0000000..66e10e4 --- /dev/null +++ b/alternatives/jre_1.8.0 @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre \ No newline at end of file diff --git a/alternatives/jre_1.8.0_openjdk b/alternatives/jre_1.8.0_openjdk new file mode 120000 index 0000000..1bb90b6 --- /dev/null +++ b/alternatives/jre_1.8.0_openjdk @@ -0,0 +1 @@ +/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64 \ No newline at end of file diff --git a/alternatives/jre_openjdk b/alternatives/jre_openjdk new file mode 120000 index 0000000..66e10e4 --- /dev/null +++ b/alternatives/jre_openjdk @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre \ No newline at end of file diff --git a/alternatives/keytool b/alternatives/keytool new file mode 120000 index 0000000..8965e19 --- /dev/null +++ b/alternatives/keytool 
@@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/keytool \ No newline at end of file diff --git a/alternatives/keytool.1.gz b/alternatives/keytool.1.gz new file mode 120000 index 0000000..21a0cb6 --- /dev/null +++ b/alternatives/keytool.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/ld b/alternatives/ld new file mode 120000 index 0000000..08404ca --- /dev/null +++ b/alternatives/ld @@ -0,0 +1 @@ +/usr/bin/ld.bfd \ No newline at end of file diff --git a/alternatives/libnssckbi.so.x86_64 b/alternatives/libnssckbi.so.x86_64 new file mode 120000 index 0000000..c914916 --- /dev/null +++ b/alternatives/libnssckbi.so.x86_64 @@ -0,0 +1 @@ +/usr/lib64/pkcs11/p11-kit-trust.so \ No newline at end of file diff --git a/alternatives/module.1.gz b/alternatives/module.1.gz new file mode 120000 index 0000000..6474c97 --- /dev/null +++ b/alternatives/module.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/module-c.1.gz \ No newline at end of file diff --git a/alternatives/modulecmd b/alternatives/modulecmd new file mode 120000 index 0000000..9bc098f --- /dev/null +++ b/alternatives/modulecmd @@ -0,0 +1 @@ +/usr/share/Modules/libexec/modulecmd.tcl \ No newline at end of file diff --git a/alternatives/modulefile.4.gz b/alternatives/modulefile.4.gz new file mode 120000 index 0000000..f9011f5 --- /dev/null +++ b/alternatives/modulefile.4.gz @@ -0,0 +1 @@ +/usr/share/man/man4/modulefile-c.4.gz \ No newline at end of file diff --git a/alternatives/modules.csh b/alternatives/modules.csh new file mode 120000 index 0000000..34d0bc4 --- /dev/null +++ b/alternatives/modules.csh @@ -0,0 +1 @@ +/usr/share/Modules/init/profile.csh \ No newline at end of file diff --git a/alternatives/modules.sh b/alternatives/modules.sh new file mode 120000 index 0000000..74d03a2 --- /dev/null +++ b/alternatives/modules.sh 
@@ -0,0 +1 @@ +/usr/share/Modules/init/profile.sh \ No newline at end of file diff --git a/alternatives/mta b/alternatives/mta new file mode 120000 index 0000000..7399429 --- /dev/null +++ b/alternatives/mta @@ -0,0 +1 @@ +/usr/sbin/sendmail.postfix \ No newline at end of file diff --git a/alternatives/mta-aliasesman b/alternatives/mta-aliasesman new file mode 120000 index 0000000..c938ed8 --- /dev/null +++ b/alternatives/mta-aliasesman @@ -0,0 +1 @@ +/usr/share/man/man5/aliases.postfix.5.gz \ No newline at end of file diff --git a/alternatives/mta-mailq b/alternatives/mta-mailq new file mode 120000 index 0000000..feeaddc --- /dev/null +++ b/alternatives/mta-mailq @@ -0,0 +1 @@ +/usr/bin/mailq.postfix \ No newline at end of file diff --git a/alternatives/mta-mailqman b/alternatives/mta-mailqman new file mode 120000 index 0000000..15dafc0 --- /dev/null +++ b/alternatives/mta-mailqman @@ -0,0 +1 @@ +/usr/share/man/man1/mailq.postfix.1.gz \ No newline at end of file diff --git a/alternatives/mta-newaliases b/alternatives/mta-newaliases new file mode 120000 index 0000000..2e27e3e --- /dev/null +++ b/alternatives/mta-newaliases @@ -0,0 +1 @@ +/usr/bin/newaliases.postfix \ No newline at end of file diff --git a/alternatives/mta-newaliasesman b/alternatives/mta-newaliasesman new file mode 120000 index 0000000..5882c00 --- /dev/null +++ b/alternatives/mta-newaliasesman @@ -0,0 +1 @@ +/usr/share/man/man1/newaliases.postfix.1.gz \ No newline at end of file diff --git a/alternatives/mta-pam b/alternatives/mta-pam new file mode 120000 index 0000000..96e3fb7 --- /dev/null +++ b/alternatives/mta-pam @@ -0,0 +1 @@ +/etc/pam.d/smtp.postfix \ No newline at end of file diff --git a/alternatives/mta-rmail b/alternatives/mta-rmail new file mode 120000 index 0000000..985768e --- /dev/null +++ b/alternatives/mta-rmail @@ -0,0 +1 @@ +/usr/bin/rmail.postfix \ No newline at end of file 
diff --git a/alternatives/mta-sendmail b/alternatives/mta-sendmail new file mode 120000 index 0000000..36a9da6 --- /dev/null +++ b/alternatives/mta-sendmail @@ -0,0 +1 @@ +/usr/lib/sendmail.postfix \ No newline at end of file diff --git a/alternatives/mta-sendmailman b/alternatives/mta-sendmailman new file mode 120000 index 0000000..f652f73 --- /dev/null +++ b/alternatives/mta-sendmailman @@ -0,0 +1 @@ +/usr/share/man/man1/sendmail.postfix.1.gz \ No newline at end of file diff --git a/alternatives/mta-smtpdman b/alternatives/mta-smtpdman new file mode 120000 index 0000000..e118d3d --- /dev/null +++ b/alternatives/mta-smtpdman @@ -0,0 +1 @@ +/usr/share/man/man8/smtpd.postfix.8.gz \ No newline at end of file diff --git a/alternatives/ncman b/alternatives/ncman new file mode 120000 index 0000000..0460be3 --- /dev/null +++ b/alternatives/ncman @@ -0,0 +1 @@ +/usr/share/man/man1/ncat.1.gz \ No newline at end of file diff --git a/alternatives/nmap b/alternatives/nmap new file mode 120000 index 0000000..15f984a --- /dev/null +++ b/alternatives/nmap @@ -0,0 +1 @@ +/usr/bin/ncat \ No newline at end of file diff --git a/alternatives/orbd b/alternatives/orbd new file mode 120000 index 0000000..1f04e84 --- /dev/null +++ b/alternatives/orbd @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/orbd \ No newline at end of file diff --git a/alternatives/orbd.1.gz b/alternatives/orbd.1.gz new file mode 120000 index 0000000..1ca3eb8 --- /dev/null +++ b/alternatives/orbd.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/pack200 b/alternatives/pack200 new file mode 120000 index 0000000..ffe71ca --- /dev/null +++ b/alternatives/pack200 @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/pack200 \ No newline at end of file 
diff --git a/alternatives/pack200.1.gz b/alternatives/pack200.1.gz new file mode 120000 index 0000000..f2c34ec --- /dev/null +++ b/alternatives/pack200.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/pax b/alternatives/pax new file mode 120000 index 0000000..4a330f2 --- /dev/null +++ b/alternatives/pax @@ -0,0 +1 @@ +/usr/bin/spax \ No newline at end of file diff --git a/alternatives/pax-man b/alternatives/pax-man new file mode 120000 index 0000000..02de7ac --- /dev/null +++ b/alternatives/pax-man @@ -0,0 +1 @@ +/usr/share/man/man1/spax.1.gz \ No newline at end of file diff --git a/alternatives/pip-3 b/alternatives/pip-3 new file mode 120000 index 0000000..bf9527a --- /dev/null +++ b/alternatives/pip-3 @@ -0,0 +1 @@ +/usr/bin/pip-3.6 \ No newline at end of file diff --git a/alternatives/pip3 b/alternatives/pip3 new file mode 120000 index 0000000..f3605ff --- /dev/null +++ b/alternatives/pip3 @@ -0,0 +1 @@ +/usr/bin/pip3.6 \ No newline at end of file diff --git a/alternatives/policytool b/alternatives/policytool new file mode 120000 index 0000000..cccde7b --- /dev/null +++ b/alternatives/policytool @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/policytool \ No newline at end of file diff --git a/alternatives/policytool.1.gz b/alternatives/policytool.1.gz new file mode 120000 index 0000000..397c014 --- /dev/null +++ b/alternatives/policytool.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/print b/alternatives/print new file mode 120000 index 0000000..688de13 --- /dev/null +++ b/alternatives/print @@ -0,0 +1 @@ +/usr/bin/lpr.cups \ No newline at end of file diff --git a/alternatives/print-cancel b/alternatives/print-cancel new file mode 120000 index 0000000..3575ebe --- /dev/null +++ b/alternatives/print-cancel 
@@ -0,0 +1 @@ +/usr/bin/cancel.cups \ No newline at end of file diff --git a/alternatives/print-cancelman b/alternatives/print-cancelman new file mode 120000 index 0000000..b881c58 --- /dev/null +++ b/alternatives/print-cancelman @@ -0,0 +1 @@ +/usr/share/man/man1/cancel-cups.1.gz \ No newline at end of file diff --git a/alternatives/print-lp b/alternatives/print-lp new file mode 120000 index 0000000..7d64c2d --- /dev/null +++ b/alternatives/print-lp @@ -0,0 +1 @@ +/usr/bin/lp.cups \ No newline at end of file diff --git a/alternatives/print-lpc b/alternatives/print-lpc new file mode 120000 index 0000000..f09b684 --- /dev/null +++ b/alternatives/print-lpc @@ -0,0 +1 @@ +/usr/sbin/lpc.cups \ No newline at end of file diff --git a/alternatives/print-lpcman b/alternatives/print-lpcman new file mode 120000 index 0000000..18a4379 --- /dev/null +++ b/alternatives/print-lpcman @@ -0,0 +1 @@ +/usr/share/man/man8/lpc-cups.8.gz \ No newline at end of file diff --git a/alternatives/print-lpman b/alternatives/print-lpman new file mode 120000 index 0000000..d9deb81 --- /dev/null +++ b/alternatives/print-lpman @@ -0,0 +1 @@ +/usr/share/man/man1/lp-cups.1.gz \ No newline at end of file diff --git a/alternatives/print-lpq b/alternatives/print-lpq new file mode 120000 index 0000000..68e3ae9 --- /dev/null +++ b/alternatives/print-lpq @@ -0,0 +1 @@ +/usr/bin/lpq.cups \ No newline at end of file diff --git a/alternatives/print-lpqman b/alternatives/print-lpqman new file mode 120000 index 0000000..049aa55 --- /dev/null +++ b/alternatives/print-lpqman @@ -0,0 +1 @@ +/usr/share/man/man1/lpq-cups.1.gz \ No newline at end of file diff --git a/alternatives/print-lprm b/alternatives/print-lprm new file mode 120000 index 0000000..2f45c6f --- /dev/null +++ b/alternatives/print-lprm @@ -0,0 +1 @@ +/usr/bin/lprm.cups \ No newline at end of file diff --git a/alternatives/print-lprman b/alternatives/print-lprman new file mode 120000 index 0000000..31cf0b5 --- /dev/null 
+++ b/alternatives/print-lprman @@ -0,0 +1 @@ +/usr/share/man/man1/lpr-cups.1.gz \ No newline at end of file diff --git a/alternatives/print-lprmman b/alternatives/print-lprmman new file mode 120000 index 0000000..5d5cc12 --- /dev/null +++ b/alternatives/print-lprmman @@ -0,0 +1 @@ +/usr/share/man/man1/lprm-cups.1.gz \ No newline at end of file diff --git a/alternatives/print-lpstat b/alternatives/print-lpstat new file mode 120000 index 0000000..984351f --- /dev/null +++ b/alternatives/print-lpstat @@ -0,0 +1 @@ +/usr/bin/lpstat.cups \ No newline at end of file diff --git a/alternatives/print-lpstatman b/alternatives/print-lpstatman new file mode 120000 index 0000000..99f0d27 --- /dev/null +++ b/alternatives/print-lpstatman @@ -0,0 +1 @@ +/usr/share/man/man1/lpstat-cups.1.gz \ No newline at end of file diff --git a/alternatives/pydoc-3 b/alternatives/pydoc-3 new file mode 120000 index 0000000..59e86f9 --- /dev/null +++ b/alternatives/pydoc-3 @@ -0,0 +1 @@ +/usr/bin/pydoc3.6 \ No newline at end of file diff --git a/alternatives/pydoc3 b/alternatives/pydoc3 new file mode 120000 index 0000000..59e86f9 --- /dev/null +++ b/alternatives/pydoc3 @@ -0,0 +1 @@ +/usr/bin/pydoc3.6 \ No newline at end of file diff --git a/alternatives/python b/alternatives/python new file mode 120000 index 0000000..c0026ee --- /dev/null +++ b/alternatives/python @@ -0,0 +1 @@ +/usr/libexec/no-python \ No newline at end of file diff --git a/alternatives/python3 b/alternatives/python3 new file mode 120000 index 0000000..6270541 --- /dev/null +++ b/alternatives/python3 @@ -0,0 +1 @@ +/usr/bin/python3.6 \ No newline at end of file diff --git a/alternatives/python3-config b/alternatives/python3-config new file mode 120000 index 0000000..561c73b --- /dev/null +++ b/alternatives/python3-config @@ -0,0 +1 @@ +/usr/bin/python3.6-config \ No newline at end of file diff --git a/alternatives/python3-man b/alternatives/python3-man new file mode 120000 index 0000000..cafa1c7 --- /dev/null 
+++ b/alternatives/python3-man @@ -0,0 +1 @@ +/usr/share/man/man1/python3.6.1.gz \ No newline at end of file diff --git a/alternatives/pyvenv-3 b/alternatives/pyvenv-3 new file mode 120000 index 0000000..86d4686 --- /dev/null +++ b/alternatives/pyvenv-3 @@ -0,0 +1 @@ +/usr/bin/pyvenv-3.6 \ No newline at end of file diff --git a/alternatives/qtchooser-5 b/alternatives/qtchooser-5 new file mode 120000 index 0000000..63fe123 --- /dev/null +++ b/alternatives/qtchooser-5 @@ -0,0 +1 @@ +/etc/xdg/qtchooser/5-64.conf \ No newline at end of file diff --git a/alternatives/qtchooser-default b/alternatives/qtchooser-default new file mode 120000 index 0000000..67538d6 --- /dev/null +++ b/alternatives/qtchooser-default @@ -0,0 +1 @@ +/etc/xdg/qtchooser/5.conf \ No newline at end of file diff --git a/alternatives/rmid b/alternatives/rmid new file mode 120000 index 0000000..8be4a98 --- /dev/null +++ b/alternatives/rmid @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/rmid \ No newline at end of file diff --git a/alternatives/rmid.1.gz b/alternatives/rmid.1.gz new file mode 120000 index 0000000..a935cda --- /dev/null +++ b/alternatives/rmid.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/rmiregistry b/alternatives/rmiregistry new file mode 120000 index 0000000..2dbe6f5 --- /dev/null +++ b/alternatives/rmiregistry @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/rmiregistry \ No newline at end of file diff --git a/alternatives/rmiregistry.1.gz b/alternatives/rmiregistry.1.gz new file mode 120000 index 0000000..3995e45 --- /dev/null +++ b/alternatives/rmiregistry.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/servertool b/alternatives/servertool new file mode 120000 index 0000000..056c71a --- /dev/null 
+++ b/alternatives/servertool @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/servertool \ No newline at end of file diff --git a/alternatives/servertool.1.gz b/alternatives/servertool.1.gz new file mode 120000 index 0000000..41d9cae --- /dev/null +++ b/alternatives/servertool.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/spf b/alternatives/spf new file mode 120000 index 0000000..92dd117 --- /dev/null +++ b/alternatives/spf @@ -0,0 +1 @@ +/usr/bin/spfquery.perl-Mail-SPF \ No newline at end of file diff --git a/alternatives/spf-daemon b/alternatives/spf-daemon new file mode 120000 index 0000000..684664e --- /dev/null +++ b/alternatives/spf-daemon @@ -0,0 +1 @@ +/usr/bin/spfd.perl-Mail-SPF \ No newline at end of file diff --git a/alternatives/spfquery-man-page b/alternatives/spfquery-man-page new file mode 120000 index 0000000..1a0d7a0 --- /dev/null +++ b/alternatives/spfquery-man-page @@ -0,0 +1 @@ +/usr/share/man/man1/spfquery-perl-Mail-SPF.1.gz \ No newline at end of file diff --git a/alternatives/tnameserv b/alternatives/tnameserv new file mode 120000 index 0000000..9190305 --- /dev/null +++ b/alternatives/tnameserv @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/tnameserv \ No newline at end of file diff --git a/alternatives/tnameserv.1.gz b/alternatives/tnameserv.1.gz new file mode 120000 index 0000000..c125c3d --- /dev/null +++ b/alternatives/tnameserv.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/unpack200 b/alternatives/unpack200 new file mode 120000 index 0000000..4348fba --- /dev/null +++ b/alternatives/unpack200 @@ -0,0 +1 @@ +/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/unpack200 \ No newline at end of file 
diff --git a/alternatives/unpack200.1.gz b/alternatives/unpack200.1.gz new file mode 120000 index 0000000..6dd35e5 --- /dev/null +++ b/alternatives/unpack200.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz \ No newline at end of file diff --git a/alternatives/unversioned-python-man b/alternatives/unversioned-python-man new file mode 120000 index 0000000..a564705 --- /dev/null +++ b/alternatives/unversioned-python-man @@ -0,0 +1 @@ +/usr/share/man/man1/unversioned-python.1.gz \ No newline at end of file diff --git a/alternatives/virtualenv b/alternatives/virtualenv new file mode 120000 index 0000000..edb3401 --- /dev/null +++ b/alternatives/virtualenv @@ -0,0 +1 @@ +/usr/bin/virtualenv-3 \ No newline at end of file diff --git a/alternatives/virtualenv-3 b/alternatives/virtualenv-3 new file mode 120000 index 0000000..1c78a2f --- /dev/null +++ b/alternatives/virtualenv-3 @@ -0,0 +1 @@ +/usr/bin/virtualenv-3.6 \ No newline at end of file diff --git a/alternatives/whois b/alternatives/whois new file mode 120000 index 0000000..c62f4d7 --- /dev/null +++ b/alternatives/whois @@ -0,0 +1 @@ +/usr/bin/whois.md \ No newline at end of file diff --git a/alternatives/whois-man b/alternatives/whois-man new file mode 120000 index 0000000..a56f28c --- /dev/null +++ b/alternatives/whois-man @@ -0,0 +1 @@ +/usr/share/man/man1/whois.md.1.gz \ No newline at end of file diff --git a/amavisd/amavisd.conf b/amavisd/amavisd.conf new file mode 100644 index 0000000..5ec867a --- /dev/null +++ b/amavisd/amavisd.conf 
@@ -0,0 +1,854 @@ +use strict; + +# a minimalistic configuration file for amavisd-new with all necessary settings +# +# see amavisd.conf-default for a list of all variables with their defaults; +# for more details see documentation in INSTALL, README_FILES/* +# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html + + +# COMMONLY ADJUSTED SETTINGS: + +@bypass_virus_checks_maps = ( + \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); + +@bypass_spam_checks_maps = ( + \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); + +$bypass_decode_parts = 1; # controls running of decoders&dearchivers + +$max_servers = 1; # num of pre-forked children (2..30 is common), -m +$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u +$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g + +$mydomain = '898.ro'; # a convenient default for other settings + +$MYHOME = '/var/spool/amavisd'; # a convenient default for other settings, -H +$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T +$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. 
+$QUARANTINEDIR = '/var/spool/amavisd/quarantine'; # -Q +#$quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine +$release_format = 'resend'; # 'attach', 'plain', 'resend' +# $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf' + +# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R + +$db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D +# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S +$lock_file = "/var/run/amavisd/amavisd.lock"; # -L +$pid_file = "/var/run/amavisd/amavisd.pid"; # -P +#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually + +$log_level = 0; # verbosity 0..5, -d +$log_recip_templ = undef; # disable by-recipient level-0 log entries +$do_syslog = 1; # log via syslogd (preferred) +$syslog_facility = 'mail'; # Syslog facility as a string + # e.g.: mail, daemon, user, local0, ... local7 + +$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) +# $enable_zmq = 1; # enable use of ZeroMQ (SNMP and nanny) +$nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed +$enable_dkim_verification = 1; # enable DKIM signatures verification +$enable_dkim_signing = 0; # load DKIM signing code, keys defined by dkim_key + +### DKIM start ### +#dkim_key('898.ro', "dkim", "/etc/opendkim/keys/898.ro/default"); + +#@dkim_signature_options_bysender_maps = ( { +# "898.ro" => { d => "898.ro", a => 'rsa-sha256', ttl => 10*24*3600 }, +#}); + +### DKIM end ### + +@local_domains_maps = ( [".$mydomain"] ); # list of all local domains + +@mynetworks = qw( 127.0.0.0/8 10.208.1.69/32 10.208.1.31/32 192.168.1.2/32 89.121.131.74/32 86.104.210.218/32); + +$unix_socketname = "/var/run/amavisd/amavisd.sock"; # amavisd-release or amavis-milter + # option(s) -p overrides $inet_socket_port and $unix_socketname + +$inet_socket_port = 10024; # listen on this local TCP port(s) +# $inet_socket_port = [10024,10026]; # listen on multiple TCP ports + 
+$policy_bank{'MYNETS'} = { # mail originating from @mynetworks + originating => 1, # is true in MYNETS by default, but let's make it explicit + os_fingerprint_method => undef, # don't query p0f for internal clients +}; + +# it is up to MTA to re-route mail from authenticated roaming users or +# from internal hosts to a dedicated TCP port (such as 10026) for filtering +$interface_policy{'10026'} = 'ORIGINATING'; + +$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users + originating => 1, # declare that mail was submitted by our smtp client + allow_disclaimers => 1, # enables disclaimer insertion if available + # notify administrator of locally originating malware + virus_admin_maps => ["virusalert\@$mydomain"], + spam_admin_maps => ["virusalert\@$mydomain"], + warnbadhsender => 1, + # forward to a smtpd service providing DKIM signing service + forward_method => 'smtp:[127.0.0.1]:10027', + # force MTA conversion to 7-bit (e.g. before DKIM signing) + smtpd_discard_ehlo_keywords => ['8BITMIME'], + bypass_banned_checks_maps => [1], # allow sending any file names and types + terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option +}; + +$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname + +# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c +# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'): +$policy_bank{'AM.PDP-SOCK'} = { + protocol => 'AM.PDP', + auth_required_release => 0, # do not require secret_id for amavisd-release +}; + +$sa_tag_level_deflt = 5.0; # add spam info headers if at, or above that level +$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level +$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. 
blocks mail) +$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent +$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From +$sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off +$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database) +$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam +$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces + +$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger +$sa_local_tests_only = 0; # only tests which do not require internet access? + +# @lookup_sql_dsn = +# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], +# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], +# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); +# @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database +# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} ); +# $redis_logging_key = 'amavis-log'; +# $redis_logging_queue_size_limit = 300000; # about 250 MB / 100000 + +# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; +# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16) + +$virus_admin = undef; # notifications recip. 
+ +$mailfrom_notify_admin = undef; # notifications sender +$mailfrom_notify_recip = undef; # notifications sender +$mailfrom_notify_spamadmin = undef; # notifications sender +$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef + +@addr_extension_virus_maps = ('virus'); +@addr_extension_banned_maps = ('banned'); +@addr_extension_spam_maps = ('spam'); +@addr_extension_bad_header_maps = ('badh'); +# $recipient_delimiter = '+'; # undef disables address extensions altogether +# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+ + +$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; + +$MAXLEVELS = 14; +$MAXFILES = 3000; +$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) +$MAX_EXPANSION_QUOTA = 500*1024*1024; # bytes (default undef, not enforced) + +$sa_spam_subject_tag = '***Spam*** '; +$defang_virus = 1; # MIME-wrap passed infected mail +$defang_banned = 1; # MIME-wrap passed mail containing banned name +# for defanging bad headers only turn on certain minor contents categories: +$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header +$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters +$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error + + +# OTHER MORE COMMON SETTINGS (defaults may suffice): + +$myhostname = 'zira.898.ro'; # must be a fully-qualified domain name! + +$notify_method = 'smtp:[127.0.0.1]:10025'; +$forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter! + +$final_virus_destiny = D_DISCARD; +$final_banned_destiny = D_DISCARD; +$final_spam_destiny = D_DISCARD; #!!! 
D_DISCARD / D_REJECT +$final_bad_header_destiny = D_DISCARD; +# $bad_header_quarantine_method = undef; + +# $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl + +## hierarchy by which a final setting is chosen: +## policy bank (based on port or IP address) -> *_by_ccat +## *_by_ccat (based on mail contents) -> *_maps +## *_maps (based on recipient address) -> final configuration value + + +# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all) + +# $warnbadhsender, +# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps) +# +# @bypass_virus_checks_maps, @bypass_spam_checks_maps, +# @bypass_banned_checks_maps, @bypass_header_checks_maps, +# +# @virus_lovers_maps, @spam_lovers_maps, +# @banned_files_lovers_maps, @bad_header_lovers_maps, +# +# @blacklist_sender_maps, @score_sender_maps, +# +# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to, +# $bad_header_quarantine_to, $spam_quarantine_to, +# +# $defang_bad_header, $defang_undecipherable, $defang_spam + +### WHITELIST SENDERS ### + +# This policy will perform virus checks only. 
+read_hash(\%whitelist_sender, '/etc/amavisd/whitelist'); + @whitelist_sender_maps = (\%whitelist_sender); + +$policy_bank{'WHITELIST'} = { + whitelist_sender_maps => [ read_hash('/etc/amavisd/whitelist') ], +}; + +$interface_policy{'10026'} = 'VIRUSONLY'; +$policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon + bypass_spam_checks_maps => ['@whitelist_sender_maps'], # don't spam-check this mail + bypass_banned_checks_maps => ['@whitelist_sender_maps'], # don't banned-check this mail + bypass_header_checks_maps => ['@whitelist_sender_maps'], # don't header-check this mail +}; + +########################## + +# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS + +@keep_decoded_original_maps = (new_RE( + qr'^MAIL$', # let virus scanner see full original message + qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable + qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, +# qr'^Zip archive data', # don't trust Archive::Zip +)); + + +$banned_filename_re = new_RE( + +### BLOCKED ANYWHERE +# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components + qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary +# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types + +### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: +# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 + [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives + + qr'.\.(pif|scr)$'i, # banned extensions - rudimentary +# qr'^\.zip$', # block zip type + +### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: +# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives + + qr'^application/x-msdownload$'i, # block these MIME types + qr'^application/x-msdos-program$'i, + qr'^application/hta$'i, + +# qr'^message/partial$'i, # rfc2046 MIME type +# qr'^message/external-body$'i, # rfc2046 MIME type + +# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type +# qr'^\.wmf$', # Windows Metafile file(1) type + + # 
block certain double extensions in filenames + qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, + +# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict +# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose + + qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic +# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd +# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| +# inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| +# msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd| +# wmf|wsc|wsf|wsh)$'ix, # banned extensions - long +# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also +# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename +# qr'^\.ani$', # banned animated cursor file(1) type +# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. +); +# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 +# and http://www.cknow.com/vtutor/vtextensions.htm + + +# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING + +@score_sender_maps = ({ # a by-recipient hash lookup table, + # results from all matching recipient tables are summed + +# ## per-recipient personal tables (NOTE: positive: black, negative: white) +# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], +# 'user3@example.com' => [{'.ebay.com' => -3.0}], +# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, +# '.cleargreen.com' => -5.0}], + + ## site-wide opinions about senders (the '.' matches any recipient) + '.' 
=> [ # the _first_ matching sender determines the score boost + + new_RE( # regexp-type lookup table, just happens to be all soft-blacklist + [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], + [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], + [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], + [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], + [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], + [qr'^(your_friend|greatoffers)@'i => 5.0], + [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], + ), + +# read_hash("/var/amavis/sender_scores_sitewide"), + + { # a hash-type lookup table (associative array) + 'nobody@cert.org' => -3.0, + 'cert-advisory@us-cert.gov' => -3.0, + 'owner-alert@iss.net' => -3.0, + 'slashdot@slashdot.org' => -3.0, + 'securityfocus.com' => -3.0, + 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, + 'security-alerts@linuxsecurity.com' => -3.0, + 'mailman-announce-admin@python.org' => -3.0, + 'amavis-user-admin@lists.sourceforge.net'=> -3.0, + 'amavis-user-bounces@lists.sourceforge.net' => -3.0, + 'spamassassin.apache.org' => -3.0, + 'notification-return@lists.sophos.com' => -3.0, + 'owner-postfix-users@postfix.org' => -3.0, + 'owner-postfix-announce@postfix.org' => -3.0, + 'owner-sendmail-announce@lists.sendmail.org' => -3.0, + 'sendmail-announce-request@lists.sendmail.org' => -3.0, + 'donotreply@sendmail.org' => -3.0, + 'ca+envelope@sendmail.org' => -3.0, + 'noreply@freshmeat.net' => -3.0, + 'owner-technews@postel.acm.org' => -3.0, + 'ietf-123-owner@loki.ietf.org' => -3.0, + 'cvs-commits-list-admin@gnome.org' => -3.0, + 'rt-users-admin@lists.fsck.com' => -3.0, + 'clp-request@comp.nus.edu.sg' => -3.0, + 'surveys-errors@lists.nua.ie' => -3.0, + 'emailnews@genomeweb.com' => -5.0, + 'yahoo-dev-null@yahoo-inc.com' => -3.0, + 'returns.groups.yahoo.com' => -3.0, + 'clusternews@linuxnetworx.com' => -3.0, + 
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, + lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, + + # soft-blacklisting (positive score) + 'sender@example.net' => 3.0, + '.example.net' => 1.0, + + }, + ], # end of site-wide tables +}); + + +@decoders = ( + ['mail', \&do_mime_decode], +# [[qw(asc uue hqx ync)], \&do_ascii], # not safe + ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], + ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], + ['gz', \&do_uncompress, 'gzip -d'], + ['gz', \&do_gunzip], + ['bz2', \&do_uncompress, 'bzip2 -d'], + ['xz', \&do_uncompress, + ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], + ['lzma', \&do_uncompress, + ['lzmadec', 'xz -dc --format=lzma', + 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], + ['lrz', \&do_uncompress, + ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], + ['lzo', \&do_uncompress, 'lzop -d'], + ['lz4', \&do_uncompress, ['lz4c -d'] ], + ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], + [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], + # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio'] + ['deb', \&do_ar, 'ar'], +# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill + ['rar', \&do_unrar, ['unrar', 'rar'] ], + ['arj', \&do_unarj, ['unarj', 'arj'] ], + ['arc', \&do_arc, ['nomarch', 'arc'] ], + ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], +# ['doc', \&do_ole, 'ripole'], # no ripole package so far + ['cab', \&do_cabextract, 'cabextract'], +# ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead + ['tnef', \&do_tnef], +# ['lha', \&do_lha, 'lha'], # not safe, use 7z instead +# ['sit', \&do_unstuff, 'unstuff'], # not safe + [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], + [['zip','kmz'], \&do_unzip], + ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], + [[qw(gz bz2 Z tar)], + \&do_7zip, ['7za', '7z'] ], + [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], + \&do_7zip, '7z' ], + ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], +); + +# EXCLUDE 
HEADER TEST + +# Duplicate or multiple occurrence of a header field +$allowed_header_tests{'multiple'} = 0; +# the infamous Date missing +$allowed_header_tests{'missing'} = 0; + +@av_scanners = ( + +# ### http://www.sophos.com/ +# ['Sophos-SSSP', # SAV Dynamic Interface +# \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'], +# # or: ["{}", 'sssp:[127.0.0.1]:4010'], +# qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ], + +# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/) +# ['Sophie', +# \&ask_daemon, ["{}/\n", 'sophie:/var/run/sophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, +# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], + +# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ +# ['Sophos SAVI', \&ask_daemon, ['{}','savi-perl:'] ], + +# ['Avira SAVAPI', +# \&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'], +# qr/^(200|210)/m, qr/^(310|420|319)/m, +# qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ], +# settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1 + + ### http://www.clamav.net/ + ['ClamAV-clamd', + \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], + qr/\bOK$/m, qr/\bFOUND$/m, + qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + # NOTE: run clamd under the same user as amavisd - or run it under its own + # uid such as clamav, add user clamav to the amavis group, and then add + # AllowSupplementaryGroups to clamd.conf; + # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in + # this entry; when running chrooted one may prefer a socket under $MYHOME. + +# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) +# # note that Mail::ClamAV requires perl to be build with threading! 
+# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'], +# [0], [1], qr/^INFECTED: (.+)/m], + +# ### http://www.openantivirus.org/ +# ['OpenAntiVirus ScannerDaemon (OAV)', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], +# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ], + +# ### http://www.vanja.com/tools/trophie/ +# ['Trophie', +# \&ask_daemon, ["{}/\n", 'trophie:/var/run/trophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, +# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], + +# ### http://www.grisoft.com/ +# ['AVG Anti-Virus', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], +# qr/^200/m, qr/^403/m, qr/^403[- ].*: ([^\r\n]+)/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6 +# \&ask_daemon, +# ["SCAN FILE {}/*\n", '127.0.0.1:10200'], +# qr/^(0|8|64) /m, +# qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m, +# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot f-protd', # old version +# \&ask_daemon, +# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", +# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202', +# '127.0.0.1:10203', '127.0.0.1:10204'] ], +# qr/(?i)]*>clean<\/summary>/m, +# qr/(?i)]*>infected<\/summary>/m, +# qr/(?i)(.+)<\/name>/m ], + +# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ +# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later +# [pack('N',1). # DRWEBD_SCAN_CMD +# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES +# pack('N', # path length +# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). +# '{}/*'. # path +# pack('N',0). 
# content size +# pack('N',0), +# '/var/drweb/run/drwebd.sock', +# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot +# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default +# # '127.0.0.1:3000', # or over an inet socket +# ], +# qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED +# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF +# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm, +# ], +# # NOTE: If using amavis-milter, change length to: +# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). + + ### http://www.kaspersky.com/ (kav4mailservers) + ['KasperskyLab AVP - aveclient', + ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', + '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], + '-p /var/run/aveserver -s {}/*', + [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, + ], + # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, + # currupted or protected archives are to be handled + + ### http://www.kaspersky.com/ + ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], + '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? + qr/infected: (.+)/m, + sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, + sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + + ### The kavdaemon and AVPDaemonClient have been removed from Kasperky + ### products and replaced by aveserver and aveclient + ['KasperskyLab AVPDaemonClient', + [ '/opt/AVP/kavdaemon', 'kavdaemon', + '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', + '/opt/AVP/AvpTeamDream', 'AvpTeamDream', + '/opt/AVP/avpdc', 'avpdc' ], + "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ], + # change the startup-script in /etc/init.d/kavd to: + # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" + # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) + # adjusting /var/amavis above to match your $TEMPBASE. 
+ # The '-f=/var/amavis' is needed if not running it as root, so it + # can find, read, and write its pid file, etc., see 'man kavdaemon'. + # defUnix.prf: there must be an entry "*/var/amavis" (or whatever + # directory $TEMPBASE specifies) in the 'Names=' section. + # cd /opt/AVP/DaemonClients; configure; cd Sample; make + # cp AvpDaemonClient /opt/AVP/ + # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" + + ### http://www.centralcommand.com/ + ['CentralCommand Vexira (new) vascan', + ['vascan','/usr/lib/Vexira/vascan'], + "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". + "--log=/var/log/vascan.log {}", + [0,3], [1,2,5], + qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ], + # Adjust the path of the binary and the virus database as needed. + # 'vascan' does not allow to have the temp directory to be the same as + # the quarantine directory, and the quarantine option can not be disabled. + # If $QUARANTINEDIR is not used, then another directory must be specified + # to appease 'vascan'. Move status 3 to the second list if password + # protected files are to be considered infected. + + ### http://www.avira.com/ + ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus + ['Avira AntiVir', ['antivir','vexira'], + '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m, + qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | + (?i) VIRUS:\ .*?\ virus\ '?) 
( [^\]\s']+ )/m ], + # NOTE: if you only have a demo version, remove -z and add 214, as in: + # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, + + ### http://www.avira.com/ + ### Avira for UNIX 3.x + ['Avira AntiVir', ['avscan'], + '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m, + qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ], + + ### http://www.commandsoftware.com/ + ['Command AntiVirus for Linux', 'csav', + '-all -archive -packed {}', [50], [51,52,53], + qr/Infection: (.+)/m ], + + ### http://www.symantec.com/ + ['Symantec CarrierScan via Symantec CommandLineScanner', + 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', + qr/^Files Infected:\s+0$/m, qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + + ### http://www.symantec.com/ + ['Symantec AntiVirus Scan Engine', + 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', + [0], qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + # NOTE: check options and patterns to see which entry better applies + +# ### http://www.f-secure.com/products/anti-virus/ version 5.52 +# ['F-Secure Antivirus for Linux servers', +# ['/opt/f-secure/fsav/bin/fsav', 'fsav'], +# '--virus-action1=report --archive=yes --auto=yes '. +# '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], +# qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], +# # NOTE: internal archive handling may be switched off by '--archive=no' +# # to prevent fsav from exiting with status 9 on broken archives + + ### http://www.f-secure.com/ version 9.14 + ['F-Secure Linux Security', + ['/opt/f-secure/fsav/bin/fsav', 'fsav'], + '--virus-action1=report --archive=yes --auto=yes '. + '--list=no --nomimeerr {}', [0], [3,4,6,8], + qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], + # NOTE: internal archive handling may be switched off by '--archive=no' + # to prevent fsav from exiting with status 9 on broken archives + +# ### http://www.avast.com/ +# ['avast! 
Antivirus daemon', +# \&ask_daemon, # greets with 220, terminate with QUIT +# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], +# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/m ], + +# ### http://www.avast.com/ +# ['avast! Antivirus - Client/Server Version', 'avastlite', +# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], +# qr/\t\[L\]\t([^[ \t\015\012]+)/m ], + + ['CAI InoculateIT', 'inocucmd', # retired product + '-sec -nex {}', [0], [100], + qr/was infected by virus (.+)/m ], + # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html + + ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) + ['CAI eTrust Antivirus', 'etrust-wrapper', + '-arc -nex -spm h {}', [0], [101], + qr/is infected by virus: (.+)/m ], + # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer + # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 + + ### http://mks.com.pl/english.html + ['MkS_Vir for Linux (beta)', ['mks32','mks'], + '-s {}/*', [0], [1,2], + qr/--[ \t]*(.+)/m ], + + ### http://mks.com.pl/english.html + ['MkS_Vir daemon', 'mksscan', + '-s -q {}', [0], [1..7], + qr/^... (\S+)/m ], + +# ### http://www.nod32.com/, version v2.52 (old) +# ['ESET NOD32 for Linux Mail servers', +# ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '. +# '-w -a --action-on-infected=accept --action-on-uncleanable=accept '. 
+# '--action-on-notscanned=accept {}', +# [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version v2.7 (old) +# ['ESET NOD32 Linux Mail Server - command line interface', +# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version 2.71.12 +# ['ESET Software ESETS Command Line Interface', +# ['/usr/bin/esets_cli', 'esets_cli'], +# '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ], + + ### http://www.eset.com/, version 3.0 + ['ESET Software ESETS Command Line Interface', + ['/usr/bin/esets_cli', 'esets_cli'], + '--subdir {}', [0], [1,2,3], + qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ], + + ## http://www.nod32.com/, NOD32LFS version 2.5 and above + ['ESET NOD32 for Linux File servers', + ['/opt/eset/nod32/sbin/nod32','nod32'], + '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. + '-w -a --action=1 -b {}', + [0], [1,10], qr/^object=.*, virus="(.*?)",/m ], + +# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 +# ['ESET Software NOD32 Client/Server (NOD32SS)', +# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT +# ["SCAN {}/*\r\n", '127.0.0.1:8448' ], +# qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ], + + ### http://www.norman.com/products_nvc.shtml + ['Norman Virus Control v5 / Linux', 'nvcc', + '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], + qr/(?i).* virus in .* -> \'(.+)\'/m ], + + ### http://www.pandasoftware.com/ + ['Panda CommandLineSecure 9 for Linux', + ['/opt/pavcl/usr/bin/pavcl','pavcl'], + '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', + qr/Number of files infected[ .]*: 0+(?!\d)/m, + qr/Number of files infected[ .]*: 0*[1-9]/m, + qr/Found virus :\s*(\S+)/m ], + # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' + # before starting amavisd - the bases are then loaded only once at startup. 
+ # To reload bases in a signature update script: + # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr + # Please review other options of pavcl, for example: + # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies + +# ### http://www.pandasoftware.com/ +# ['Panda Antivirus for Linux', ['pavcl'], +# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', +# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], +# qr/Found virus :\s*(\S+)/m ], + +# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. +# Check your RAV license terms before fiddling with the following two lines! +# ['GeCAD RAV AntiVirus 8', 'ravav', +# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ], +# # NOTE: the command line switches changed with scan engine 8.5 ! +# # (btw, assigning stdin to /dev/null causes RAV to fail) + + ### http://www.nai.com/ + ['NAI McAfee AntiVirus (uvscan)', 'uvscan', + '--secure -rv --mime --summary --noboot - {}', [0], [13], + qr/(?x) Found (?: + \ the\ (.+)\ (?:virus|trojan) | + \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | + :\ (.+)\ NOT\ a\ virus)/m, + # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, + # sub {delete $ENV{LD_PRELOAD}}, + ], + # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before + # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 + # and then clear it when finished to avoid confusing anything else. + # NOTE2: to treat encrypted files as viruses replace the [13] with: + # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ + + ### http://www.virusbuster.hu/en/ + ['VirusBuster', ['vbuster', 'vbengcl'], + "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], + qr/: '(.*)' - Virus/m ], + # VirusBuster Ltd. does not support the daemon version for the workstation + # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of + # binaries, some parameters AND return codes have changed (from 3 to 1). 
+ # See also the new Vexira entry 'vascan' which is possibly related. + +# ### http://www.virusbuster.hu/en/ +# ['VirusBuster (Client + Daemon)', 'vbengd', +# '-f -log scandir {}', [0], [3], +# qr/Virus found = (.*);/m ], +# # HINT: for an infected file it always returns 3, +# # although the man-page tells a different story + + ### http://www.cyber.com/ + ['CyberSoft VFind', 'vfind', + '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m, + # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, + ], + +# ### http://www.avast.com/ (old) +# ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], +# '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ], + + ### http://www.avast.com/ + ['avast! Antivirus', '/bin/scan', '{}', [0], [1], qr/\t(.+)/m ], + + ### http://www.ikarus-software.com/ + ['Ikarus AntiVirus for Linux', 'ikarus', + '{}', [0], [40], qr/Signature (.+) found/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdscan', # new version + '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m, + qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdc', # old version + '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, + qr/(?:suspected|infected): (.*)(?:\033|$)/m ], + # consider also: --all --nowarn --alev=15 --flev=15. 
The --all argument may + # not apply to your version of bdc, check documentation and see 'bdc --help' + + ### ArcaVir for Linux and Unix http://www.arcabit.pl/ + ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], + '-v 1 -summary 0 -s {}', [0], [1,2], + qr/(?:VIR|WIR):[ \t]*(.+)/m ], + +# ### a generic SMTP-client interface to a SMTP-based virus scanner +# ['av_smtp', \&ask_av_smtp, +# ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'], +# qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ], + +# ['File::Scan', sub {Amavis::AV::ask_av(sub{ +# use File::Scan; my($fn)=@_; +# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); +# my($vname) = $f->scan($fn); +# $f->error ? (2,"Error: ".$f->error) +# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) }, +# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ], + +# ### fully-fledged checker for JPEG marker segments of invalid length +# ['check-jpeg', +# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, +# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ], +# # NOTE: place file JpegTester.pm somewhere where Perl can find it, +# # for example in /usr/local/lib/perl5/site_perl + +); + + +@av_scanners_backup = ( + + ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV + ['ClamAV-clamscan', 'clamscan', + "--stdout --no-summary -r --tempdir=$TEMPBASE {}", + [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + +# ### http://www.clamav.net/ - using remote clamd scanner as a backup +# ['ClamAV-clamdscan', 'clamdscan', +# "--stdout --no-summary --config-file=/etc/clamd-client.conf {}", +# [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + +# ['ClamAV-clamd-stream', +# \&ask_daemon, ["*", 'clamd:/var/run/clamav/clamd.sock'], +# qr/\bOK$/m, qr/\bFOUND$/m, +# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 + ['F-PROT Antivirus for UNIX', ['fpscan'], + '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10 
+ [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], + qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon (old) + ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], + '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], + qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ], + + ### http://www.trendmicro.com/ - backs up Trophie + ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], + '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], + + ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD + ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier + ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], + '-path={} -al -go -ot -cn -upn -ok-', + [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ], + + ### http://www.kaspersky.com/ + ['Kaspersky Antivirus v5.5', + ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', + '/opt/kav/5.5/kav4unix/bin/kavscanner', + '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], + '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m, +# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, +# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + + ### http://www.sophos.com/ + ['Sophos Anti Virus (savscan)', # formerly known as 'sweep' + ['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep' + '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. + '--no-reset-atime {}', + [0,2], qr/Virus .*? found/m, + qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, + ], + # other options to consider: -idedir=/usr/local/sav + # A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD). + # Make sure the correct 'sweep' is found in the path if using the old name. + +# Always succeeds and considers mail clean. 
+# Potentially useful when all other scanners fail and it is desirable
+# to let mail continue to flow with no virus checking (when uncommented).
+# ['always-clean', sub {0}],
+
+);
+
+
+1; # insure a defined return value
diff --git a/amavisd/amavisd.conf.rpmnew b/amavisd/amavisd.conf.rpmnew
new file mode 100644
index 0000000..615a75a
--- /dev/null
+++ b/amavisd/amavisd.conf.rpmnew
@@ -0,0 +1,828 @@
+use strict;
+
+# a minimalistic configuration file for amavisd-new with all necessary settings
+#
+# see amavisd.conf-default for a list of all variables with their defaults;
+# for more details see documentation in INSTALL, README_FILES/*
+# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
+
+
+# COMMONLY ADJUSTED SETTINGS:
+
+# @bypass_virus_checks_maps = (1); # controls running of anti-virus code
+# @bypass_spam_checks_maps = (1); # controls running of anti-spam code
+# $bypass_decode_parts = 1; # controls running of decoders&dearchivers
+
+# $myprogram_name = $0; # set to 'amavisd' or similar to avoid process name
+ # truncation in /proc//stat and ps -e output
+
+$max_servers = 2; # num of pre-forked children (2..30 is common), -m
+$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u
+$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g
+
+$mydomain = 'example.com'; # a convenient default for other settings
+
+$MYHOME = '/var/spool/amavisd'; # a convenient default for other settings, -H
+$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T
+$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc.
+$QUARANTINEDIR = undef; # -Q
+# $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
+# $release_format = 'resend'; # 'attach', 'plain', 'resend'
+# $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf'
+
+# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R
+
+$db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D
+# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S
+$lock_file = "/run/amavisd/amavisd.lock"; # -L
+$pid_file = "/run/amavisd/amavisd.pid"; # -P
+#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually
+
+$log_level = 0; # verbosity 0..5, -d
+$log_recip_templ = undef; # disable by-recipient level-0 log entries
+$do_syslog = 1; # log via syslogd (preferred)
+$syslog_facility = 'mail'; # Syslog facility as a string
+ # e.g.: mail, daemon, user, local0, ... local7
+
+$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
+# $enable_zmq = 1; # enable use of ZeroMQ (SNMP and nanny)
+$nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed
+$enable_dkim_verification = 1; # enable DKIM signatures verification
+$enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key
+
+@local_domains_maps = ( [".$mydomain"] ); # list of all local domains
+
+@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
+ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
+
+$unix_socketname = "/run/amavisd/amavisd.sock"; # amavisd-release or amavis-milter
+ # option(s) -p overrides $inet_socket_port and $unix_socketname
+
+# The default receiving port in the Fedora and RHEL SELinux policy is 10024.
+# To allow additional ports you need to label them as 'amavisd_recv_port_t'
+# For example: semanage port -a -t amavisd_recv_port_t -p tcp 10022
+$inet_socket_port = 10024; # listen on this local TCP port(s)
+# $inet_socket_port = [10022,10024]; # listen on multiple TCP ports
+
+$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
+ originating => 1, # is true in MYNETS by default, but let's make it explicit
+ os_fingerprint_method => undef, # don't query p0f for internal clients
+};
+
+# it is up to MTA to re-route mail from authenticated roaming users or
+# from internal hosts to a dedicated TCP port (such as 10022) for filtering
+$interface_policy{'10022'} = 'ORIGINATING';
+
+$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
+ originating => 1, # declare that mail was submitted by our smtp client
+ allow_disclaimers => 1, # enables disclaimer insertion if available
+ # notify administrator of locally originating malware
+ virus_admin_maps => ["virusalert\@$mydomain"],
+ spam_admin_maps => ["virusalert\@$mydomain"],
+ warnbadhsender => 1,
+ # forward to a smtpd service providing DKIM signing service
+ forward_method => 'smtp:[127.0.0.1]:10025',
+ # force MTA conversion to 7-bit (e.g. 
before DKIM signing)
+ smtpd_discard_ehlo_keywords => ['8BITMIME'],
+ bypass_banned_checks_maps => [1], # allow sending any file names and types
+ terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
+};
+
+$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
+
+# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
+# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
+$policy_bank{'AM.PDP-SOCK'} = {
+ protocol => 'AM.PDP',
+ auth_required_release => 0, # do not require secret_id for amavisd-release
+};
+
+$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
+$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is suppressed
+$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
+# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
+$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database)
+$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
+$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces
+
+$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
+$sa_local_tests_only = 0; # only tests which do not require internet access?
+
+# @lookup_sql_dsn =
+# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
+# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
+# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
+# @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database
+# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
+# $redis_logging_key = 'amavis-log';
+# $redis_logging_queue_size_limit = 300000; # about 250 MB / 100000
+
+# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
+# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
+
+$virus_admin = undef; # notifications recip.
+
+$mailfrom_notify_admin = undef; # notifications sender
+$mailfrom_notify_recip = undef; # notifications sender
+$mailfrom_notify_spamadmin = undef; # notifications sender
+$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
+
+@addr_extension_virus_maps = ('virus');
+@addr_extension_banned_maps = ('banned');
+@addr_extension_spam_maps = ('spam');
+@addr_extension_bad_header_maps = ('badh');
+# $recipient_delimiter = '+'; # undef disables address extensions altogether
+# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
+
+$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
+# $dspam = 'dspam';
+
+$MAXLEVELS = 14;
+$MAXFILES = 3000;
+$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
+$MAX_EXPANSION_QUOTA = 500*1024*1024; # bytes (default undef, not enforced)
+
+$sa_spam_subject_tag = '***Spam*** ';
+$defang_virus = 1; # MIME-wrap passed infected mail
+$defang_banned = 1; # MIME-wrap passed mail containing banned name
+# for defanging bad headers only turn on certain minor contents categories:
+$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header
+$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters
+$defang_by_ccat{CC_BADH.",6"} = 1; # header field 
syntax error
+
+
+# OTHER MORE COMMON SETTINGS (defaults may suffice):
+
+# $myhostname = 'host.example.com'; # must be a fully-qualified domain name!
+
+# The default forwarding port in the Fedora and RHEL SELinux policy is 10025.
+# To allow additional ports you need to label them as 'amavisd_send_port_t'.
+# For example: semanage port -a -t amavisd_send_port_t -p tcp 10023
+# $notify_method = 'smtp:[127.0.0.1]:10023';
+# $forward_method = 'smtp:[127.0.0.1]:10023'; # set to undef with milter!
+
+$final_virus_destiny = D_DISCARD;
+$final_banned_destiny = D_BOUNCE;
+$final_spam_destiny = D_DISCARD; #!!! D_DISCARD / D_REJECT
+$final_bad_header_destiny = D_BOUNCE;
+# $bad_header_quarantine_method = undef;
+
+# $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl
+
+## hierarchy by which a final setting is chosen:
+## policy bank (based on port or IP address) -> *_by_ccat
+## *_by_ccat (based on mail contents) -> *_maps
+## *_maps (based on recipient address) -> final configuration value
+
+
+# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
+
+# $warnbadhsender,
+# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
+#
+# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
+# @bypass_banned_checks_maps, @bypass_header_checks_maps,
+#
+# @virus_lovers_maps, @spam_lovers_maps,
+# @banned_files_lovers_maps, @bad_header_lovers_maps,
+#
+# @blacklist_sender_maps, @score_sender_maps,
+#
+# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
+# $bad_header_quarantine_to, $spam_quarantine_to,
+#
+# $defang_bad_header, $defang_undecipherable, $defang_spam
+
+
+# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
+
+@keep_decoded_original_maps = (new_RE(
+ qr'^MAIL$', # let virus scanner see full original message
+ qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
+ qr'^(ASCII(?! 
cpio)|text|uuencoded|xxencoded|binhex)'i, +# qr'^Zip archive data', # don't trust Archive::Zip +)); + + +$banned_filename_re = new_RE( + +### BLOCKED ANYWHERE +# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components + qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary +# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types + +### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: +# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 + [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives + + qr'.\.(pif|scr)$'i, # banned extensions - rudimentary +# qr'^\.zip$', # block zip type + +### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: +# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives + + qr'^application/x-msdownload$'i, # block these MIME types + qr'^application/x-msdos-program$'i, + qr'^application/hta$'i, + +# qr'^message/partial$'i, # rfc2046 MIME type +# qr'^message/external-body$'i, # rfc2046 MIME type + +# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type +# qr'^\.wmf$', # Windows Metafile file(1) type + + # block certain double extensions in filenames + qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, + +# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict +# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose + + qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic +# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd +# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| +# inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| +# msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd| +# wmf|wsc|wsf|wsh)$'ix, # banned extensions - long +# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also +# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename +# qr'^\.ani$', # banned animated cursor file(1) type +# 
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. +); +# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 +# and http://www.cknow.com/vtutor/vtextensions.htm + + +# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING + +@score_sender_maps = ({ # a by-recipient hash lookup table, + # results from all matching recipient tables are summed + +# ## per-recipient personal tables (NOTE: positive: black, negative: white) +# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], +# 'user3@example.com' => [{'.ebay.com' => -3.0}], +# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, +# '.cleargreen.com' => -5.0}], + + ## site-wide opinions about senders (the '.' matches any recipient) + '.' => [ # the _first_ matching sender determines the score boost + + new_RE( # regexp-type lookup table, just happens to be all soft-blacklist + [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], + [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], + [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], + [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], + [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], + [qr'^(your_friend|greatoffers)@'i => 5.0], + [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], + ), + +# read_hash("/var/amavis/sender_scores_sitewide"), + + { # a hash-type lookup table (associative array) + 'nobody@cert.org' => -3.0, + 'cert-advisory@us-cert.gov' => -3.0, + 'owner-alert@iss.net' => -3.0, + 'slashdot@slashdot.org' => -3.0, + 'securityfocus.com' => -3.0, + 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, + 'security-alerts@linuxsecurity.com' => -3.0, + 'mailman-announce-admin@python.org' => -3.0, + 'amavis-user-admin@lists.sourceforge.net'=> -3.0, + 'amavis-user-bounces@lists.sourceforge.net' => -3.0, + 'spamassassin.apache.org' => -3.0, + 'notification-return@lists.sophos.com' => -3.0, + 
'owner-postfix-users@postfix.org' => -3.0, + 'owner-postfix-announce@postfix.org' => -3.0, + 'owner-sendmail-announce@lists.sendmail.org' => -3.0, + 'sendmail-announce-request@lists.sendmail.org' => -3.0, + 'donotreply@sendmail.org' => -3.0, + 'ca+envelope@sendmail.org' => -3.0, + 'noreply@freshmeat.net' => -3.0, + 'owner-technews@postel.acm.org' => -3.0, + 'ietf-123-owner@loki.ietf.org' => -3.0, + 'cvs-commits-list-admin@gnome.org' => -3.0, + 'rt-users-admin@lists.fsck.com' => -3.0, + 'clp-request@comp.nus.edu.sg' => -3.0, + 'surveys-errors@lists.nua.ie' => -3.0, + 'emailnews@genomeweb.com' => -5.0, + 'yahoo-dev-null@yahoo-inc.com' => -3.0, + 'returns.groups.yahoo.com' => -3.0, + 'clusternews@linuxnetworx.com' => -3.0, + lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, + lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, + + # soft-blacklisting (positive score) + 'sender@example.net' => 3.0, + '.example.net' => 1.0, + + }, + ], # end of site-wide tables +}); + + +@decoders = ( + ['mail', \&do_mime_decode], +# [[qw(asc uue hqx ync)], \&do_ascii], # not safe + ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], + ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], + ['gz', \&do_uncompress, 'gzip -d'], + ['gz', \&do_gunzip], + ['bz2', \&do_uncompress, 'bzip2 -d'], + ['xz', \&do_uncompress, + ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], + ['lzma', \&do_uncompress, + ['lzmadec', 'xz -dc --format=lzma', + 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], +# ['lrz', \&do_uncompress, +# ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], + ['lzo', \&do_uncompress, 'lzop -d'], + ['lz4', \&do_uncompress, ['lz4c -d'] ], + ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], + [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], + # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio'] + ['deb', \&do_ar, 'ar'], +# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill + ['rar', \&do_unrar, ['unrar', 'rar'] ], + ['arj', \&do_unarj, 
['unarj', 'arj'] ], + ['arc', \&do_arc, ['nomarch', 'arc'] ], + ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], +# ['doc', \&do_ole, 'ripole'], # no ripole package so far + ['cab', \&do_cabextract, 'cabextract'], +# ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead + ['tnef', \&do_tnef], +# ['lha', \&do_lha, 'lha'], # not safe, use 7z instead +# ['sit', \&do_unstuff, 'unstuff'], # not safe + [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], + [['zip','kmz'], \&do_unzip], + ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], + [[qw(gz bz2 Z tar)], + \&do_7zip, ['7za', '7z'] ], + [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], + \&do_7zip, '7z' ], + ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], +); + + +@av_scanners = ( + +# ### http://www.sophos.com/ +# ['Sophos-SSSP', # SAV Dynamic Interface +# \&ask_daemon, ["{}", 'sssp:/run/savdi/sssp.sock'], +# # or: ["{}", 'sssp:[127.0.0.1]:4010'], +# qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ], + +# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/) +# ['Sophie', +# \&ask_daemon, ["{}/\n", 'sophie:/run/sophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, +# qr/(?x)^ [-+]? \d+ : (.*?) 
[\000\r\n]* $/m ], + +# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ +# ['Sophos SAVI', \&ask_daemon, ['{}','savi-perl:'] ], + +# ['Avira SAVAPI', +# \&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'], +# qr/^(200|210)/m, qr/^(310|420|319)/m, +# qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ], +# settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1 + + ### http://www.clamav.net/ + ['ClamAV-clamd', + \&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.amavisd/clamd.sock"], + qr/\bOK$/m, qr/\bFOUND$/m, + qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + # NOTE: run clamd under the same user as amavisd - or run it under its own + # uid such as clamav, add user clamav to the amavis group, and then add + # AllowSupplementaryGroups to clamd.conf; + # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in + # this entry; when running chrooted one may prefer a socket under $MYHOME. + +# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) +# # note that Mail::ClamAV requires perl to be build with threading! +# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'], +# [0], [1], qr/^INFECTED: (.+)/m], + +# ### http://www.openantivirus.org/ +# ['OpenAntiVirus ScannerDaemon (OAV)', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], +# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ], + +# ### http://www.vanja.com/tools/trophie/ +# ['Trophie', +# \&ask_daemon, ["{}/\n", 'trophie:/run/trophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, +# qr/(?x)^ [-+]? \d+ : (.*?) 
[\000\r\n]* $/m ], + +# ### http://www.grisoft.com/ +# ['AVG Anti-Virus', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], +# qr/^200/m, qr/^403/m, qr/^403[- ].*: ([^\r\n]+)/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6 +# \&ask_daemon, +# ["SCAN FILE {}/*\n", '127.0.0.1:10200'], +# qr/^(0|8|64) /m, +# qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m, +# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot f-protd', # old version +# \&ask_daemon, +# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", +# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202', +# '127.0.0.1:10203', '127.0.0.1:10204'] ], +# qr/(?i)]*>clean<\/summary>/m, +# qr/(?i)]*>infected<\/summary>/m, +# qr/(?i)(.+)<\/name>/m ], + +# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ +# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later +# [pack('N',1). # DRWEBD_SCAN_CMD +# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES +# pack('N', # path length +# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). +# '{}/*'. # path +# pack('N',0). # content size +# pack('N',0), +# '/var/drweb/run/drwebd.sock', +# # '/var/amavis/run/drwebd.sock', # suitable for chroot +# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default +# # '127.0.0.1:3000', # or over an inet socket +# ], +# qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED +# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF +# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm, +# ], +# # NOTE: If using amavis-milter, change length to: +# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). 
+ + ### http://www.kaspersky.com/ (kav4mailservers) + ['KasperskyLab AVP - aveclient', + ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', + '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], + '-p /run/aveserver -s {}/*', + [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, + ], + # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, + # currupted or protected archives are to be handled + + ### http://www.kaspersky.com/ + ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], + '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? + qr/infected: (.+)/m, + sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, + sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + + ### The kavdaemon and AVPDaemonClient have been removed from Kasperky + ### products and replaced by aveserver and aveclient + ['KasperskyLab AVPDaemonClient', + [ '/opt/AVP/kavdaemon', 'kavdaemon', + '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', + '/opt/AVP/AvpTeamDream', 'AvpTeamDream', + '/opt/AVP/avpdc', 'avpdc' ], + "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ], + # change the startup-script in /etc/init.d/kavd to: + # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" + # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) + # adjusting /var/amavis above to match your $TEMPBASE. + # The '-f=/var/amavis' is needed if not running it as root, so it + # can find, read, and write its pid file, etc., see 'man kavdaemon'. + # defUnix.prf: there must be an entry "*/var/amavis" (or whatever + # directory $TEMPBASE specifies) in the 'Names=' section. + # cd /opt/AVP/DaemonClients; configure; cd Sample; make + # cp AvpDaemonClient /opt/AVP/ + # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" + + ### http://www.centralcommand.com/ + ['CentralCommand Vexira (new) vascan', + ['vascan','/usr/lib/Vexira/vascan'], + "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". 
+ "--log=/var/log/vascan.log {}", + [0,3], [1,2,5], + qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ], + # Adjust the path of the binary and the virus database as needed. + # 'vascan' does not allow to have the temp directory to be the same as + # the quarantine directory, and the quarantine option can not be disabled. + # If $QUARANTINEDIR is not used, then another directory must be specified + # to appease 'vascan'. Move status 3 to the second list if password + # protected files are to be considered infected. + + ### http://www.avira.com/ + ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus + ['Avira AntiVir', ['antivir','vexira'], + '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m, + qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | + (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ], + # NOTE: if you only have a demo version, remove -z and add 214, as in: + # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, + + ### http://www.avira.com/ + ### Avira for UNIX 3.x + ['Avira AntiVir', ['avscan'], + '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m, + qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ], + + ### http://www.commandsoftware.com/ + ['Command AntiVirus for Linux', 'csav', + '-all -archive -packed {}', [50], [51,52,53], + qr/Infection: (.+)/m ], + + ### http://www.symantec.com/ + ['Symantec CarrierScan via Symantec CommandLineScanner', + 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', + qr/^Files Infected:\s+0$/m, qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + + ### http://www.symantec.com/ + ['Symantec AntiVirus Scan Engine', + 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', + [0], qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + # NOTE: check options and patterns to see which entry better applies + +# ### http://www.f-secure.com/products/anti-virus/ version 5.52 +# ['F-Secure Antivirus 
for Linux servers', +# ['/opt/f-secure/fsav/bin/fsav', 'fsav'], +# '--virus-action1=report --archive=yes --auto=yes '. +# '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], +# qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], +# # NOTE: internal archive handling may be switched off by '--archive=no' +# # to prevent fsav from exiting with status 9 on broken archives + + ### http://www.f-secure.com/ version 9.14 + ['F-Secure Linux Security', + ['/opt/f-secure/fsav/bin/fsav', 'fsav'], + '--virus-action1=report --archive=yes --auto=yes '. + '--list=no --nomimeerr {}', [0], [3,4,6,8], + qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], + # NOTE: internal archive handling may be switched off by '--archive=no' + # to prevent fsav from exiting with status 9 on broken archives + +# ### http://www.avast.com/ +# ['avast! Antivirus daemon', +# \&ask_daemon, # greets with 220, terminate with QUIT +# ["SCAN {}\015\012QUIT\015\012", '/run/avast4/mailscanner.sock'], +# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/m ], + +# ### http://www.avast.com/ +# ['avast! 
Antivirus - Client/Server Version', 'avastlite', +# '-a /run/avast4/mailscanner.sock -n {}', [0], [1], +# qr/\t\[L\]\t([^[ \t\015\012]+)/m ], + + ['CAI InoculateIT', 'inocucmd', # retired product + '-sec -nex {}', [0], [100], + qr/was infected by virus (.+)/m ], + # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html + + ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) + ['CAI eTrust Antivirus', 'etrust-wrapper', + '-arc -nex -spm h {}', [0], [101], + qr/is infected by virus: (.+)/m ], + # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer + # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 + + ### http://mks.com.pl/english.html + ['MkS_Vir for Linux (beta)', ['mks32','mks'], + '-s {}/*', [0], [1,2], + qr/--[ \t]*(.+)/m ], + + ### http://mks.com.pl/english.html + ['MkS_Vir daemon', 'mksscan', + '-s -q {}', [0], [1..7], + qr/^... (\S+)/m ], + +# ### http://www.nod32.com/, version v2.52 (old) +# ['ESET NOD32 for Linux Mail servers', +# ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '. +# '-w -a --action-on-infected=accept --action-on-uncleanable=accept '. 
+# '--action-on-notscanned=accept {}', +# [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version v2.7 (old) +# ['ESET NOD32 Linux Mail Server - command line interface', +# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version 2.71.12 +# ['ESET Software ESETS Command Line Interface', +# ['/usr/bin/esets_cli', 'esets_cli'], +# '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ], + + ### http://www.eset.com/, version 3.0 + ['ESET Software ESETS Command Line Interface', + ['/usr/bin/esets_cli', 'esets_cli'], + '--subdir {}', [0], [1,2,3], + qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ], + + ## http://www.nod32.com/, NOD32LFS version 2.5 and above + ['ESET NOD32 for Linux File servers', + ['/opt/eset/nod32/sbin/nod32','nod32'], + '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. + '-w -a --action=1 -b {}', + [0], [1,10], qr/^object=.*, virus="(.*?)",/m ], + +# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 +# ['ESET Software NOD32 Client/Server (NOD32SS)', +# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT +# ["SCAN {}/*\r\n", '127.0.0.1:8448' ], +# qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ], + + ### http://www.norman.com/products_nvc.shtml + ['Norman Virus Control v5 / Linux', 'nvcc', + '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], + qr/(?i).* virus in .* -> \'(.+)\'/m ], + + ### http://www.pandasoftware.com/ + ['Panda CommandLineSecure 9 for Linux', + ['/opt/pavcl/usr/bin/pavcl','pavcl'], + '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', + qr/Number of files infected[ .]*: 0+(?!\d)/m, + qr/Number of files infected[ .]*: 0*[1-9]/m, + qr/Found virus :\s*(\S+)/m ], + # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' + # before starting amavisd - the bases are then loaded only once at startup. 
+ # To reload bases in a signature update script: + # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr + # Please review other options of pavcl, for example: + # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies + +# ### http://www.pandasoftware.com/ +# ['Panda Antivirus for Linux', ['pavcl'], +# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', +# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], +# qr/Found virus :\s*(\S+)/m ], + +# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. +# Check your RAV license terms before fiddling with the following two lines! +# ['GeCAD RAV AntiVirus 8', 'ravav', +# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ], +# # NOTE: the command line switches changed with scan engine 8.5 ! +# # (btw, assigning stdin to /dev/null causes RAV to fail) + + ### http://www.nai.com/ + ['NAI McAfee AntiVirus (uvscan)', 'uvscan', + '--secure -rv --mime --summary --noboot - {}', [0], [13], + qr/(?x) Found (?: + \ the\ (.+)\ (?:virus|trojan) | + \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | + :\ (.+)\ NOT\ a\ virus)/m, + # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, + # sub {delete $ENV{LD_PRELOAD}}, + ], + # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before + # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 + # and then clear it when finished to avoid confusing anything else. + # NOTE2: to treat encrypted files as viruses replace the [13] with: + # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ + + ### http://www.virusbuster.hu/en/ + ['VirusBuster', ['vbuster', 'vbengcl'], + "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], + qr/: '(.*)' - Virus/m ], + # VirusBuster Ltd. does not support the daemon version for the workstation + # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of + # binaries, some parameters AND return codes have changed (from 3 to 1). 
+ # See also the new Vexira entry 'vascan' which is possibly related. + +# ### http://www.virusbuster.hu/en/ +# ['VirusBuster (Client + Daemon)', 'vbengd', +# '-f -log scandir {}', [0], [3], +# qr/Virus found = (.*);/m ], +# # HINT: for an infected file it always returns 3, +# # although the man-page tells a different story + + ### http://www.cyber.com/ + ['CyberSoft VFind', 'vfind', + '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m, + # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, + ], + +# ### http://www.avast.com/ (old) +# ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], +# '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ], + +# ### http://www.avast.com/ +# ['avast! Antivirus', '/bin/scan', '{}', [0], [1], qr/\t(.+)/m ], + + ### http://www.ikarus-software.com/ + ['Ikarus AntiVirus for Linux', 'ikarus', + '{}', [0], [40], qr/Signature (.+) found/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdscan', # new version + '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m, + qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdc', # old version + '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, + qr/(?:suspected|infected): (.*)(?:\033|$)/m ], + # consider also: --all --nowarn --alev=15 --flev=15. 
The --all argument may + # not apply to your version of bdc, check documentation and see 'bdc --help' + + ### ArcaVir for Linux and Unix http://www.arcabit.pl/ + ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], + '-v 1 -summary 0 -s {}', [0], [1,2], + qr/(?:VIR|WIR):[ \t]*(.+)/m ], + +# ### a generic SMTP-client interface to a SMTP-based virus scanner +# ['av_smtp', \&ask_av_smtp, +# ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'], +# qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ], + +# ['File::Scan', sub {Amavis::AV::ask_av(sub{ +# use File::Scan; my($fn)=@_; +# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); +# my($vname) = $f->scan($fn); +# $f->error ? (2,"Error: ".$f->error) +# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) }, +# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ], + +# ### fully-fledged checker for JPEG marker segments of invalid length +# ['check-jpeg', +# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, +# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ], +# # NOTE: place file JpegTester.pm somewhere where Perl can find it, +# # for example in /usr/local/lib/perl5/site_perl + +); + + +@av_scanners_backup = ( + + ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV + ['ClamAV-clamscan', 'clamscan', + "--stdout --no-summary -r --tempdir=$TEMPBASE {}", + [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + +# ### http://www.clamav.net/ - using remote clamd scanner as a backup +# ['ClamAV-clamdscan', 'clamdscan', +# "--stdout --no-summary --config-file=/etc/clamd-client.conf {}", +# [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + +# ['ClamAV-clamd-stream', +# \&ask_daemon, ["*", 'clamd:/run/clamav/clamd.sock'], +# qr/\bOK$/m, qr/\bFOUND$/m, +# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 + ['F-PROT Antivirus for UNIX', ['fpscan'], + '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10 + 
[0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], + qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon (old) + ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], + '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], + qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ], + + ### http://www.trendmicro.com/ - backs up Trophie + ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], + '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], + + ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD + ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier + ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], + '-path={} -al -go -ot -cn -upn -ok-', + [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ], + + ### http://www.kaspersky.com/ + ['Kaspersky Antivirus v5.5', + ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', + '/opt/kav/5.5/kav4unix/bin/kavscanner', + '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], + '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m, +# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, +# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + + ### http://www.sophos.com/ + ['Sophos Anti Virus (savscan)', # formerly known as 'sweep' + ['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep' + '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. + '--no-reset-atime {}', + [0,2], qr/Virus .*? found/m, + qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, + ], + # other options to consider: -idedir=/usr/local/sav + # A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD). + # Make sure the correct 'sweep' is found in the path if using the old name. + +# Always succeeds and considers mail clean. 
+# Potentially useful when all other scanners fail and it is desirable
+# to let mail continue to flow with no virus checking (when uncommented).
+# ['always-clean', sub {0}],
+
+);
+
+
+1; # insure a defined return value
diff --git a/amavisd/whitelist b/amavisd/whitelist
new file mode 100644
index 0000000..e510156
--- /dev/null
+++ b/amavisd/whitelist
@@ -0,0 +1,3 @@
+root@terminal.spiffy.tv
+188.166.41.106
+bogdan@898.ro
diff --git a/anacrontab b/anacrontab
new file mode 100644
index 0000000..78c6f8c
--- /dev/null
+++ b/anacrontab
@@ -0,0 +1,16 @@
+# /etc/anacrontab: configuration file for anacron
+
+# See anacron(8) and anacrontab(5) for details.
+
+SHELL=/bin/sh
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=root
+# the maximal random delay added to the base delay of the jobs
+RANDOM_DELAY=45
+# the jobs will be started during the following hours only
+START_HOURS_RANGE=3-22
+
+#period in days delay in minutes job-identifier command
+1 5 cron.daily nice run-parts /etc/cron.daily
+7 25 cron.weekly nice run-parts /etc/cron.weekly
+@monthly 45 cron.monthly nice run-parts /etc/cron.monthly
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..2728334
--- /dev/null
+++ b/ansible/ansible.cfg
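Review bot: In amavisd/whitelist the second entry, `188.166.41.106`, is a bare IP address while the other two entries are sender addresses, and the file carries nothing that says which lookup consumes it. If it is loaded as a sender whitelist (the directive that reads it is outside this hunk, so this is inferred), an IP address will never match an envelope sender, and the two address entries grant their exemption on the strength of a MAIL FROM value that any remote client can set. I would document the intent where the file is loaded in amavisd.conf, for example `# whitelist entries match the envelope sender, which is not authenticated; keep this list minimal`, and express trust in that host through a network-based setting rather than this list.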
@@ -0,0 +1,490 @@ +# config file for ansible -- https://ansible.com/ +# =============================================== + +# nearly all parameters can be overridden in ansible-playbook +# or with command line flags. ansible will read ANSIBLE_CONFIG, +# ansible.cfg in the current working directory, .ansible.cfg in +# the home directory or /etc/ansible/ansible.cfg, whichever it +# finds first + +[defaults] + +# some basic default values... + +#inventory = /etc/ansible/hosts +#library = /usr/share/my_modules/ +#module_utils = /usr/share/my_module_utils/ +#remote_tmp = ~/.ansible/tmp +#local_tmp = ~/.ansible/tmp +#plugin_filters_cfg = /etc/ansible/plugin_filters.yml +#forks = 5 +#poll_interval = 15 +#sudo_user = root +#ask_sudo_pass = True +#ask_pass = True +#transport = smart +#remote_port = 22 +#module_lang = C +#module_set_locale = False + +# plays will gather facts by default, which contain information about +# the remote system. +# +# smart - gather by default, but don't regather if already gathered +# implicit - gather by default, turn off with gather_facts: False +# explicit - do not gather by default, must say gather_facts: True +#gathering = implicit + +# This only affects the gathering done by a play's gather_facts directive, +# by default gathering retrieves all facts subsets +# all - gather all subsets +# network - gather min and network facts +# hardware - gather hardware facts (longest facts to retrieve) +# virtual - gather min and virtual facts +# facter - import facts from facter +# ohai - import facts from ohai +# You can combine them using comma (ex: network,virtual) +# You can negate them using ! (ex: !hardware,!facter,!ohai) +# A minimal set of facts is always gathered. +#gather_subset = all + +# some hardware related facts are collected +# with a maximum timeout of 10 seconds. This +# option lets you increase or decrease that +# timeout to something more suitable for the +# environment. 
+# gather_timeout = 10 + +# Ansible facts are available inside the ansible_facts.* dictionary +# namespace. This setting maintains the behaviour which was the default prior +# to 2.5, duplicating these variables into the main namespace, each with a +# prefix of 'ansible_'. +# This variable is set to True by default for backwards compatibility. It +# will be changed to a default of 'False' in a future release. +# ansible_facts. +# inject_facts_as_vars = True + +# additional paths to search for roles in, colon separated +#roles_path = /etc/ansible/roles + +# uncomment this to disable SSH key host checking +#host_key_checking = False + +# change the default callback, you can only have one 'stdout' type enabled at a time. +#stdout_callback = skippy + + +## Ansible ships with some plugins that require whitelisting, +## this is done to avoid running all of a type by default. +## These setting lists those that you want enabled for your system. +## Custom plugins should not need this unless plugin author specifies it. + +# enable callback plugins, they can output to stdout but cannot be 'stdout' type. +#callback_whitelist = timer, mail + +# Determine whether includes in tasks and handlers are "static" by +# default. As of 2.0, includes are dynamic by default. Setting these +# values to True will make includes behave more like they did in the +# 1.x versions. 
+#task_includes_static = False +#handler_includes_static = False + +# Controls if a missing handler for a notification event is an error or a warning +#error_on_missing_handler = True + +# change this for alternative sudo implementations +#sudo_exe = sudo + +# What flags to pass to sudo +# WARNING: leaving out the defaults might create unexpected behaviours +#sudo_flags = -H -S -n + +# SSH timeout +#timeout = 10 + +# default user to use for playbooks if user is not specified +# (/usr/bin/ansible will use current user as default) +#remote_user = root + +# logging is off by default unless this path is defined +# if so defined, consider logrotate +#log_path = /var/log/ansible.log + +# default module name for /usr/bin/ansible +#module_name = command + +# use this shell for commands executed under sudo +# you may need to change this to bin/bash in rare instances +# if sudo is constrained +#executable = /bin/sh + +# if inventory variables overlap, does the higher precedence one win +# or are hash values merged together? The default is 'replace' but +# this can also be set to 'merge'. +#hash_behaviour = replace + +# by default, variables from roles will be visible in the global variable +# scope. To prevent this, the following option can be enabled, and only +# tasks and handlers within the role will see the variables there +#private_role_vars = yes + +# list any Jinja2 extensions to enable here: +#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n + +# if set, always use this private key file for authentication, same as +# if passing --private-key to ansible or ansible-playbook +#private_key_file = /path/to/file + +# If set, configures the path to the Vault password file as an alternative to +# specifying --vault-password-file on the command line. +#vault_password_file = /path/to/vault_password_file + +# format of string {{ ansible_managed }} available within Jinja2 +# templates indicates to users editing templates files will be replaced. 
+# replacing {file}, {host} and {uid} and strftime codes with proper values. +#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} +# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence +# in some situations so the default is a static string: +#ansible_managed = Ansible managed + +# by default, ansible-playbook will display "Skipping [host]" if it determines a task +# should not be run on a host. Set this to "False" if you don't want to see these "Skipping" +# messages. NOTE: the task header will still be shown regardless of whether or not the +# task is skipped. +#display_skipped_hosts = True + +# by default, if a task in a playbook does not include a name: field then +# ansible-playbook will construct a header that includes the task's action but +# not the task's args. This is a security feature because ansible cannot know +# if the *module* considers an argument to be no_log at the time that the +# header is printed. If your environment doesn't have a problem securing +# stdout from ansible-playbook (or you have manually specified no_log in your +# playbook on all of the tasks where you have secret information) then you can +# safely set this to True to get more informative messages. +#display_args_to_stdout = False + +# by default (as of 1.3), Ansible will raise errors when attempting to dereference +# Jinja2 variables that are not set in templates or action lines. Uncomment this line +# to revert the behavior to pre-1.3. +#error_on_undefined_vars = False + +# by default (as of 1.6), Ansible may display warnings based on the configuration of the +# system running ansible itself. This may include warnings about 3rd party packages or +# other conditions that should be resolved if possible. 
+# to disable these warnings, set the following value to False: +#system_warnings = True + +# by default (as of 1.4), Ansible may display deprecation warnings for language +# features that should no longer be used and will be removed in future versions. +# to disable these warnings, set the following value to False: +#deprecation_warnings = True + +# (as of 1.8), Ansible can optionally warn when usage of the shell and +# command module appear to be simplified by using a default Ansible module +# instead. These warnings can be silenced by adjusting the following +# setting or adding warn=yes or warn=no to the end of the command line +# parameter string. This will for example suggest using the git module +# instead of shelling out to the git command. +# command_warnings = False + + +# set plugin path directories here, separate with colons +#action_plugins = /usr/share/ansible/plugins/action +#become_plugins = /usr/share/ansible/plugins/become +#cache_plugins = /usr/share/ansible/plugins/cache +#callback_plugins = /usr/share/ansible/plugins/callback +#connection_plugins = /usr/share/ansible/plugins/connection +#lookup_plugins = /usr/share/ansible/plugins/lookup +#inventory_plugins = /usr/share/ansible/plugins/inventory +#vars_plugins = /usr/share/ansible/plugins/vars +#filter_plugins = /usr/share/ansible/plugins/filter +#test_plugins = /usr/share/ansible/plugins/test +#terminal_plugins = /usr/share/ansible/plugins/terminal +#strategy_plugins = /usr/share/ansible/plugins/strategy + + +# by default, ansible will use the 'linear' strategy but you may want to try +# another one +#strategy = free + +# by default callbacks are not loaded for /bin/ansible, enable this if you +# want, for example, a notification or logging callback to also apply to +# /bin/ansible runs +#bin_ansible_callbacks = False + + +# don't like cows? that's unfortunate. 
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 +#nocows = 1 + +# set which cowsay stencil you'd like to use by default. When set to 'random', +# a random stencil will be selected for each task. The selection will be filtered +# against the `cow_whitelist` option below. +#cow_selection = default +#cow_selection = random + +# when using the 'random' option for cowsay, stencils will be restricted to this list. +# it should be formatted as a comma-separated list with no spaces between names. +# NOTE: line continuations here are for formatting purposes only, as the INI parser +# in python does not support them. +#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\ +# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\ +# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www + +# don't like colors either? +# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1 +#nocolor = 1 + +# if set to a persistent type (not 'memory', for example 'redis') fact values +# from previous runs in Ansible will be stored. This may be useful when +# wanting to use, for example, IP information from one group of servers +# without having to talk to them in the same playbook run to get their +# current IP information. +#fact_caching = memory + +#This option tells Ansible where to cache facts. The value is plugin dependent. +#For the jsonfile plugin, it should be a path to a local directory. 
+#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0 + +#fact_caching_connection=/tmp + + + +# retry files +# When a playbook fails a .retry file can be created that will be placed in ~/ +# You can enable this feature by setting retry_files_enabled to True +# and you can change the location of the files by setting retry_files_save_path + +#retry_files_enabled = False +#retry_files_save_path = ~/.ansible-retry + +# squash actions +# Ansible can optimise actions that call modules with list parameters +# when looping. Instead of calling the module once per with_ item, the +# module is called once with all items at once. Currently this only works +# under limited circumstances, and only with parameters named 'name'. +#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper + +# prevents logging of task data, off by default +#no_log = False + +# prevents logging of tasks, but only on the targets, data is still logged on the master/controller +#no_target_syslog = False + +# controls whether Ansible will raise an error or warning if a task has no +# choice but to create world readable temporary files to execute a module on +# the remote machine. This option is False by default for security. Users may +# turn this on to have behaviour more like Ansible prior to 2.1.x. See +# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user +# for more secure ways to fix this than enabling this option. +#allow_world_readable_tmpfiles = False + +# controls the compression level of variables sent to +# worker processes. At the default of 0, no compression +# is used. This value must be an integer from 0 to 9. +#var_compression_level = 9 + +# controls what compression method is used for new-style ansible modules when +# they are sent to the remote system. The compression types depend on having +# support compiled into both the controller's python and the client's python. 
+# The names should match with the python Zipfile compression types: +# * ZIP_STORED (no compression. available everywhere) +# * ZIP_DEFLATED (uses zlib, the default) +# These values may be set per host via the ansible_module_compression inventory +# variable +#module_compression = 'ZIP_DEFLATED' + +# This controls the cutoff point (in bytes) on --diff for files +# set to 0 for unlimited (RAM may suffer!). +#max_diff_size = 1048576 + +# This controls how ansible handles multiple --tags and --skip-tags arguments +# on the CLI. If this is True then multiple arguments are merged together. If +# it is False, then the last specified argument is used and the others are ignored. +# This option will be removed in 2.8. +#merge_multiple_cli_flags = True + +# Controls showing custom stats at the end, off by default +#show_custom_stats = True + +# Controls which files to ignore when using a directory as inventory with +# possibly multiple sources (both static and dynamic) +#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo + +# This family of modules use an alternative execution path optimized for network appliances +# only update this setting if you know how this works, otherwise it can break module execution +#network_group_modules=eos, nxos, ios, iosxr, junos, vyos + +# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as +# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain +# jinja2 templating language which will be run through the templating engine. 
+# ENABLING THIS COULD BE A SECURITY RISK +#allow_unsafe_lookups = False + +# set default errors for all plays +#any_errors_fatal = False + +[inventory] +# enable inventory plugins, default: 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml' +#enable_plugins = host_list, virtualbox, yaml, constructed + +# ignore these extensions when parsing a directory as inventory source +#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry + +# ignore files matching these patterns when parsing a directory as inventory source +#ignore_patterns= + +# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise. +#unparsed_is_failed=False + +[privilege_escalation] +#become=True +#become_method=sudo +#become_user=root +#become_ask_pass=False + +[paramiko_connection] + +# uncomment this line to cause the paramiko connection plugin to not record new host +# keys encountered. Increases performance on new host additions. Setting works independently of the +# host key checking setting above. +#record_host_keys=False + +# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this +# line to disable this behaviour. +#pty=False + +# paramiko will default to looking for SSH keys initially when trying to +# authenticate to remote devices. This is a problem for some network devices +# that close the connection after a key failure. Uncomment this line to +# disable the Paramiko look for keys function +#look_for_keys = False + +# When using persistent connections with Paramiko, the connection runs in a +# background process. If the host doesn't already have a valid SSH key, by +# default Ansible will prompt to add the host key. This will cause connections +# running in background processes to fail. Uncomment this line to have +# Paramiko automatically add host keys. 
+#host_key_auto_add = True + +[ssh_connection] + +# ssh arguments to use +# Leaving off ControlPersist will result in poor performance, so use +# paramiko on older platforms rather than removing it, -C controls compression use +#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s + +# The base directory for the ControlPath sockets. +# This is the "%(directory)s" in the control_path option +# +# Example: +# control_path_dir = /tmp/.ansible/cp +#control_path_dir = ~/.ansible/cp + +# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname, +# port and username (empty string in the config). The hash mitigates a common problem users +# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format. +# In those cases, a "too long for Unix domain socket" ssh error would occur. +# +# Example: +# control_path = %(directory)s/%%h-%%r +#control_path = + +# Enabling pipelining reduces the number of SSH operations required to +# execute a module on the remote server. This can result in a significant +# performance improvement when enabled, however when using "sudo:" you must +# first disable 'requiretty' in /etc/sudoers +# +# By default, this option is disabled to preserve compatibility with +# sudoers configurations that have requiretty (the default on many distros). +# +#pipelining = False + +# Control the mechanism for transferring files (old) +# * smart = try sftp and then try scp [default] +# * True = use scp only +# * False = use sftp only +#scp_if_ssh = smart + +# Control the mechanism for transferring files (new) +# If set, this will override the scp_if_ssh option +# * sftp = use sftp to transfer files +# * scp = use scp to transfer files +# * piped = use 'dd' over SSH to transfer files +# * smart = try sftp, scp, and piped, in that order [default] +#transfer_method = smart + +# if False, sftp will not use batch mode to transfer files. 
This may cause some +# types of file transfer failures impossible to catch however, and should +# only be disabled if your sftp version has problems with batch mode +#sftp_batch_mode = False + +# The -tt argument is passed to ssh when pipelining is not enabled because sudo +# requires a tty by default. +#usetty = True + +# Number of times to retry an SSH connection to a host, in case of UNREACHABLE. +# For each retry attempt, there is an exponential backoff, +# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max). +#retries = 3 + +[persistent_connection] + +# Configures the persistent connection timeout value in seconds. This value is +# how long the persistent connection will remain idle before it is destroyed. +# If the connection doesn't receive a request before the timeout value +# expires, the connection is shutdown. The default value is 30 seconds. +#connect_timeout = 30 + +# The command timeout value defines the amount of time to wait for a command +# or RPC call before timing out. The value for the command timeout must +# be less than the value of the persistent connection idle timeout (connect_timeout) +# The default value is 30 second. +#command_timeout = 30 + +[accelerate] +#accelerate_port = 5099 +#accelerate_timeout = 30 +#accelerate_connect_timeout = 5.0 + +# The daemon timeout is measured in minutes. This time is measured +# from the last activity to the accelerate daemon. +#accelerate_daemon_timeout = 30 + +# If set to yes, accelerate_multi_key will allow multiple +# private keys to be uploaded to it, though each user must +# have access to the system via SSH to add a new key. The default +# is "no". +#accelerate_multi_key = yes + +[selinux] +# file systems that require special treatment when dealing with security context +# the default behaviour that copies the existing context or uses the user default +# needs to be changed to use the file system dependent context. 
+#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat
+
+# Set this to yes to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = yes
+
+[colors]
+#highlight = white
+#verbose = blue
+#warn = bright purple
+#error = red
+#debug = dark gray
+#deprecate = purple
+#skip = cyan
+#unreachable = red
+#ok = green
+#changed = yellow
+#diff_add = green
+#diff_remove = red
+#diff_lines = cyan
+
+
+[diff]
+# Always print diff when running ( same as always running with -D/--diff )
+# always = no
+
+# Set how many context lines to show in diff
+# context = 3
diff --git a/ansible/hosts b/ansible/hosts
new file mode 100644
index 0000000..841f4bc
--- /dev/null
+++ b/ansible/hosts
@@ -0,0 +1,44 @@
+# This is the default ansible 'hosts' file.
+#
+# It should live in /etc/ansible/hosts
+#
+# - Comments begin with the '#' character
+# - Blank lines are ignored
+# - Groups of hosts are delimited by [header] elements
+# - You can enter hostnames or ip addresses
+# - A hostname/ip can be a member of multiple groups
+
+# Ex 1: Ungrouped hosts, specify before any group headers.
+
+## green.example.com
+## blue.example.com
+## 192.168.100.1
+## 192.168.100.10
+
+# Ex 2: A collection of hosts belonging to the 'webservers' group
+
+## [webservers]
+## alpha.example.org
+## beta.example.org
+## 192.168.1.100
+## 192.168.1.110
+
+# If you have multiple hosts following a pattern you can specify
+# them like this:
+
+## www[001:006].example.com
+
+# Ex 3: A collection of database servers in the 'dbservers' group
+
+## [dbservers]
+##
+## db01.intranet.mydomain.net
+## db02.intranet.mydomain.net
+## 10.25.1.56
+## 10.25.1.57
+
+# Here's another example of host ranges, this time there are no
+# leading 0s:
+
+## db-[99:101]-node.example.com
+
diff --git a/asciidoc/asciidoc.conf b/asciidoc/asciidoc.conf
new file mode 100644
index 0000000..2fe3363
--- /dev/null
+++ b/asciidoc/asciidoc.conf
@@ -0,0 +1,648 @@ +# +# asciidoc.conf +# +# Asciidoc global configuration file. +# Contains backend independent configuration settings that are applied to all +# AsciiDoc documents. +# + +[miscellaneous] +tabsize=8 +textwidth=70 +newline=\r\n + +[attributes] +backend-alias-html=xhtml11 +backend-alias-docbook=docbook45 +toclevels=2 +toc-placement=auto +sectids= +iconsdir=./images/icons +encoding=UTF-8 +# Uncomment to use xhtml11 quirks mode CSS. +#quirks= +# HTML source code highlighter (source-highlight, pygments or highlight). +source-highlighter=source-highlight +# Uncomment to use deprecated quote attributes. +#deprecated-quotes= +empty= +sp=" " +# Attribute and AttributeList element patterns. +attributeentry-pattern=^:(?P\w[^.]*?)(\.(?P.*?))?:(\s+(?P.*))?$ +attributelist-pattern=(^\[\[(?P[\w_:][\w_:.-]*)(,(?P.*?))?\]\]$)|(^\[(?P.*)\]$) +# Substitution attributes for escaping AsciiDoc processing. +amp=& +lt=< +gt=> +brvbar=| +nbsp=  +zwsp=​ +wj=⁠ +deg=° +backslash=\ +two-colons=:: +two-semicolons=;; +plus=+ +# DEPRECATED: underscore attribute names. +two_colons=:: +two_semicolons=;; +# Left and right single and double quote characters. +# See http://en.wikipedia.org/wiki/Non-English_usage_of_quotation_marks +lsquo=‘ +rsquo=’ +ldquo=“ +rdquo=” + +[titles] +subs=specialcharacters,quotes,replacements,macros,attributes,replacements2 +# Double-line title pattern and underlines. +sectiontitle=^(?P.*?)$ +underlines="==","--","~~","^^","++" +# Single-line title patterns. +sect0=^= +(?P<title>[\S].*?)( +=)?$ +sect1=^== +(?P<title>[\S].*?)( +==)?$ +sect2=^=== +(?P<title>[\S].*?)( +===)?$ +sect3=^==== +(?P<title>[\S].*?)( +====)?$ +sect4=^===== +(?P<title>[\S].*?)( +=====)?$ +blocktitle=^\.(?P<title>([^.\s].*)|(\.[^.\s].*))$ + +[specialcharacters] +&=& +<=< +>=> + +[quotes] +# The order is important, quotes are processed in conf file order. 
+**=#strong +*=strong +``|''=doublequoted +'=emphasis +`|'=singlequoted +ifdef::no-inline-literal[] +`=monospaced +endif::no-inline-literal[] +# +++ and $$ quoting is applied to the +++ and $$ inline passthrough +# macros to allow quoted attributes to be used. +# This trick only works with inline passthrough macros. ++++=#unquoted +$$=#unquoted +++=#monospaced ++=monospaced +__=#emphasis +_=emphasis +\##=#unquoted +\#=unquoted +^=#superscript +~=#subscript + +[specialwords] +emphasizedwords= +strongwords= +monospacedwords= + +[replacements] +# Replacements performed in order of configuration file entry. The first entry +# of each replacement pair performs the (non-escaped) replacement, the second +# strips the backslash from the escaped replacement. + +# (C) Copyright (entity reference ©) +(?<!\\)\(C\)=© +\\\(C\)=(C) + +# (R) registered trade mark (entity reference ® +(?<!\\)\(R\)=® +\\\(R\)=(R) + +# (TM) Trademark (entity reference ™) +(?<!\\)\(TM\)=™ +\\\(TM\)=(TM) + +# -- Spaced and unspaced em dashes (entity reference —). +# Space on both sides is translated to thin space characters. +(^-- )=—  +(\n-- )|( -- )|( --\n)= —  +(\w)--(\w)=\1—\2 +\\--(?!-)=-- + +# Replace vertical typewriter apostrophe with punctuation apostrophe. +(\w)'(\w)=\1’\2 +(\w)\\'(\w)=\1'\2 + +# ... Ellipsis (entity reference …) +(?<!\\)\.\.\.=… +\\\.\.\.=... + +# Arrows from the Arrows block of Unicode. +# -> right arrow +(?<!\\)->=→ +\\->=-> +# => right double arrow +(?<!\\)\=>=⇒ +\\\=>==> +# <- left arrow +(?<!\\)<-=← +\\<-=<- +# <= left double arrow +(?<!\\)<\==⇐ +\\<\==<= + +# Arbitrary entity references. 
+(?<!\\)&([:_#a-zA-Z][:_.\-\w]*?;)=&\1 +\\(&[:_#a-zA-Z][:_.\-\w]*?;)=\1 + +#----------- +# Paragraphs +#----------- +[paradef-default] +delimiter=(?s)(?P<text>\S.*) +posattrs=style +style=normal +template::[paragraph-styles] + +[paradef-literal] +delimiter=(?s)(?P<text>\s+.*) +options=listelement +posattrs=style +style=literal +template::[paragraph-styles] + +[paradef-admonition] +delimiter=(?s)^\s*(?P<style>NOTE|TIP|IMPORTANT|WARNING|CAUTION):\s+(?P<text>.+) +template::[paragraph-styles] + +[paragraph-styles] +normal-style=template="paragraph" +comment-style=template="paragraph",options=('skip',) +verse-style=template="verseparagraph",posattrs=("style","attribution","citetitle") +quote-style=template="quoteparagraph",posattrs=("style","attribution","citetitle") +literal-style=template="literalparagraph",subs=("verbatim",) +listing-style=template="listingparagraph",subs=("verbatim",) +example-style=template="exampleparagraph" +sidebar-style=template="sidebarparagraph" +abstract-style=template="abstractparagraph" +partintro-style=template="partintroparagraph" +NOTE-style=template="admonitionparagraph",name="note",caption="{note-caption}" +TIP-style=template="admonitionparagraph",name="tip",caption="{tip-caption}" +IMPORTANT-style=template="admonitionparagraph",name="important",caption="{important-caption}" +WARNING-style=template="admonitionparagraph",name="warning",caption="{warning-caption}" +CAUTION-style=template="admonitionparagraph",name="caution",caption="{caution-caption}" + +[literalparagraph] +template::[literalblock] + +[verseparagraph] +template::[verseblock] + +[quoteparagraph] +template::[quoteblock] + +[listingparagraph] +template::[listingblock] + +[exampleparagraph] +template::[exampleblock] + +[sidebarparagraph] +template::[sidebarblock] + +[abstractparagraph] +template::[abstractblock] + +[partintroparagraph] +template::[partintroblock] + + +[macros] +#-------------- +# Inline macros +#-------------- +# Backslash prefix required for escape 
processing. +# (?s) re flag for line spanning. + +# Macros using default syntax. +(?su)(?<!\w)[\\]?(?P<name>http|https|ftp|file|irc|mailto|callto|image|link|anchor|xref|indexterm|indexterm2):(?P<target>\S*?)\[(?P<attrlist>.*?)(?<!\\)\]= + +# These URL types don't require any special attribute list formatting. +(?su)(?<!\S)[\\]?(?P<name>http|https|ftp|file|irc):(?P<target>//[^\s<>]*[\w/])= +# Allow a leading parenthesis and square bracket. +(?su)(?<\=[([])[\\]?(?P<name>http|https|ftp|file|irc):(?P<target>//[^\s<>]*[\w/])= +# Allow <> brackets. +(?su)[\\]?<(?P<name>http|https|ftp|file|irc):(?P<target>//[^\s<>]*[\w/])>= + +# Email addresses don't require special attribute list formatting. +# The before ">: and after "< character exclusions stop multiple substitution. +(?su)(?<![">:\w._/-])[\\]?(?P<target>\w[\w._-]*@[\w._-]*\w)(?!["<\w_-])=mailto + +# Allow footnote macros hard up against the preceding word so the footnote mark +# can be placed against the noted text without an intervening space +# (http://groups.google.com/group/asciidoc/browse_frm/thread/e1dcb7ee0efc17b5). +(?su)[\\]?(?P<name>footnote|footnoteref):(?P<target>\S*?)\[(?P<attrlist>.*?)(?<!\\)\]= + +# Anchor: [[[id]]]. Bibliographic anchor. +(?su)[\\]?\[\[\[(?P<attrlist>[\w_:][\w_:.-]*?)\]\]\]=anchor3 +# Anchor: [[id,xreflabel]] +(?su)[\\]?\[\[(?P<attrlist>[\w"_:].*?)\]\]=anchor2 +# Link: <<id,text>> +(?su)[\\]?<<(?P<attrlist>[\w"_:].*?)>>=xref2 + +ifdef::asciidoc7compatible[] +# Index term: ++primary,secondary,tertiary++ +(?su)(?<!\S)[\\]?\+\+(?P<attrlist>[^+].*?)\+\+(?!\+)=indexterm +# Index term: +primary+ +# Follows ++...++ macro otherwise it will match them. +(?<!\S)[\\]?\+(?P<attrlist>[^\s\+][^+].*?)\+(?!\+)=indexterm2 +endif::asciidoc7compatible[] + +ifndef::asciidoc7compatible[] +# Index term: (((primary,secondary,tertiary))) +(?su)(?<!\()[\\]?\(\(\((?P<attrlist>[^(].*?)\)\)\)(?!\))=indexterm +# Index term: ((primary)) +# Follows (((...))) macro otherwise it will match them. 
+(?<!\()[\\]?\(\((?P<attrlist>[^\s\(].*?)\)\)(?!\))=indexterm2 +endif::asciidoc7compatible[] + +# Callout +[\\]?<(?P<index>\d+)>=callout + +# Passthrough macros. +(?su)[\\]?(?P<name>pass):(?P<subslist>\S*?)\[(?P<passtext>.*?)(?<!\\)\]=[] + +# Triple-plus and double-dollar inline passthroughs. +(?su)[\\]?\+\+\+(?P<passtext>.*?)\+\+\+=pass[] +(?su)[\\]?\$\$(?P<passtext>.*?)\$\$=pass[specialcharacters] + +# Inline literal. +ifndef::no-inline-literal[] +(?su)(?<![`\w])([\\]?`(?P<passtext>[^`\s]|[^`\s].*?\S)`)(?![`\w])=literal[specialcharacters] +endif::no-inline-literal[] + +# Inline comment. +(?mu)^[\\]?//(?P<passtext>[^/].*|)$=comment[specialcharacters] + +# Default (catchall) inline macro is not implemented so there is no ambiguity +# with previous definition that could result in double substitution of escaped +# references. +#(?su)[\\]?(?P<name>\w(\w|-)*?):(?P<target>\S*?)\[(?P<passtext>.*?)(?<!\\)\]= + +#------------- +# Block macros +#------------- +# Macros using default syntax. +^(?P<name>image|unfloat|toc)::(?P<target>\S*?)(\[(?P<attrlist>.*?)\])$=# + +# Passthrough macros. +^(?P<name>pass)::(?P<subslist>\S*?)(\[(?P<passtext>.*?)\])$=# + +^'{3,}$=#ruler +^<{3,}$=#pagebreak +^//(?P<passtext>[^/].*|)$=#comment[specialcharacters] + +# Implemented in HTML backends. +[unfloat-blockmacro] +[toc-blockmacro] + +#----------------- +# Delimited blocks +#----------------- +[blockdef-comment] +delimiter=^/{4,}$ +options=skip +posattrs=style + +[blockdef-sidebar] +delimiter=^\*{4,}$ +template=sidebarblock +options=sectionbody +posattrs=style +# DEPRECATED: Use Openblock instead. +abstract-style=template="abstractblock" + +[blockdef-open] +# A block without opening or closing tags. 
+delimiter=^--$ +posattrs=style +style=default +default-style=template="openblock",options=("sectionbody",) +comment-style=template="openblock",options=("skip",) +abstract-style=template="abstractblock",options=("sectionbody",) +partintro-style=template="partintroblock",options=("sectionbody",) +example-style=template="exampleblock",options=("sectionbody",) +sidebar-style=template="sidebarblock",options=("sectionbody",) +verse-style=template="verseblock",posattrs=("style","attribution","citetitle") +quote-style=template="quoteblock",posattrs=("style","attribution","citetitle"),options=("sectionbody",) +literal-style=template="literalparagraph",subs=("verbatim",) +listing-style=template="listingparagraph",subs=("verbatim",) +NOTE-style=template="admonitionblock",name="note",caption="{note-caption}",options=("sectionbody",) +TIP-style=template="admonitionblock",name="tip",caption="{tip-caption}",options=("sectionbody",) +IMPORTANT-style=template="admonitionblock",name="important",caption="{important-caption}",options=("sectionbody",) +WARNING-style=template="admonitionblock",name="warning",caption="{warning-caption}",options=("sectionbody",) +CAUTION-style=template="admonitionblock",name="caution",caption="{caution-caption}",options=("sectionbody",) + +[blockdef-pass] +delimiter=^\+{4,}$ +template=passblock +# Default subs choosen for backward compatibility. +subs=attributes,macros +posattrs=style +pass-style=template="passblock",subs=() + +[blockdef-listing] +delimiter=^-{4,}$ +template=listingblock +subs=verbatim +posattrs=style + +[blockdef-literal] +delimiter=^\.{4,}$ +template=literalblock +subs=verbatim +posattrs=style +listing-style=template="listingblock" +# DEPRECATED: Use verse style on quote blocks instead. 
+verse-style=template="verseblock",subs="normal" + +[blockdef-quote] +delimiter=^_{4,}$ +subs=normal +style=quote +posattrs=style,attribution,citetitle +quote-style=template="quoteblock",options=("sectionbody",) +verse-style=template="verseblock" + +[blockdef-example] +delimiter=^={4,}$ +template=exampleblock +options=sectionbody +posattrs=style +NOTE-style=template="admonitionblock",name="note",caption="{note-caption}" +TIP-style=template="admonitionblock",name="tip",caption="{tip-caption}" +IMPORTANT-style=template="admonitionblock",name="important",caption="{important-caption}" +WARNING-style=template="admonitionblock",name="warning",caption="{warning-caption}" +CAUTION-style=template="admonitionblock",name="caution",caption="{caution-caption}" + +# For use by custom filters. +# DEPRECATED: No longer used, a styled listing block (blockdef-listing) is preferable. +[blockdef-filter] +delimiter=^~{4,}$ +template=listingblock +subs=none +posattrs=style + +#------- +# Lists +#------- +[listdef-bulleted] +# - bullets. +delimiter=^\s*- +(?P<text>.+)$ +posattrs=style +type=bulleted +tags=bulleted +callout-style=tags="callout" +bibliography-style=tags="bibliography" + +[listdef-bulleted1] +# * bullets. +template::[listdef-bulleted] +delimiter=^\s*\* +(?P<text>.+)$ + +[listdef-bulleted2] +# ** bullets. +template::[listdef-bulleted] +delimiter=^\s*\*{2} +(?P<text>.+)$ + +[listdef-bulleted3] +# *** bullets. +template::[listdef-bulleted] +delimiter=^\s*\*{3} +(?P<text>.+)$ + +[listdef-bulleted4] +# **** bullets. +template::[listdef-bulleted] +delimiter=^\s*\*{4} +(?P<text>.+)$ + +[listdef-bulleted5] +# ***** bullets. +template::[listdef-bulleted] +delimiter=^\s*\*{5} +(?P<text>.+)$ + +[listdef-arabic] +# Arabic numbering. +delimiter=^\s*(?P<index>\d+\.) +(?P<text>.+)$ +posattrs=style +type=numbered +tags=numbered +style=arabic + +[listdef-loweralpha] +# Lower alpha numbering. +template::[listdef-arabic] +delimiter=^\s*(?P<index>[a-z]\.) 
+(?P<text>.+)$ +style=loweralpha + +[listdef-upperalpha] +# Upper alpha numbering. +template::[listdef-arabic] +delimiter=^\s*(?P<index>[A-Z]\.) +(?P<text>.+)$ +style=upperalpha + +[listdef-lowerroman] +# Lower roman numbering. +template::[listdef-arabic] +delimiter=^\s*(?P<index>[ivx]+\)) +(?P<text>.+)$ +style=lowerroman + +[listdef-upperroman] +# Upper roman numbering. +template::[listdef-arabic] +delimiter=^\s*(?P<index>[IVX]+\)) +(?P<text>.+)$ +style=upperroman + +[listdef-numbered1] +# . numbering. +template::[listdef-arabic] +delimiter=^\s*\. +(?P<text>.+)$ + +[listdef-numbered2] +# .. numbering. +template::[listdef-loweralpha] +delimiter=^\s*\.{2} +(?P<text>.+)$ + +[listdef-numbered3] +# ... numbering. +template::[listdef-lowerroman] +delimiter=^\s*\.{3} +(?P<text>.+)$ + +[listdef-numbered4] +# .... numbering. +template::[listdef-upperalpha] +delimiter=^\s*\.{4} +(?P<text>.+)$ + +[listdef-numbered5] +# ..... numbering. +template::[listdef-upperroman] +delimiter=^\s*\.{5} +(?P<text>.+)$ + +[listdef-labeled] +# label:: item. +delimiter=^\s*(?P<label>.*[^:])::(\s+(?P<text>.+))?$ +posattrs=style +type=labeled +tags=labeled +vertical-style=tags="labeled" +horizontal-style=tags="horizontal" +glossary-style=tags="glossary" +qanda-style=tags="qanda" + +[listdef-labeled2] +# label;; item. +template::[listdef-labeled] +delimiter=^\s*(?P<label>.*[^;]);;(\s+(?P<text>.+))?$ + +[listdef-labeled3] +# label::: item. +template::[listdef-labeled] +delimiter=^\s*(?P<label>.*[^:]):{3}(\s+(?P<text>.+))?$ + +[listdef-labeled4] +# label:::: item. +template::[listdef-labeled] +delimiter=^\s*(?P<label>.*[^:]):{4}(\s+(?P<text>.+))?$ + +[listdef-callout] +posattrs=style +delimiter=^<?(?P<index>\d*>) +(?P<text>.+)$ +type=callout +tags=callout +style=arabic + +# DEPRECATED: Old list syntax. +[listdef-qanda] +posattrs=style +delimiter=^\s*(?P<label>.*\S)\?\?$ +type=labeled +tags=qanda + +# DEPRECATED: Old list syntax. 
+[listdef-bibliography] +posattrs=style +delimiter=^\+ +(?P<text>.+)$ +type=bulleted +tags=bibliography + +# DEPRECATED: Old list syntax. +[listdef-glossary] +delimiter=^(?P<label>.*\S):-$ +posattrs=style +type=labeled +tags=glossary + +#------- +# Tables +#------- +[tabledef-default] +delimiter=^\|={3,}$ +posattrs=style +template=table +default-style=tags="default" +verse-style=tags="verse" +literal-style=tags="literal",subs=("specialcharacters",) +emphasis-style=tags="emphasis" +strong-style=tags="strong" +monospaced-style=tags="monospaced" +header-style=tags="header" +asciidoc-style=tags="asciidoc",subs=(),filter='"{python}" "{asciidoc-file}" -b {backend} {asciidoc-args}{lang? -a "lang={lang}@"}{icons? -a icons -a "iconsdir={iconsdir}"}{imagesdir? -a "imagesdir={imagesdir}"}{data-uri? -a data-uri} -a "indir={indir}"{trace? -a "trace={trace}"}{blockname? -a "blockname={blockname}"} -s -' + +[tabledef-nested] +# Same as [tabledef-default] but with different delimiter and separator. +delimiter=^!={3,}$ +separator=((?<!\S)((?P<span>[\d.]+)(?P<op>[*+]))?(?P<align>[<\^>.]{,3})?(?P<style>[a-z])?)?! +posattrs=style +template=table +verse-style=tags="verse" +literal-style=tags="literal",subs=("specialcharacters",) +emphasis-style=tags="emphasis" +strong-style=tags="strong" +monospaced-style=tags="monospaced" +header-style=tags="header" +asciidoc-style=tags="asciidoc",subs=(),filter='"{python}" "{asciidoc-file}" -b {backend} {asciidoc-args}{lang? -a "lang={lang}@"}{icons? -a icons -a "iconsdir={iconsdir}"}{imagesdir? -a "imagesdir={imagesdir}"}{data-uri? -a data-uri} -a "indir={indir}"{trace? -a "trace={trace}"}{blockname? -a "blockname={blockname}"} -s -' + +#---------------------------------------- +# Common block and macro markup templates +#---------------------------------------- +[comment-inlinemacro] +# Outputs nothing. + +[comment-blockmacro] +# Outputs nothing. 
+ +[pass-blockmacro] +{passtext} + +[pass-inlinemacro] +template::[pass-blockmacro] + +[passblock] +| + +[filter-image-blockmacro] +# Synthesize missing target attribute for filter generated file names. +# The tag split | ensures missing target file names are auto-generated +# before the filter is executed, the remainder (the [image-blockmacro]) +# is excuted after the filter to ensure data URI encoding comes after +# the image is created. +{target%}{counter2:target-number} +{target%}{set2:target:{docname}__{target-number}.png} +| +template::[image-blockmacro] + +[+docinfo] +# Blank section to suppress missing template warning. + +#---------------------------------- +# Default special section templates +#---------------------------------- +[abstract] +template::[sect1] + +[colophon] +template::[sect1] + +[dedication] +template::[sect1] + +[preface] +template::[sect1] + +[appendix] +template::[sect1] + +[glossary] +template::[sect1] + +[bibliography] +template::[sect1] + +[index] +template::[sect1] + +[synopsis] +template::[sect1] + +#-------------------------------------------------------------------- +# Deprecated old table definitions. +# + +[old_tabledef-default] +fillchar=- +format=fixed + +[old_tabledef-csv] +fillchar=~ +format=csv + +[old_tabledef-dsv] +fillchar=_ +format=dsv + +# End of deprecated old table definitions. +#-------------------------------------------------------------------- diff --git a/asciidoc/dblatex b/asciidoc/dblatex new file mode 120000 index 0000000..9e72d45 --- /dev/null +++ b/asciidoc/dblatex @@ -0,0 +1 @@ +../../usr/share/asciidoc/dblatex \ No newline at end of file diff --git a/asciidoc/docbook-xsl b/asciidoc/docbook-xsl new file mode 120000 index 0000000..3bac0b7 --- /dev/null +++ b/asciidoc/docbook-xsl @@ -0,0 +1 @@ +../../usr/share/asciidoc/docbook-xsl \ No newline at end of file diff --git a/asciidoc/docbook45.conf b/asciidoc/docbook45.conf new file mode 100644 index 0000000..999631c --- /dev/null +++ b/asciidoc/docbook45.conf 
@@ -0,0 +1,802 @@ +# +# docbook45.conf +# +# Asciidoc DocBook 4.5 configuration file. +# + +[miscellaneous] +outfilesuffix=.xml +# Printable page width and units. +# Used to calculate DocBook CALS tables absolute column and table widths. +pagewidth=425 +pageunits=* + +[attributes] +basebackend=docbook +basebackend-docbook= +basebackend-docbook45= +# For backward compatibility (docbook backend was renamed to docbook45 at 8.6.2) +backend-docbook= +# toc and numbered are set to maintain original default behavior. +toc= +numbered= + +[replacements2] +# Line break markup. Custom processing instruction in fo.xsl. +(?m)^(.*)\s\+$=\1<?asciidoc-br?> + +[replacements] +ifdef::asciidoc7compatible[] +# Superscripts. +\^(.+?)\^=<superscript>\1</superscript> +# Subscripts. +~(.+?)~=<subscript>\1</subscript> +endif::asciidoc7compatible[] + +[ruler-blockmacro] +# Uses custom processing instructions in fo.xsl and asciidoc-dblatex.xsl. +<simpara><?asciidoc-hr?></simpara> + +[pagebreak-blockmacro] +# Uses custom processing instructions in fo.xsl and asciidoc-dblatex.xsl. +<simpara><?asciidoc-pagebreak?></simpara> + +[blockdef-pass] +latexmath-style=template="latexmathblock",subs=(),posattrs=(),filter="unwraplatex.py" + +[macros] +# math macros. +(?su)[\\]?(?P<name>latexmath):(?P<subslist>\S*?)\[(?:\$\s*)?(?P<passtext>.*?)(?:\s*\$)?(?<!\\)\]=[] +^(?P<name>latexmath)::(?P<subslist>\S*?)(\[(?:\\\[\s*)?(?P<passtext>.*?)(?:\s*\\\])?\])$=#[] + +[latexmath-inlinemacro] +<inlineequation> +<alt><![CDATA[${passtext}$]]></alt> +<inlinemediaobject><textobject><phrase></phrase></textobject></inlinemediaobject> +</inlineequation> + +[latexmath-blockmacro] +<informalequation> +<alt><![CDATA[{backslash}[{passtext}{backslash}]]]></alt> +<mediaobject><textobject><phrase></phrase></textobject></mediaobject> +</informalequation> + +[latexmathblock] +<equation{id? id="{id}"}{role? role="{role}"}{reftext? 
xreflabel="{reftext}"}><title>{title} +{title%} + + +{title#} +{title%} + +[image-inlinemacro] + + + + + {alt={target}} + + +[image-blockmacro] +{title} +{title%}{pgwide-option?} +# DocBook XSL Stylesheets custom processing instructions. + + + + + + + {alt={target}} + +{title#} +{title%} + +[indexterm-inlinemacro] +# Index term. +# Generate separate index entries for primary, secondary and tertiary +# descriptions. +# Primary only. +{2%} +{2%} {1} +{2%} +# Primary and secondary. +{2#}{3%} +{2#}{3%} {1}{2} +{2#}{3%} +{2#}{3%} +{2#}{3%} {2} +{2#}{3%} +# Primary, secondary and tertiary. +{3#} + {1}{2}{3} +{3#} +{3#} + {2}{3} +{3#} +{3#} + {3} +{3#} + +[indexterm2-inlinemacro] +# Index term. +# Single entry index term that is visible in the primary text flow. +{1}{1} + +[footnote-inlinemacro] +# Footnote. +{0} + +[footnoteref-inlinemacro] +# Footnote reference. +{2#}{2} +{2%} + +[callout-inlinemacro] +# Callout. + + +# List tags. +[listtags-bulleted] +list={unbreakable-option? }{title?{title}}| +item=| +text=| + +[listtags-numbered] +list={unbreakable-option? }{title?{title}}{start?}| +item=| +text=| + +[listtags-labeled] +list={title?{title}}| +entry=| +label= +term=| +item=| +text=| + +[listtags-horizontal] +# Horizontal labeled list (implemented with two column table). +# Hardwired column widths to 30%,70% because the current crop of PDF +# generators do not auto calculate column widths. + list=<{title?table}{title!informaltable}{id? id="{id}"}{role? role="{role}"}{reftext? xreflabel="{reftext}"}{style? tabstyle="{style}"}{pgwide-option? 
pgwide="1"} frame="none" colsep="0" rowsep="0">{title?{title}}|<{title?/table}{title!/informaltable}> +entry=| +label=| +term=| +item=| +text=| + +[listtags-callout] +list={title?{title}}| +item=| +text=| + +[listtags-qanda] +list={title?{title}}| +entry=| +label=| +term=| +item=| +text=| + +[listtags-bibliography] +list={title?{title}}| +item=| +text=| + +[listtags-glossary] +list= +entry=| +label= +term=| +item=| +text=| + +[tags] +# Quoted text +emphasis={1?}|{1?} +strong={1?}|{1?} +monospaced={1?}|{1?} +singlequoted={lsquo}{1?}|{1?}{rsquo} +doublequoted={ldquo}{1?}|{1?}{rdquo} +unquoted={1?}|{1?} +subscript={1?}|{1?} +superscript={1?}|{1?} + +ifdef::deprecated-quotes[] +# Override with deprecated quote attributes. +emphasis={role?}|{role?} +strong={role?}|{role?} +monospaced={role?}|{role?} +singlequoted={role?}{amp}#8216;|{amp}#8217;{role?} +doublequoted={role?}{amp}#8220;|{amp}#8221;{role?} +unquoted={role?}|{role?} +subscript={role?}|{role?} +superscript={role?}|{role?} +endif::deprecated-quotes[] + +# Inline macros +[http-inlinemacro] +{0={name}:{target}} +[https-inlinemacro] +{0={name}:{target}} +[ftp-inlinemacro] +{0={name}:{target}} +[file-inlinemacro] +{0={name}:{target}} +[irc-inlinemacro] +{0={name}:{target}} +[mailto-inlinemacro] +{0={target}} +[callto-inlinemacro] +{0={target}} +[link-inlinemacro] +{0={target}} +# anchor:id[text] +[anchor-inlinemacro] + +# [[id,text]] +[anchor2-inlinemacro] + +# [[[id]]] +[anchor3-inlinemacro] +[{1}] +# xref:id[text] +[xref-inlinemacro] +{0} +{0%} +# <> +[xref2-inlinemacro] +{2} +{2%} +# // comment line +[comment-inlinemacro] +{showcomments#}{passtext} + +[comment-blockmacro] +{showcomments#}{passtext} + +[literal-inlinemacro] +# Inline literal. +{passtext} + +# Special word macros +[emphasizedwords] +{words} +[monospacedwords] +{words} +[strongwords] +{words} + +# Paragraph substitution. +[paragraph] +{title} +{title%} +| +{title%} +{title#} +{empty} + +[admonitionparagraph] +<{name}{id? id="{id}"}{role? 
role="{role}"}{reftext? xreflabel="{reftext}"}>| + +# Delimited blocks. +[literalblock] +{title} +{title#} +{title%} +| + +{title#} + +[listingblock] +{title} +{title#} +{title%} +| + +{title#} + +[sidebarblock-open] + +{title} + +[sidebarblock-close] + + +[sidebarblock] +template::[sidebarblock-open] +| +template::[sidebarblock-close] + +[sidebarparagraph] +template::[sidebarblock-open] +| +template::[sidebarblock-close] + +[abstractblock-open] + +{title} + +[abstractblock-close] + + +[abstractblock] +template::[abstractblock-open] +| +template::[abstractblock-close] + +[abstractparagraph] +template::[abstractblock-open] +| +template::[abstractblock-close] + +[openblock] +| + +[partintroblock-open] + +{title} + +[partintroblock-close] + + +[partintroblock] +template::[partintroblock-open] +| +template::[partintroblock-close] + +[partintroparagraph] +template::[partintroblock-open] +| +template::[partintroblock-close] + +[quote-open] +# Common quote and verse element template. + +{title} +# Include attribution only if either {attribution} or {citetitle} is defined. +{attribution#} +{attribution%}{citetitle#} +{attribution} +{citetitle} +{attribution#} +{attribution%}{citetitle#} + +[quote-close] + + +[quoteblock] +template::[quote-open] +| +template::[quote-close] + +[verseblock] +template::[quote-open] +| +template::[quote-close] + +[quoteparagraph] +template::[quote-open] +| +template::[quote-close] + +[exampleblock-open] +<{title?example}{title!informalexample}{id? id="{id}"}{role? role="{role}"}{reftext? xreflabel="{reftext}"}> +# DocBook XSL Stylesheets custom processing instructions. + + +{title} + +[exampleblock-close] + + +[exampleblock] +template::[exampleblock-open] +| +template::[exampleblock-close] + +[exampleparagraph] +template::[exampleblock-open] +| +template::[exampleblock-close] + +[admonitionblock] +<{name}{id? id="{id}"}{role? role="{role}"}{reftext? xreflabel="{reftext}"}> +{title} +| + + +# Tables. 
+[tabletags-default] +colspec= +bodyrow=| +headdata=| +bodydata=| +paragraph=| + +[tabletags-emphasis] +paragraph=| + +[tabletags-header] +paragraph=| + +[tabletags-strong] +paragraph=| + +[tabletags-monospaced] +paragraph=| + +[tabletags-verse] +bodydata=| +paragraph= + +[tabletags-literal] +bodydata=| +paragraph= + +[tabletags-asciidoc] +paragraph= + +[table] +<{title?table}{title!informaltable}{id? id="{id}"}{role? role="{role}"}{reftext? xreflabel="{reftext}"}{pgwide-option? pgwide="1"} +frame="{frame=all}" +{grid%rowsep="1" colsep="1"} +rowsep="{grid@none|cols:0:1}" colsep="{grid@none|rows:0:1}" +> +{title} +# DocBook XSL Stylesheets custom processing instructions. + + + + + + +{colspecs} +{headrows#} +{headrows} +{headrows#} +{footrows#} +{footrows} +{footrows#} + +{bodyrows} + + + + +#-------------------------------------------------------------------- +# Deprecated old table definitions. +# + +[old_tabledef-default] +template=old_table +colspec= +bodyrow=| +bodydata=| + +[old_table] +<{title?table}{title!informaltable}{id? id="{id}"}{role? role="{role}"}{reftext? xreflabel="{reftext}"} pgwide="0" +frame="{frame=topbot}" +{grid%rowsep="0" colsep="0"} +rowsep="{grid@none|cols:0:1}" colsep="{grid@none|rows:0:1}" +> +{title} + +{colspecs} +{headrows#} +{headrows} +{headrows#} +{footrows#} +{footrows} +{footrows#} + +{bodyrows} + + + + +# End of deprecated old table definitions. +#-------------------------------------------------------------------- + +# Special sections. +[preface] + +{title=} +| + + +[index] + +{title} +| + + +[bibliography] + +{title} +| + + +[glossary] + +{title} +| + + +[appendix] + +{title} +| + + +[floatingtitle] +{title} + + +[header-declarations] + + +{toc#} +{numbered#} + +[+docinfo] +{notitle%} {doctitle} + {revdate} +# To ensure valid articleinfo/bookinfo when there is no AsciiDoc header. 
+ {doctitle%}{revdate%}{docdate} + {authored#} + {firstname} + {middlename} + {lastname} + {email} + {authored#} + {authorinitials} +{revnumber?{revnumber}}{revdate}{authorinitials?{authorinitials}}{revremark?{revremark}} +{docinfo1,docinfo2#}{include:{docdir}/docinfo.xml} +{docinfo,docinfo2#}{include:{docdir}/{docname}-docinfo.xml} +# DEPRECATED: Use docinfo. +{revisionhistory#}{include:{docdir}/{docname}-revhistory.xml} +# DEPRECATED: Use orgname in preference to companyname. +{companyname} +# DEPRECATED: Use orgname in preference to corpname. +{corpname} +{orgname} + +#------------------------- +# article document type +#------------------------- +ifdef::doctype-article[] + +[header] +template::[header-declarations] + +
+ +template::[docinfo] + + +[footer] +
+ +[preamble] +# Untitled elements between header and first section title. +| + +[abstract] + +| + + +[sect1] + +{title} +| + + +[sect2] + +{title} +| + + +[sect3] + +{title} +| + + +[sect4] + +{title} +| + + +endif::doctype-article[] + +#------------------------- +# manpage document type +#------------------------- +ifdef::doctype-manpage[] + +[replacements] +# The roff format does not substitute special characters so just print them as +# text. +\(C\)=(C) +\(TM\)=(TM) + +[header] +template::[header-declarations] + + +template::[docinfo] + + +{mantitle} +{manvolnum} +# Default source and manual to suppress DocBook XSL warnings. +{mansource= } +{manmanual= } +{manversion={revnumber}} + + + {manname1} + {manname2} + {manname3} + {manname4} + {manname5} + {manname6} + {manname7} + {manname8} + {manname9} + {manpurpose} + + +[footer] + + +# Section macros +[synopsis] + +| + + +[sect1] + +{title} +| + + +[sect2] + +{title} +| + + +[sect3] + +{title} +| + + +endif::doctype-manpage[] + +#------------------------- +# book document type +#------------------------- +ifdef::doctype-book[] + +[header] +template::[header-declarations] + + + +template::[docinfo] + + +[footer] + + +[preamble] +# Preamble is not allowed in DocBook book so wrap it in a preface. + +{title=} +| + + +[dedication] + +{title} +| + + +[colophon] + +{title} +| + + +[sect0] + +{title} +| + + +[sect1] + +{title} +| + + +[sect2] + +{title} +| + + +[sect3] + +{title} +| + + +[sect4] + +{title} +| + + +endif::doctype-book[] + +ifdef::sgml[] +# +# Optional DocBook SGML. +# +# Most of the differences between DocBook XML and DocBook SGML boils +# down to the empty element syntax: SGML does not like the XML empty +# element <.../> syntax, use <...> instead. +# +[miscellaneous] +outfilesuffix=.sgml + +[header-declarations] + + +[tabledef-default] +colspec= + +[image-inlinemacro] + + + + + {alt={target}} + + +[image-blockmacro] +
{title} +{title%} + + + + + {alt={target}} + +{title#}
+{title%} + +# Inline macros +[xref-inlinemacro] +{0} +{2%} +[xref2-inlinemacro] +# <> +{2} +{2%} +[anchor-inlinemacro] + +[anchor2-inlinemacro] +# [[id,text]] + + +endif::sgml[] diff --git a/asciidoc/filters/code/code-filter.conf b/asciidoc/filters/code/code-filter.conf new file mode 100644 index 0000000..5cdab96 --- /dev/null +++ b/asciidoc/filters/code/code-filter.conf @@ -0,0 +1,8 @@ +# +# AsciiDoc code filter configuration file. +# +# Documented in code-filter-readme.txt +# + +[blockdef-listing] +code-style=template="listingblock",presubs=(),postsubs=("callouts",),posattrs=("style","language"),filter="code-filter.py -b {basebackend} -l {language}" diff --git a/asciidoc/filters/code/code-filter.py b/asciidoc/filters/code/code-filter.py new file mode 100755 index 0000000..92e4e9e --- /dev/null +++ b/asciidoc/filters/code/code-filter.py 
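Review bot: On the `code-style=` line of asciidoc/filters/code/code-filter.conf, `{language}` is substituted into the filter command string unquoted, and `posattrs=("style","language")` on the same line shows the value comes from the listing block's attribute list, i.e. from the document being rendered. How asciidoc launches the filter is not visible in this hunk; if the string is passed through a shell, whoever writes the document also influences the command that runs under the rendering account. code-filter.py, added in the next file, describes itself as a demonstration and points to source-highlight-filter instead, so if nothing on this host uses the `code` style the simpler state is to leave asciidoc/filters/code out of the tracked configuration. If it stays, I would add a comment above the line such as `# {language} is document-controlled: render only trusted sources with this filter`.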
@@ -0,0 +1,239 @@
+#!/usr/libexec/platform-python
+'''
+NAME
+ code-filter - AsciiDoc filter to highlight language keywords
+
+SYNOPSIS
+ code-filter -b backend -l language [ -t tabsize ]
+ [ --help | -h ] [ --version | -v ]
+
+DESCRIPTION
+ This filter reads source code from the standard input, highlights language
+ keywords and comments and writes to the standard output.
+
+ The purpose of this program is to demonstrate how to write an AsciiDoc
+ filter -- it's much to simplistic to be passed off as a code syntax
+ highlighter. Use the 'source-highlight-filter' instead.
+
+
+OPTIONS
+ --help, -h
+ Print this documentation.
+
+ -b
+ Backend output file format: 'docbook', 'linuxdoc', 'html', 'css'.
+
+ -l
+ The name of the source code language: 'python', 'ruby', 'c++', 'c'.
+
+ -t tabsize
+ Expand source tabs to tabsize spaces.
+
+ --version, -v
+ Print program version number.
+
+BUGS
+ - Code on the same line as a block comment is treated as comment.
+ Keywords inside literal strings are highlighted.
+ - There doesn't appear to be an easy way to accomodate linuxdoc so
+ just pass it through without markup.
+
+AUTHOR
+ Written by Stuart Rackham,
+
+URLS
+ http://sourceforge.net/projects/asciidoc/
+ http://asciidoc.org/
+
+COPYING
+ Copyright (C) 2002-2006 Stuart Rackham. Free use of this software is
+ granted under the terms of the GNU General Public License (GPL).
+'''
+
+import os, sys, re
+
+VERSION = '1.1.2'
+
+# Globals.
+language = None +backend = None +tabsize = 8 +keywordtags = { + 'html': + ('',''), + 'css': + ('',''), + 'docbook': + ('',''), + 'linuxdoc': + ('','') +} +commenttags = { + 'html': + ('',''), + 'css': + ('',''), + 'docbook': + ('',''), + 'linuxdoc': + ('','') +} +keywords = { + 'python': + ('and', 'del', 'for', 'is', 'raise', 'assert', 'elif', 'from', + 'lambda', 'return', 'break', 'else', 'global', 'not', 'try', 'class', + 'except', 'if', 'or', 'while', 'continue', 'exec', 'import', 'pass', + 'yield', 'def', 'finally', 'in', 'print'), + 'ruby': + ('__FILE__', 'and', 'def', 'end', 'in', 'or', 'self', 'unless', + '__LINE__', 'begin', 'defined?' 'ensure', 'module', 'redo', 'super', + 'until', 'BEGIN', 'break', 'do', 'false', 'next', 'rescue', 'then', + 'when', 'END', 'case', 'else', 'for', 'nil', 'retry', 'true', 'while', + 'alias', 'class', 'elsif', 'if', 'not', 'return', 'undef', 'yield'), + 'c++': + ('asm', 'auto', 'bool', 'break', 'case', 'catch', 'char', 'class', + 'const', 'const_cast', 'continue', 'default', 'delete', 'do', 'double', + 'dynamic_cast', 'else', 'enum', 'explicit', 'export', 'extern', + 'false', 'float', 'for', 'friend', 'goto', 'if', 'inline', 'int', + 'long', 'mutable', 'namespace', 'new', 'operator', 'private', + 'protected', 'public', 'register', 'reinterpret_cast', 'return', + 'short', 'signed', 'sizeof', 'static', 'static_cast', 'struct', + 'switch', 'template', 'this', 'throw', 'true', 'try', 'typedef', + 'typeid', 'typename', 'union', 'unsigned', 'using', 'virtual', 'void', + 'volatile', 'wchar_t', 'while') +} +block_comments = { + 'python': ("'''","'''"), + 'ruby': None, + 'c++': ('/*','*/') +} +inline_comments = { + 'python': '#', + 'ruby': '#', + 'c++': '//' +} + +def print_stderr(line): + sys.stderr.write(line+os.linesep) + +def sub_keyword(mo): + '''re.subs() argument to tag keywords.''' + word = mo.group('word') + if word in keywords[language]: + stag,etag = keywordtags[backend] + return stag+word+etag + else: + return word + +def 
code_filter(): + '''This function does all the work.''' + global language, backend + inline_comment = inline_comments[language] + blk_comment = block_comments[language] + if blk_comment: + blk_comment = (re.escape(block_comments[language][0]), + re.escape(block_comments[language][1])) + stag,etag = commenttags[backend] + in_comment = 0 # True if we're inside a multi-line block comment. + tag_comment = 0 # True if we should tag the current line as a comment. + line = sys.stdin.readline() + while line: + line = line.rstrip() + line = line.expandtabs(tabsize) + # Escape special characters. + line = line.replace('&','&') + line = line.replace('<','<') + line = line.replace('>','>') + # Process block comment. + if blk_comment: + if in_comment: + if re.match(r'.*'+blk_comment[1]+r'$',line): + in_comment = 0 + else: + if re.match(r'^\s*'+blk_comment[0]+r'.*'+blk_comment[1],line): + # Single line block comment. + tag_comment = 1 + elif re.match(r'^\s*'+blk_comment[0],line): + # Start of multi-line block comment. + tag_comment = 1 + in_comment = 1 + else: + tag_comment = 0 + if tag_comment: + if line: line = stag+line+etag + else: + if inline_comment: + pos = line.find(inline_comment) + else: + pos = -1 + if pos >= 0: + # Process inline comment. + line = re.sub(r'\b(?P\w+)\b',sub_keyword,line[:pos]) \ + + stag + line[pos:] + etag + else: + line = re.sub(r'\b(?P\w+)\b',sub_keyword,line) + sys.stdout.write(line + os.linesep) + line = sys.stdin.readline() + +def usage(msg=''): + if msg: + print_stderr(msg) + print_stderr('Usage: code-filter -b backend -l language [ -t tabsize ]') + print_stderr(' [ --help | -h ] [ --version | -v ]') + +def main(): + global language, backend, tabsize + # Process command line options. 
+ import getopt
+ opts,args = getopt.getopt(sys.argv[1:],
+ 'b:l:ht:v',
+ ['help','version'])
+ if len(args) > 0:
+ usage()
+ sys.exit(1)
+ for o,v in opts:
+ if o in ('--help','-h'):
+ print(__doc__)
+ sys.exit(0)
+ if o in ('--version','-v'):
+ print('code-filter version %s' % (VERSION,))
+ sys.exit(0)
+ if o == '-b': backend = v
+ if o == '-l':
+ v = v.lower()
+ if v == 'c': v = 'c++'
+ language = v
+ if o == '-t':
+ try:
+ tabsize = int(v)
+ except:
+ usage('illegal tabsize')
+ sys.exit(1)
+ if tabsize <= 0:
+ usage('illegal tabsize')
+ sys.exit(1)
+ if backend is None:
+ usage('backend option is mandatory')
+ sys.exit(1)
+ if backend not in keywordtags:
+ usage('illegal backend option')
+ sys.exit(1)
+ if language is None:
+ usage('language option is mandatory')
+ sys.exit(1)
+ if language not in keywords:
+ usage('illegal language option')
+ sys.exit(1)
+ # Do the work.
+ code_filter()
+
+if __name__ == "__main__":
+ try:
+ main()
+ except (KeyboardInterrupt, SystemExit):
+ pass
+ except:
+ print_stderr("%s: unexpected exit status: %s" %
+ (os.path.basename(sys.argv[0]), sys.exc_info()[1]))
+ # Exit with previous sys.exit() status or zero if no sys.exit().
+ sys.exit(sys.exc_info()[1])
diff --git a/asciidoc/filters/graphviz/graphviz-filter.conf b/asciidoc/filters/graphviz/graphviz-filter.conf
new file mode 100644
index 0000000..f1ca264
--- /dev/null
+++ b/asciidoc/filters/graphviz/graphviz-filter.conf
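Review bot: In the `'ruby'` entry of `keywords`, a comma is missing between `'defined?'` and `'ensure'`, so Python joins the two literals into the single entry `'defined?ensure'` and `ensure` is never tagged by `sub_keyword`. The line should read `'__LINE__', 'begin', 'defined?', 'ensure', 'module', 'redo', 'super',`. Even with the comma, `defined?` would presumably still not be highlighted, because the word pattern in `code_filter` is built on `\w+` and cannot include the trailing `?`.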
@@ -0,0 +1,53 @@ +# +# AsciiDoc Graphviz filter configuration file. +# +# Version: 1.0 +# Gouici Iisaka + +[graphviz-filter-style] +# When the filter output image is data-uri encoded write it to the indir +# (instead of the outdir) so that encoder can find it. +ifndef::data-uri[] +graphviz-style=template="graphviz{format?-{format}}-block",subs=(),posattrs=("style","target","layout","format"),filter='graphviz2png.py {verbose?-v} -o "{outdir={indir}}/{imagesdir=}{imagesdir?/}{target}" -L {layout=dot} -F {format=png} -' +endif::data-uri[] +ifdef::data-uri[] +graphviz-style=template="graphviz{format?-{format}}-block",subs=(),posattrs=("style","target","layout","format"),filter='graphviz2png.py {verbose?-v} -o "{indir={outdir}}/{imagesdir=}{imagesdir?/}{target}" -L {layout=dot} -F {format=png} -' +endif::data-uri[] + +[blockdef-open] +template::[graphviz-filter-style] + +[blockdef-listing] +template::[graphviz-filter-style] + +[paradef-default] +template::[graphviz-filter-style] + +[graphviz-block] +template::[filter-image-blockmacro] + +# EXPERIMENTAL: xhtml11 backend SVG image block. +ifdef::basebackend-xhtml11[] +[graphviz-svg-block] +
+
+ + +{link#} + +
{caption={figure-caption} {counter:figure-number}. }{title}
+ +endif::basebackend-xhtml11[] + +# +# DEPRECATED: Pre 8.2.7 filter definition. +# +[blockdef-graphviz] +delimiter=^graphviz~{4,}$ +template=graphviz-block +presubs=none +filter=graphviz2png.py {verbose?-v} -o "{outdir={indir}}/{target}" -L {layout=dot} - +posattrs=target,format +# +# DEPRECATED: End +# diff --git a/asciidoc/filters/graphviz/graphviz2png.py b/asciidoc/filters/graphviz/graphviz2png.py new file mode 100755 index 0000000..d2e438f --- /dev/null +++ b/asciidoc/filters/graphviz/graphviz2png.py 
@@ -0,0 +1,169 @@
+#!/usr/libexec/platform-python
+
+import os, sys, subprocess
+from optparse import *
+
+__AUTHOR__ = "Gouichi Iisaka "
+__VERSION__ = '1.1.4'
+
+class EApp(Exception):
+ '''Application specific exception.'''
+ pass
+
+class Application():
+ '''
+NAME
+ graphviz2png - Converts textual graphviz notation to PNG file
+
+SYNOPSIS
+ graphviz2png [options] INFILE
+
+DESCRIPTION
+ This filter reads Graphviz notation text from the input file
+ INFILE (or stdin if INFILE is -), converts it to a PNG image file.
+
+
+OPTIONS
+ -o OUTFILE, --outfile=OUTFILE
+ The file name of the output file. If not specified the output file is
+ named like INFILE but with a .png file name extension.
+
+ -L LAYOUT, --layout=LAYOUT
+ Graphviz layout: dot, neato, twopi, circo, fdp
+ Default is 'dot'.
+
+ -F FORMAT, --format=FORMAT
+ Graphviz output format: png, svg, or any other format Graphviz
+ supports. Run dot -T? to get the full list.
+ Default is 'png'.
+
+ -v, --verbose
+ Verbosely print processing information to stderr.
+
+ -h, --help
+ Print this documentation.
+
+ -V, --version
+ Print program version number.
+
+SEE ALSO
+ graphviz(1)
+
+AUTHOR
+ Written by Gouichi Iisaka,
+ Format support added by Elmo Todurov,
+
+THANKS
+ Stuart Rackham,
+ This script was inspired by his music2png.py and AsciiDoc
+
+LICENSE
+ Copyright (C) 2008-2009 Gouichi Iisaka.
+ Free use of this software is granted under the terms of
+ the GNU General Public License (GPL).
+ '''
+
+ def __init__(self, argv=None):
+ # Run dot, get the list of supported formats. It's prefixed by some junk.
+ format_output = subprocess.Popen(["dot", "-T?"], stderr=subprocess.PIPE, stdout=subprocess.PIPE).communicate()[1].decode('utf-8')
+ # The junk contains : and ends with :. So we split it, then strip the final endline, then split the list for future usage.
+ supported_formats = format_output.split(": ")[2][:-1].split(" ") + + if not argv: + argv = sys.argv + + self.usage = '%prog [options] inputfile' + self.version = 'Version: %s\n' % __VERSION__ + self.version += 'Copyright(c) 2008-2009: %s\n' % __AUTHOR__ + + self.option_list = [ + Option("-o", "--outfile", action="store", + dest="outfile", + help="Output file"), + Option("-L", "--layout", action="store", + dest="layout", default="dot", type="choice", + choices=['dot','neato','twopi','circo','fdp'], + help="Layout type. LAYOUT="), + Option("-F", "--format", action="store", + dest="format", default="png", type="choice", + choices=supported_formats, + help="Format type. FORMAT=<" + "|".join(supported_formats) + ">"), + Option("--debug", action="store_true", + dest="do_debug", + help=SUPPRESS_HELP), + Option("-v", "--verbose", action="store_true", + dest="do_verbose", default=False, + help="verbose output"), + ] + + self.parser = OptionParser( usage=self.usage, version=self.version, + option_list=self.option_list) + (self.options, self.args) = self.parser.parse_args() + + if len(self.args) != 1: + self.parser.print_help() + sys.exit(1) + + self.options.infile = self.args[0] + + def systemcmd(self, cmd): + if self.options.do_verbose: + msg = 'Execute: %s' % cmd + sys.stderr.write(msg + os.linesep) + else: + cmd += ' 2>%s' % os.devnull + if os.system(cmd): + raise EApp('failed command: %s' % cmd) + + def graphviz2png(self, infile, outfile): + '''Convert Graphviz notation in file infile to + PNG file named outfile.''' + + outfile = os.path.abspath(outfile) + outdir = os.path.dirname(outfile) + + if not os.path.isdir(outdir): + raise EApp('directory does not exist: %s' % outdir) + + basefile = os.path.splitext(outfile)[0] + saved_cwd = os.getcwd() + os.chdir(outdir) + try: + cmd = '%s -T%s "%s" > "%s"' % ( + self.options.layout, self.options.format, infile, outfile) + self.systemcmd(cmd) + finally: + os.chdir(saved_cwd) + + if not self.options.do_debug: + 
os.unlink(infile) + + def run(self): + if self.options.format == '': + self.options.format = 'png' + + if self.options.infile == '-': + if self.options.outfile is None: + sys.stderr.write('OUTFILE must be specified') + sys.exit(1) + infile = os.path.splitext(self.options.outfile)[0] + '.txt' + lines = sys.stdin.readlines() + open(infile, 'w').writelines(lines) + + if not os.path.isfile(infile): + raise EApp('input file does not exist: %s' % infile) + + if self.options.outfile is None: + outfile = os.path.splitext(infile)[0] + '.png' + else: + outfile = self.options.outfile + + self.graphviz2png(infile, outfile) + + # To suppress asciidoc 'no output from filter' warnings. + if self.options.infile == '-': + sys.stdout.write(' ') + +if __name__ == "__main__": + app = Application() + app.run() diff --git a/asciidoc/filters/source/source-highlight-filter.conf b/asciidoc/filters/source/source-highlight-filter.conf new file mode 100644 index 0000000..e945511 --- /dev/null +++ b/asciidoc/filters/source/source-highlight-filter.conf @@ -0,0 +1,140 @@ +# +# AsciiDoc source code highlight filter configuration file. +# +# Documented in source-hightlight-filter.txt in AsciiDoc distribution +# ./examples/website/ directory. +# +# HTML outputs require GNU source-highlight (xhtml11, html4 outputs) +# http://www.gnu.org/software/src-highlite/source-highlight.html +# +# or Pygments (xhtml11 outputs): +# http://pygments.org/ +# +# GNU source-hightlight is default, define the 'pygments' attribute to use +# Pygments. +# + +######################## +# Source block templates +######################## +[source-highlight-block] +template::[listingblock] + +ifdef::basebackend-html[] +[source-highlight-block] + +
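Review bot: `graphviz2png()` builds the Graphviz command as a single string, `'%s -T%s "%s" > "%s"'`, and `systemcmd()` passes it to `os.system`, so the shell parses `infile` and `outfile`; the double quotes do not neutralise command substitution or an embedded quote character. `outfile` comes from `-o`, which graphviz-filter.conf fills from the document's `{target}` attribute, so the path is controlled by the document being rendered. Running the layout program through `subprocess` with an argument list and sending its stdout to the opened output file takes the shell out of this step; `subprocess` is already imported at the top of the file. Separately, `run()` assigns `infile` only in the `-` branch, so a real INFILE argument reaches `os.path.isfile(infile)` with the name unbound; `infile = self.options.infile` ahead of that branch would fix it.

```python
    def graphviz2png(self, infile, outfile):
        # … unchanged: docstring, abspath/outdir check, basefile, chdir(outdir) …
        try:
            # Argument list, no shell: the paths are passed to the layout
            # program verbatim and are never parsed as shell syntax.
            argv = [self.options.layout, '-T' + self.options.format, infile]
            if self.options.do_verbose:
                sys.stderr.write('Execute: %s' % ' '.join(argv) + os.linesep)
                errdest = None
            else:
                errdest = subprocess.DEVNULL
            with open(outfile, 'wb') as out:
                if subprocess.call(argv, stdout=out, stderr=errdest):
                    raise EApp('failed command: %s' % ' '.join(argv))
        finally:
            os.chdir(saved_cwd)
        # … unchanged: unlink of infile unless --debug …
```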

{title}

+ +{source-highlighter$highlight:}

+|
+{source-highlighter$highlight:}
+ +endif::basebackend-html[] + +ifdef::basebackend-xhtml11,basebackend-html5[] +[source-highlight-block] +
+ +
{caption=}{title}
+
+{source-highlighter$highlight:}

+|
+{source-highlighter$highlight:}
+
+endif::basebackend-xhtml11,basebackend-html5[] + +# Use DocBook programlisting element. +ifdef::basebackend-docbook[] +[source-highlight-block] +{title} +{title#} +{title%} +| + +{title#} +endif::basebackend-docbook[] + +# Source styles template. +ifdef::basebackend-html[] +[source-filter-style] +ifeval::["{source-highlighter}"=="source-highlight"] +source-style=template="source-highlight-block",presubs=(),postsubs=("callouts",),posattrs=("style","language","src_numbered","src_tab"),filter="source-highlight --gen-version -f xhtml -s {language} {src_numbered?--line-number=' '} {src_tab?--tab={src_tab}} {args=}" +endif::[] +ifeval::["{source-highlighter}"=="highlight"] +source-style=template="source-highlight-block",presubs=(),postsubs=("callouts",),posattrs=("style","language","src_numbered","src_tab"),filter="highlight --no-doc --inline-css --out-format=xhtml --syntax={language@python:py:{language}} {src_numbered?--line-number} {src_tab?--tab={src_tab}} --encoding={encoding} {args=}" +endif::[] +ifeval::["{source-highlighter}"=="pygments"] +source-style=template="source-highlight-block",presubs=(),postsubs=("callouts",),posattrs=("style","language","src_numbered"),filter="pygmentize -f html -l {language} {src_numbered?-O linenos=table} {encoding?-O encoding={encoding}} {args=}" +endif::[] +# DEPRECATED: 'pygments' attribute. +ifdef::pygments[] +source-style=template="source-highlight-block",presubs=(),postsubs=("callouts",),posattrs=("style","language","src_numbered"),filter="pygmentize -f html -l {language} {src_numbered?-O linenos=table} {encoding?-O encoding={encoding}} {args=}" +endif::[] +endif::basebackend-html[] + +ifdef::basebackend-html4[] +[source-filter-style] +# html4 does not use pygments. 
+ifeval::["{source-highlighter}"=="source-highlight"] +source-style=template="source-highlight-block",presubs=(),postsubs=("callouts",),posattrs=("style","language","src_numbered","src_tab"),filter="source-highlight --gen-version -f html -s {language} {src_numbered?--line-number=' '} {src_tab?--tab={src_tab}} {args=}" +endif::[] +ifeval::["{source-highlighter}"=="highlight"] +source-style=template="source-highlight-block",presubs=(),postsubs=("callouts",),posattrs=("style","language","src_numbered","src_tab"),filter="highlight --no-doc --inline-css --out-format=html --syntax={language@python:py:{language}} {src_numbered?--line-number} {src_tab?--tab={src_tab}} {args=}" +endif::[] +endif::basebackend-html4[] + +ifdef::basebackend-docbook[] +[source-filter-style] +source-style=template="source-highlight-block",presubs=(),postsubs=("specialcharacters","callouts"),posattrs=("style","language","src_numbered","src_tab") +endif::basebackend-docbook[] + +######################### +# Source paragraph styles +######################### +[paradef-default] +template::[source-filter-style] + +[paradef-literal] +template::[source-filter-style] + +######################### +# Source block styles +######################### +[blockdef-open] +template::[source-filter-style] + +[blockdef-listing] +template::[source-filter-style] + + +# +# DEPRECATED: Pre 8.2.7 filter definition. +# + +######################### +# Source block definition +######################### +[blockdef-source-highlight] +# The old ^ delimiter is for backward compatibility, may be removed from +# in future versions. +delimiter=(^source~{4,}$)|(^\^{4,}$) +template=source-highlight-block +presubs=none +posattrs=language,src_numbered,src_tab + +ifndef::basebackend-docbook[] +postsubs=callouts +# GNU Source Highlight filter. 
+filter=source-highlight -f {basebackend-xhtml11?xhtml}{basebackend-html4?html} -s {language} {src_numbered?--line-number} {src_tab?--tab={src_tab}} +endif::basebackend-docbook[] + +ifdef::basebackend-docbook[] +postsubs=specialcharacters,callouts +# In the case of DocBook just pass the listing through and let the DocBook +# toolchain handle it. +filter= +endif::basebackend-docbook[] + +# +# DEPRECATED: End +# diff --git a/asciidoc/help.conf b/asciidoc/help.conf new file mode 100644 index 0000000..fadcb9c --- /dev/null +++ b/asciidoc/help.conf 
@@ -0,0 +1,394 @@ +# AsciiDoc help file. +# +# INI section format, each section contains a topic. +# Displayed with 'asciidoc --help sectionname' command. +# + +# +# Default help topic. +# +[default] + +Man page: asciidoc --help manpage +Syntax: asciidoc --help syntax + +[manpage] + +NAME + + asciidoc - converts an AsciiDoc text file to HTML or DocBook + +SYNOPSIS + + asciidoc [OPTIONS] FILE + +DESCRIPTION + + The asciidoc(1) command translates the AsciiDoc text file FILE to + DocBook or HTML. If FILE is - then the standard input is used. + +OPTIONS + + -a, --attribute=ATTRIBUTE + Define or delete document attribute. ATTRIBUTE is formatted like + NAME=VALUE. Command-line attributes take precedence over + document and configuration file attributes. Alternate acceptable + forms are NAME (the VALUE defaults to an empty string); NAME! + (delete the NAME attribute); NAME=VALUE@ (do not override + document or configuration file attributes). Values containing + spaces should be enclosed in double-quote characters. This + option may be specified more than once. A special attribute + named trace controls the output of diagnostic information. + + -b, --backend=BACKEND + Backend output file format: docbook45, xhtml11, html4, html5, + slidy, wordpress or latex (the latex backend is experimental). + You can also use the backend alias names html (aliased to + xhtml11) or docbook (aliased to docbook45). Defaults to + html. The --backend option is also used to manage backend + plugins (see [1]PLUGIN COMMANDS). + + -f, --conf-file=CONF_FILE + Use configuration file CONF_FILE.Configuration files processed + in command-line order (after implicit configuration files). This + option may be specified more than once. + + --doctest + Run Python doctests in asciidoc module. + + -d, --doctype=DOCTYPE + Document type: article, manpage or book. The book document type + is only supported by the docbook backend. Default document type + is article. 
+ + -c, --dump-conf + Dump configuration to stdout. + + --filter=FILTER + Specify the name of a filter to be loaded (used to load filters + that are not auto-loaded). This option may be specified more + than once. The --filter option is also used to manage filter + plugins (see [2]PLUGIN COMMANDS). + + -h, --help [TOPIC] + Print help TOPIC. --help topics will print a list of help + topics, --help syntax summarizes AsciiDoc syntax, --help manpage + prints the AsciiDoc manpage. + + -e, --no-conf + Exclude implicitly loaded configuration files except for those + named like the input file (infile.conf and infile-backend.conf). + + -s, --no-header-footer + Suppress document header and footer output. + + -o, --out-file=OUT_FILE + Write output to file OUT_FILE. Defaults to the base name of + input file with backend extension. If the input is stdin then + the outfile defaults to stdout. If OUT_FILE is - then the + standard output is used. + + -n, --section-numbers + Auto-number HTML article section titles. Synonym for --attribute + numbered. + + --safe + Enable safe mode. Safe mode is disabled by default. AsciiDoc + safe mode skips potentially dangerous scripted sections in + AsciiDoc source files. + + --theme=THEME + Specify a theme name. Synonym for --attribute theme=THEME. The + --theme option is also used to manage theme plugins (see + [3]PLUGIN COMMANDS). + + -v, --verbose + Verbosely print processing information and configuration file + checks to stderr. + + --version + Print program version number. + +PLUGIN COMMANDS + + The asciidoc(1) --filter, --backend and --theme options are used to + install, remove and list AsciiDoc filter, backend and theme plugins. + Syntax: + + asciidoc OPTION install ZIP_FILE [PLUGINS_DIR] + asciidoc OPTION remove PLUGIN_NAME [PLUGINS_DIR] + asciidoc OPTION list + asciidoc OPTION build ZIP_FILE PLUGIN_SOURCE + + Where: + + OPTION + asciidoc(1) --filter, --backend or --theme option specifying the + type of plugin. 
+ + PLUGIN_NAME + A unique plugin name containing only alphanumeric or underscore + characters. + + ZIP_FILE + A Zip file containing plugin resources, the name must start with + the plugin name e.g. my_filter-1.0.zip packages filter + my_filter. + + PLUGINS_DIR + The directory containing installed plugins. Each plugin is + contained in its own separate subdirectory which has the same + name as the plugin. PLUGINS_DIR defaults to the + $HOME/.asciidoc/filters (for filter plugins) or + $HOME/.asciidoc/backends (for backend plugins) or + $HOME/.asciidoc/themes (for theme plugins). + + PLUGIN_SOURCE + The name of a directory containing the plugin source files or + the name of a single source file. + + The plugin commands perform as follows: + + install + Create a subdirectory in PLUGINS_DIR with the same name as the + plugin then extract the ZIP_FILE into it. + + remove + Delete the PLUGIN_NAME plugin subdirectory and all its contents + from the PLUGINS_DIR. + + list + List the names and locations of all installed filter or theme + plugins (including standard plugins installed in the global + configuration directory). + + build + Create a plugin file named ZIP_FILE containing the files and + subdirectories specified by PLUGIN_SOURCE. File and directory + names starting with a period are skipped. + +EXIT STATUS + + 0 + Success + + 1 + Failure (syntax or usage error; configuration error; document + processing failure; unexpected error). + +BUGS + + See the AsciiDoc distribution BUGS file. + +AUTHOR + + AsciiDoc was originally written by Stuart Rackham. Many people have + contributed to it. + +RESOURCES + + SourceForge: [4]http://sourceforge.net/projects/asciidoc/ + + Main web site: [5]http://asciidoc.org/ + +COPYING + + Copyright (C) 2002-2011 Stuart Rackham. Free use of this software is + granted under the terms of the GNU General Public License (GPL). 
+ + +[syntax] + +AsciiDoc Markup Syntax Summary +============================== + +A summary of the most commonly used markup. +For a complete reference see the 'AsciiDoc User Guide'. + +Text formatting +--------------- + *bold text* (boldface font) + _emphasized text_ (normally italics) + 'emphasized text' + +monospaced text+ (proportional font) + `monospaced text` (inline literal passthrough) + +Document links +-------------- + [[id]] (define link target) + <> (link to target id) + link:filename#id[caption] (link to external HTML file) + +URLs +---- + Use normal URL and email addess syntax or: + + http:address[caption] (link to web page) + mailto:address[caption] (link to mail recipient) + +Images +------ + image:filename[caption] (inline image) + image::filename[caption] (block image) + +Document header +--------------- + + The Document Title + ================== + author + revision, date + +author, email, revision and date are optional. + +Section title underlines +------------------------ + Underlined: + + Level 0 (document title) + ======= + Level 1 + ------- + Level 2 + ~~~~~~~ + Level 3 + ^^^^^^^ + Level 4 (bottom level) + +++++++ + + Single line: + + = Level 0 = (document title) + == Level 1 == + === Level 2 === + ==== Level 3 ==== + ===== Level 4 ===== (bottom level) + +Paragraphs +---------- +A normal paragraph. (styles: literal,verse,quote,listing, + NOTE,TIP,WARNING,IMPORTANT,CAUTION) + An indented literal + paragraph. + +Delimited blocks +---------------- +Delimiters must begin at left margin. + + ------------------- (styles: source,music,graphviz) + listing block + ------------------- + + ................... (styles: listing,verse) + literal block + ................... 
+ + ******************* + sidebar block + ******************* + + [style, author, cite] + ___________________ (styles: quote,verse) + quote block + ___________________ + + =================== (styles: NOTE,TIP,WARNING, + example block IMPORTANT,CAUTION) + =================== + + /////////////////// + comment block + /////////////////// + + +++++++++++++++++++ (styles: pass,asciimath,latexmath) + passthrough block + +++++++++++++++++++ + + [style] (styles: abstract,partintro) + -- + open block + -- + +More block elements +------------------- + [attributes list] + .Block title + // Comment line + include::filename[] + +Tables +------ + .An example table + [width="40%",cols="^,2m",frame="topbot",options="header,footer"] + |====================== + |Column 1 |Column 2 + |1 |Item 1 + |2 |Item 2 + |3 |Item 3 + |6 |Three items + |====================== + + Common attributes: + + grid: none,cols,rows,all + frame: topbot,none,sides,all + options: header,footer + format: psv,csv,dsv + valign: top,bottom,middle + width: 1%..100% + cols: colspec[,colspec,...] + + colspec: [multiplier*][align][width][style] + multiplier: 1... + width: 1... or 1%...100% + align: [horiz][.vert] + horiz: < (left), ^ (center), > (right) + vert: < (top), ^ (middle), > (bottom) + style: d[efault], e[mphasis], m[onospaced], a[sciidoc], + s[trong], l[iteral], v[erse], h[eader] + cell: [cellspec]|data + cellspec: [span*|+][align][style] + span: [colspan][.rowspan] + colspan: 1... + rowspan: 1... + +Bulleted lists +-------------- + - item text + * item text + ** item text + *** item text + **** item text + ***** item text + + (styles: callout,bibliography) + +Numbered lists +-------------- + 1. arabic (decimal) numbering + a. loweralpha numbering + F. upperalpha numbering + iii) lowerroman numbering + IX) upperroman numbering + + . arabic (decimal) numbering + .. loweralpha numbering + ... lowerroman numbering + .... upperalpha numbering + ..... 
upperroman numbering + + (styles: arabic,loweralpha,upperalpha,lowerroman,upperroman) + +Labeled lists +------------- + label:: item text + label;; item text + label::: item text + label:::: item text + + (styles: horizontal,vertical,glossary,qanda,bibliograpy) + +More inline elements +-------------------- + footnote:[footnote text] (document footnote) + diff --git a/asciidoc/html4.conf b/asciidoc/html4.conf new file mode 100644 index 0000000..66d1f48 --- /dev/null +++ b/asciidoc/html4.conf @@ -0,0 +1,530 @@ +# +# html4.conf +# +# Asciidoc HTML 4.01 configuration file. +# + +[miscellaneous] +outfilesuffix=.html + +[attributes] +basebackend=html +basebackend-html= +basebackend-html4= +hr=
+ +[replacements2] +# Line break. +(?m)^(.*)\s\+$=\1
+ +[replacements] +ifdef::asciidoc7compatible[] +# Superscripts. +\^(.+?)\^=\1 +# Subscripts. +~(.+?)~=\1 +endif::asciidoc7compatible[] + +[ruler-blockmacro] +
+ +[pagebreak-blockmacro] +
+ +[pi-blockmacro] + + +[pi-inlinemacro] +template::[pi-blockmacro] + +[image-inlinemacro] + +# src attribute must be first attribute for blogpost compatibility. +{data-uri%}{alt={target}} +{data-uri#}{alt={target}} +{link#} + +[image-blockmacro] + + + +{data-uri%}{alt={target}} +{data-uri#}{alt={target}} +{link#} +

{caption={figure-caption} {counter:figure-number}. }{title}

+ + +[unfloat-blockmacro] +
+ +[indexterm-inlinemacro] +# Index term. +{empty} + +[indexterm2-inlinemacro] +# Index term. +# Single entry index term that is visible in the primary text flow. +{1} + +[footnote-inlinemacro] +# footnote:[]. +
[{0}]
+ +[footnoteref-inlinemacro] +# footnoteref:[], create reference to footnote. +{2%}
[{1}]
+# footnoteref:[,], create footnote with ID. +{2#}
[{2}]
+ +[callout-inlinemacro] +# Callout. +<{index}> + +# Comment line macros. +[comment-inlinemacro] +{showcomments#}
{passtext}
+ +[comment-blockmacro] +{showcomments#}

{passtext}

+ +[literal-inlinemacro] +# Inline literal. +{passtext} + +# List tags. +[listtags-bulleted] +list={id?}{title?

{title}

}| +item=
  • |
  • +text=

    |

    + +[listtags-numbered] +list={id?}{title?

    {title}

    }
      |
    +item=
  • |
  • +text=

    |

    + +[listtags-labeled] +list={id?}{title?

    {title}

    }| +entry= +label= +term=
    {strong-option?}|{strong-option?}
    +item=
    |
    +text=

    |

    + +[listtags-horizontal] +list={id?}{title?

    {title}

    }|
    +entry=| +label={strong-option?}|{strong-option?} +term=|
    +item=| +text=

    |

    + +[listtags-callout] +list={id?}{title?

    {title}

    }| +item=
  • |
  • +text=

    |

    + +[listtags-qanda] +list={id?}{title?

    {title}

    }| +entry=
  • |
  • +label= +term=

    |

    +item= +text=

    |

    + +[listtags-glossary] +list={id?}{title?

    {title}

    }| +entry= +label= +term=
    |
    +item=
    |
    +text=

    |

    + +[listtags-bibliography] +list={id?}{title?

    {title}

    }| +item=
  • |
  • +text=

    |

    + +[tags] +# Quoted text. +emphasis={1?}|{1?} +strong={1?}|{1?} +monospaced={1?}|{1?} +singlequoted={lsquo}{1?}|{1?}{rsquo} +doublequoted={ldquo}{1?}|{1?}{rdquo} +unquoted={1?}|{1?} +superscript={1?}|{1?} +subscript={1?}|{1?} + +ifdef::deprecated-quotes[] +# Override with deprecated quote attributes. +emphasis={role?}|{role?} +strong={role?}|{role?} +monospaced={role?}|{role?} +singlequoted={role?}{1,2,3?}{amp}#8216;|{amp}#8217;{1,2,3?}{role?} +doublequoted={role?}{1,2,3?}{amp}#8220;|{amp}#8221;{1,2,3?}{role?} +unquoted={role?}{1,2,3?}|{1,2,3?}{role?} +superscript={role?}|{role?} +subscript={role?}|{role?} +endif::deprecated-quotes[] + +# Inline macros +[http-inlinemacro] +{0={name}:{target}} +[https-inlinemacro] +{0={name}:{target}} +[ftp-inlinemacro] +{0={name}:{target}} +[file-inlinemacro] +{0={name}:{target}} +[irc-inlinemacro] +{0={name}:{target}} +[mailto-inlinemacro] +{0={target}} +[callto-inlinemacro] +{0={target}} +[link-inlinemacro] +{0={target}} +# anchor:id[text] +[anchor-inlinemacro] + +# [[id,text]] +[anchor2-inlinemacro] + +# [[[id]]] +[anchor3-inlinemacro] +[{1}] +# xref:id[text] +[xref-inlinemacro] +{0=[{target}]} +# <> +[xref2-inlinemacro] +{2=[{1}]} + +# Special word substitution. +[emphasizedwords] +{words} +[monospacedwords] +{words} +[strongwords] +{words} + +# Paragraph substitution. +[paragraph] +{id?}{title?{title}
    } +| +

    + +[admonitionparagraph] +template::[admonitionblock] + +# Delimited blocks. +[passthroughblock] +| + +[listingblock] + +

    {title}

    +
    +
    
    +|
    +
    +
    + +[literalblock] + +

    {title}

    + +| + + +[sidebarblock] + + +
    +

    {title}

    +| +
    + +[openblock] + +

    {title}

    +| + + +[partintroblock] +template::[openblock] + +[abstractblock] +template::[quoteblock] + +[quoteblock] + + +

    {title}

    +| +

    +{citetitle}{attribution?
    } +— {attribution} +

    + + +[verseblock] + + +

    {title}

    +# Font inheritance broken in IE6. +
    +|
    +
    +

    +{citetitle}{attribution?
    } +— {attribution} +

    + + +[exampleblock] + + +
    +| +
    +

    {caption={example-caption} {counter:example-number}. }{title}

    + +[admonitionblock] + + + + +
    +{data-uri%}{icons#}{caption} +{data-uri#}{icons#}{caption} +{icons%}

    {caption}

    +
    +

    {title}

    +| +
    + +[mathblock] +# Here to suppress missing block warning (html4 does not include math +# JavaScripts). + +

    {title}

    + +| + + +# Tables. +[tabletags-default] +bodyrow=| +headdata=| +footdata=| +bodydata=| +paragraph=

    |

    + +[tabletags-header] +paragraph=

    |

    + +[tabletags-emphasis] +paragraph=

    |

    + +[tabletags-strong] +paragraph=

    |

    + +[tabletags-monospaced] +paragraph=

    |

    + +[tabletags-verse] +bodydata=
    |
    +paragraph= + +[tabletags-literal] +bodydata=
    |
    +paragraph= + +[tabletags-asciidoc] +bodydata=
    |
    +paragraph= + +[table] + + + +{headrows#} +{headrows} +{headrows#} +{footrows#} +{footrows} +{footrows#} + +{bodyrows} + +
    +

    {caption={table-caption} {counter:table-number}. }{title}

    + + +#-------------------------------------------------------------------- +# Deprecated old table definitions. +# + +[miscellaneous] +# Screen width in pixels. +pagewidth=800 +pageunits= + +[old_tabledef-default] +template=old_table +bodyrow=| +headdata=| +footdata=| +bodydata=| + +[old_table] +

    {caption={table-caption}}{title}

    + + +{headrows#} +{headrows} +{headrows#} +{footrows#} +{footrows} +{footrows#} + +{bodyrows} + +
    + +# End of deprecated old table definitions. +#-------------------------------------------------------------------- + +[floatingtitle] +{id?}{title} + +[preamble] +# Untitled elements between header and first section title. + +| + +[sect0] +{doctype-manpage%}{hr} +

    {id?}{title}

    +| + +[sect1] +{doctype-manpage%}{hr} +{id?}{numbered?{sectnum} }{title} +| + +[sect2] +{id?}{numbered?{sectnum} }{title} +| + +[sect3] +{id?}{numbered?{sectnum} }{title} +| + +[sect4] +{id?}{title} +| + +[appendix] +{hr} +{id?}{numbered?{sectnum} }{appendix-caption} {counter:appendix-number:A}: {title} +| + +[footer] +# Removing footer date and version if footer-style set to none +ifeval::["{footer-style=default}"!="none"] +

    +

    +

    +template::[footer-text] +

    +endif::[] + + + +[header-declarations] + + + + + + + +{title} +{title%}{doctitle=} +{docinfo1,docinfo2#}{include:{docdir}/docinfo.html} +{docinfo,docinfo2#}{include:{docdir}/{docname}-docinfo.html} +template::[docinfo] + + +[footer-date] +# Default footer date is document modification time +ifeval::["{footer-style=default}"!="revdate"] + {docdate} {doctime} +endif::[] +# If set to "revdate", it'll be set to the revision date +ifeval::["{footer-style=default}"=="revdate"] + {revdate} +endif::[] + +#-------------------------------- +# article and book document types +#-------------------------------- +ifndef::doctype-manpage[] + +[header] +template::[header-declarations] + +{notitle%}

    {doctitle}

    +{doctitle#}

    +{doctitle#}{author}
    +{doctitle#}<{email}>
    +{doctitle#}version {revnumber}{revdate?,} +{doctitle#}{revdate} +{doctitle#}
    {revremark} +{doctitle#}

    + +endif::doctype-manpage[] + +#------------------------- +# manpage document type +#------------------------- +ifdef::doctype-manpage[] + +[tags] +# This is more inline with man page convention. +emphasis=| +vlistterm=
    |
    + +[header] +template::[header-declarations] + +{hr} +

    + {doctitle} Manual Page +

    +{hr} + +[name] +

    {manname-title}

    +

    {manname} - + {manpurpose} +

    + +[synopsis] +template::[sect1] + +endif::doctype-manpage[] diff --git a/asciidoc/html5.conf b/asciidoc/html5.conf new file mode 100644 index 0000000..8131fb9 --- /dev/null +++ b/asciidoc/html5.conf @@ -0,0 +1,725 @@ +# +# html5.conf +# +# Asciidoc configuration file. +# html5 backend. +# + +[miscellaneous] +outfilesuffix=.html + +[attributes] +basebackend=html +basebackend-html= +basebackend-html5= + +[replacements2] +# Line break. +(?m)^(.*)\s\+$=\1
    + +[replacements] +ifdef::asciidoc7compatible[] +# Superscripts. +\^(.+?)\^=\1 +# Subscripts. +~(.+?)~=\1 +endif::asciidoc7compatible[] + +[ruler-blockmacro] +
    + +[pagebreak-blockmacro] +
    + +[blockdef-pass] +asciimath-style=template="asciimathblock",subs=() +latexmath-style=template="latexmathblock",subs=(),posattrs=(),filter="unwraplatex.py" + +[macros] +^(?Paudio|video)::(?P\S*?)(\[(?P.*?)\])$=# +# math macros. +# Special characters are escaped in HTML math markup. +(?su)[\\]?(?Pasciimath):(?P\S*?)\[(?P.*?)(?asciimath)::(?P\S*?)(\[(?P.*?)\])$=#[specialcharacters] +(?su)[\\]?(?Platexmath):(?P\S*?)\[(?:\$\s*)?(?P.*?)(?:\s*\$)?(?latexmath)::(?P\S*?)(\[(?:\\\[\s*)?(?P.*?)(?:\s*\\\])?\])$=#[specialcharacters] + +[asciimath-inlinemacro] +`{passtext}` + +[asciimath-blockmacro] +
    +
    +
    {title}
    +`{passtext}` +
    + +[asciimathblock] +
    +
    +
    {title}
    +`|` +
    + +[latexmath-inlinemacro] +${passtext}$ + +[latexmath-blockmacro] +
    +
    +
    {title}
    +{backslash}[{passtext}{backslash}] +
    + +[latexmathblock] +
    +
    +
    {title}
    +\[|\] +
    + +[image-inlinemacro] + + +{data-uri%}{alt={target}} +{data-uri#}{alt={target}} +{link#} + + +[image-blockmacro] +
    + +
    {caption={figure-caption} {counter:figure-number}. }{title}
    +
    + +[audio-blockmacro] +
    +
    {caption=}{title}
    +
    + +
    + +[video-blockmacro] +
    +
    {caption=}{title}
    +
    + +
    + +[unfloat-blockmacro] +
    + +[toc-blockmacro] +template::[toc] + +[indexterm-inlinemacro] +# Index term. +{empty} + +[indexterm2-inlinemacro] +# Index term. +# Single entry index term that is visible in the primary text flow. +{1} + +[footnote-inlinemacro] +# footnote:[]. +
    [{0}]
    + +[footnoteref-inlinemacro] +# footnoteref:[], create reference to footnote. +{2%}
    [{1}]
    +# footnoteref:[,], create footnote with ID. +{2#}
    [{2}]
    + +[callout-inlinemacro] +ifndef::icons[] +<{index}> +endif::icons[] +ifdef::icons[] +ifndef::data-uri[] +{index} +endif::data-uri[] +ifdef::data-uri[] +{index} +endif::data-uri[] +endif::icons[] + +# Comment line macros. +[comment-inlinemacro] +{showcomments#}
    {passtext}
    + +[comment-blockmacro] +{showcomments#}

    {passtext}

    + +[literal-inlinemacro] +# Inline literal. +{passtext} + +# List tags. +[listtags-bulleted] +list=
    {title?
    {title}
    }
      |
    +item=
  • |
  • +text=

    |

    + +[listtags-numbered] +# The start attribute is not valid XHTML 1.1 but all browsers support it. +list=
    {title?
    {title}
    }
      |
    +item=
  • |
  • +text=

    |

    + +[listtags-labeled] +list=
    {title?
    {title}
    }
    |
    +entry= +label= +term=
    |
    +item=
    |
    +text=

    |

    + +[listtags-horizontal] +list=
    {title?
    {title}
    }{labelwidth?}{itemwidth?}|
    +label=| +term=|
    +entry=| +item=| +text=

    |

    + +[listtags-qanda] +list=
    {title?
    {title}
    }
      |
    +entry=
  • |
  • +label= +term=

    |

    +item= +text=

    |

    + +[listtags-callout] +ifndef::icons[] +list=
    {title?
    {title}
    }
      |
    +item=
  • |
  • +text=

    |

    +endif::icons[] +ifdef::icons[] +list=
    {title?
    {title}
    }|
    +ifndef::data-uri[] +item={listindex}| +endif::data-uri[] +ifdef::data-uri[] +item={listindex}| +endif::data-uri[] +text=| +endif::icons[] + +[listtags-glossary] +list=
    {title?
    {title}
    }
    |
    +label= +entry= +term=
    |
    +item=
    |
    +text=

    |

    + +[listtags-bibliography] +list=
    {title?
    {title}
    }
      |
    +item=
  • |
  • +text=

    |

    + +[tags] +# Quoted text. +emphasis={1?}|{1?} +strong={1?}|{1?} +monospaced=| +singlequoted={lsquo}{1?}|{1?}{rsquo} +doublequoted={ldquo}{1?}|{1?}{rdquo} +unquoted={1?}|{1?} +superscript={1?}|{1?} +subscript={1?}|{1?} + +ifdef::deprecated-quotes[] +# Override with deprecated quote attributes. +emphasis={role?}|{role?} +strong={role?}|{role?} +monospaced=| +singlequoted={role?}{1,2,3?}{amp}#8216;|{amp}#8217;{1,2,3?}{role?} +doublequoted={role?}{1,2,3?}{amp}#8220;|{amp}#8221;{1,2,3?}{role?} +unquoted={role?}{1,2,3?}|{1,2,3?}{role?} +superscript={role?}|{role?} +subscript={role?}|{role?} +endif::deprecated-quotes[] + +# Inline macros +[http-inlinemacro] +{0={name}:{target}} +[https-inlinemacro] +{0={name}:{target}} +[ftp-inlinemacro] +{0={name}:{target}} +[file-inlinemacro] +{0={name}:{target}} +[irc-inlinemacro] +{0={name}:{target}} +[mailto-inlinemacro] +{0={target}} +[link-inlinemacro] +{0={target}} +[callto-inlinemacro] +{0={target}} +# anchor:id[text] +[anchor-inlinemacro] + +# [[id,text]] +[anchor2-inlinemacro] + +# [[[id]]] +[anchor3-inlinemacro] +[{1}] +# xref:id[text] +[xref-inlinemacro] +{0=[{target}]} +# <> +[xref2-inlinemacro] +{2=[{1}]} + +# Special word substitution. +[emphasizedwords] +{words} +[monospacedwords] +{words} +[strongwords] +{words} + +# Paragraph substitution. +[paragraph] +
    {title?
    {title}
    }

    +| +

    + +[admonitionparagraph] +template::[admonitionblock] + +# Delimited blocks. +[listingblock] +
    +
    {caption=}{title}
    +
    +
    +|
    +
    +
    + +[literalblock] +
    +
    {title}
    +
    +
    +|
    +
    +
    + +[sidebarblock] +
    +
    +
    {title}
    +| +
    + +[openblock] +
    +
    {title}
    +
    +| +
    + +[partintroblock] +template::[openblock] + +[abstractblock] +template::[quoteblock] + +[quoteblock] +
    +
    {title}
    +
    +| +
    +
    +{citetitle}{attribution?
    } +— {attribution} +
    + +[verseblock] +
    +
    {title}
    +
    +|
    +
    +
    +{citetitle}{attribution?
    } +— {attribution} +
    + +[exampleblock] +
    +
    {caption={example-caption} {counter:example-number}. }{title}
    +
    +| +
    + +[admonitionblock] +
    + + + +
    +{data-uri%}{icons#}{caption} +{data-uri#}{icons#}{caption} +{icons%}
    {caption}
    +
    +
    {title}
    +| +
    +
    + +# Tables. +[tabletags-default] +colspec= +bodyrow=| +headdata=| +bodydata=| +paragraph=

    |

    + +[tabletags-header] +paragraph=

    |

    + +[tabletags-emphasis] +paragraph=

    |

    + +[tabletags-strong] +paragraph=

    |

    + +[tabletags-monospaced] +paragraph=

    |

    + +[tabletags-verse] +bodydata=
    |
    +paragraph= + +[tabletags-literal] +bodydata=
    |
    +paragraph= + +[tabletags-asciidoc] +bodydata=
    |
    +paragraph= + +[table] + + +{colspecs} +{headrows#} +{headrows} +{headrows#} +{footrows#} +{footrows} +{footrows#} + +{bodyrows} + +
    {caption={table-caption} {counter:table-number}. }{title}
    + +#-------------------------------------------------------------------- +# Deprecated old table definitions. +# + +[miscellaneous] +# Screen width in pixels. +pagewidth=800 +pageunits=px + +[old_tabledef-default] +template=old_table +colspec= +bodyrow=| +headdata=| +footdata=| +bodydata=| + +[old_table] + + +{colspecs} +{headrows#} +{headrows} +{headrows#} +{footrows#} +{footrows} +{footrows#} + +{bodyrows} + +
    {caption={table-caption}}{title}
    + +# End of deprecated old table definitions. +#-------------------------------------------------------------------- + +[floatingtitle] +{title} + +[preamble] +# Untitled elements between header and first section title. +
    +
    +| +
    +
    + +# Document sections. +[sect0] +{title} +| + +[sect1] +
    +{numbered?{sectnum} }{title} +
    +| +
    +
    + +[sect2] +
    +{numbered?{sectnum} }{title} +| +
    + +[sect3] +
    +{numbered?{sectnum} }{title} +| +
    + +[sect4] +
    +{title} +| +
    + +[appendix] +
    +{numbered?{sectnum} }{appendix-caption} {counter:appendix-number:A}: {title} +
    +| +
    +
    + +[toc] +
    +
    {toc-title}
    + +
    + +[header] + + + + + + + +{title} +{title%}{doctitle=} +ifdef::linkcss[] + +ifeval::["{source-highlighter}"=="pygments"] + +endif::[] + +# DEPRECATED: 'pygments' attribute. +ifdef::pygments[] + +ifdef::toc2[] + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +ifndef::disable-javascript[] +ifdef::linkcss[] + + + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +endif::disable-javascript[] +ifdef::asciimath[] +ifdef::linkcss[] + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +endif::asciimath[] +ifdef::latexmath[] +ifdef::linkcss[] + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +endif::latexmath[] +ifdef::mathjax[] + + +endif::mathjax[] +{docinfo1,docinfo2#}{include:{docdir}/docinfo.html} +{docinfo,docinfo2#}{include:{docdir}/{docname}-docinfo.html} +template::[docinfo] + + +# Article, book header. +ifndef::doctype-manpage[] + +endif::doctype-manpage[] +# Man page header. +ifdef::doctype-manpage[] + +endif::doctype-manpage[] +
    + +[footer] +
    +{disable-javascript%

    } + + + + +[footer-date] +# Default footer date is document modification time +ifeval::["{footer-style=default}"!="revdate"] + {docdate} {doctime} +endif::[] +# If set to "revdate", it'll be set to the revision date +ifeval::["{footer-style=default}"=="revdate"] + {revdate} +endif::[] + +ifdef::doctype-manpage[] +[synopsis] +template::[sect1] +endif::doctype-manpage[] + diff --git a/asciidoc/images b/asciidoc/images new file mode 120000 index 0000000..a564569 --- /dev/null +++ b/asciidoc/images @@ -0,0 +1 @@ +../../usr/share/asciidoc/images \ No newline at end of file diff --git a/asciidoc/javascripts b/asciidoc/javascripts new file mode 120000 index 0000000..fa18fef --- /dev/null +++ b/asciidoc/javascripts @@ -0,0 +1 @@ +../../usr/share/asciidoc/javascripts \ No newline at end of file diff --git a/asciidoc/lang-cs.conf b/asciidoc/lang-cs.conf new file mode 100644 index 0000000..ba72996 --- /dev/null +++ b/asciidoc/lang-cs.conf @@ -0,0 +1,56 @@ +# +# AsciiDoc Czech language configuration file. +# (C) 2012 Petr Klíma +# License: GNU Free Documentation License, ver. 1.3 or later version, see http://fsf.org/ + +[attributes] +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=Pozor +important-caption=Důležité +note-caption=Poznámka +tip-caption=Tip +warning-caption=Varování +figure-caption=Obrázek +table-caption=Tabulka +example-caption=Příklad +toc-title=Obsah +appendix-caption=Příloha +# Man page NAME section title. +manname-title=NAME + +[footer-text] +Verze {revnumber}{basebackend-xhtml11?
    }{basebackend-xhtml11=
    } +Poslední úprava +template::[footer-date] + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^Abstrakt$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Tiráž$=colophon +^VÄ›nování$=dedication +^PÅ™edmluva$=preface +endif::doctype-book[] + +^Index$=index +^(Bibliografie|Reference)$=bibliography +^Glosář$=glossary +^Příloha [A-Z][:.](?P.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +(?i)^PÅ™ehled$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/lang-de.conf b/asciidoc/lang-de.conf new file mode 100644 index 0000000..5364c59 --- /dev/null +++ b/asciidoc/lang-de.conf 
@@ -0,0 +1,62 @@
+#
+# AsciiDoc German language configuration file.
+# Originally written by Michael Wild
+#
+
+[attributes]
+# Left and right single and double quote characters.
+lsquo=‚
+rsquo=‘
+ldquo=„
+rdquo=“
+
+# Captions, used by (X)HTML backends.
+# Captions on RHS are displayed in outputs.
+ifdef::basebackend-html[]
+
+caution-caption=Achtung
+important-caption=Wichtig
+note-caption=Anmerkung
+tip-caption=Tipp
+warning-caption=Warnung
+figure-caption=Abbildung
+table-caption=Tabelle
+example-caption=Beispiel
+toc-title=Inhaltsverzeichnis
+appendix-caption=Anhang
+# Man page NAME section title.
+manname-title=NAME
+
+[footer-text]
+Version {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>}
+Letzte Änderung
+template::[footer-date]
+
+endif::basebackend-html[]
+
+
+[specialsections]
+# DocBook special sections.
+# The regular expression on LHS is matched against source titles.
+ifdef::basebackend-docbook[]
+
+ifdef::doctype-article[]
+^Zusammenfassung$=abstract
+endif::doctype-article[]
+
+ifdef::doctype-book[]
+^Kolophon$=colophon
+^Widmung$=dedication
+^Vorwort$=preface
+endif::doctype-book[]
+
+^Stichwortverzeichnis$=index
+^Literaturverzeichnis$=bibliography
+^Glossar$=glossary
+^Anhang [A-Z][:.](?P<title>.*)$=appendix
+
+endif::basebackend-docbook[]
+
+ifdef::doctype-manpage[]
+(?i)^ÜBERSICHT$=synopsis
+endif::doctype-manpage[]
diff --git a/asciidoc/lang-el.conf b/asciidoc/lang-el.conf
new file mode 100644
index 0000000..f9a2714
--- /dev/null
+++ b/asciidoc/lang-el.conf
@@ -0,0 +1,56 @@ +# +# AsciiDoc Greek language configuration file. +# Originally written by Michael Dourmousoglou +# + +[attributes] +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=ΠÏοσοχή +important-caption=Σημαντικό +note-caption=Σημείωση +tip-caption=Υπόδειξη +warning-caption=ΠÏοειδοποίηση +figure-caption=Σχήμα +table-caption=Πίνακας +example-caption=ΠαÏάδειγμα +toc-title=Πίνακας πεÏιεχομένων +appendix-caption=ΠαÏάÏτημα +# Man page NAME section title. +manname-title=ÎŒÎΟΜΑ + +[footer-text] +Έκδοση {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>} +Τελευταία αναθεώÏηση +template::[footer-date] + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^ΠεÏίληψη$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Κολοφώνας$=colophon +^ΑφιέÏωση$=dedication +^ΠÏόλογος$=preface +endif::doctype-book[] + +^ΕυÏετήÏιο$=index +^(ΒιβλιογÏαφία|ΑναφοÏές)$=bibliography +^ΓλωσσάÏι÷$=glossary +^ΠαÏάÏτημα [Α-Ω][:.](?P<title>.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +(?i)^ΣÏνοψη$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/lang-en.conf b/asciidoc/lang-en.conf new file mode 100644 index 0000000..d304fcb --- /dev/null +++ b/asciidoc/lang-en.conf 
@@ -0,0 +1,55 @@
+#
+# AsciiDoc English language configuration file.
+#
+
+[attributes]
+# Captions, used by (X)HTML backends.
+# Captions on RHS are displayed in outputs.
+ifdef::basebackend-html[]
+
+caution-caption=Caution
+important-caption=Important
+note-caption=Note
+tip-caption=Tip
+warning-caption=Warning
+figure-caption=Figure
+table-caption=Table
+example-caption=Example
+toc-title=Table of Contents
+appendix-caption=Appendix
+# Man page NAME section title.
+manname-title=NAME
+
+[footer-text]
+Version {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>}
+Last updated
+template::[footer-date]
+
+endif::basebackend-html[]
+
+
+[specialsections]
+# DocBook special sections.
+# The regular expression on LHS is matched against source titles.
+ifdef::basebackend-docbook[]
+
+ifdef::doctype-article[]
+^Abstract$=abstract
+endif::doctype-article[]
+
+ifdef::doctype-book[]
+^Colophon$=colophon
+^Dedication$=dedication
+^Preface$=preface
+endif::doctype-book[]
+
+^Index$=index
+^(Bibliography|References)$=bibliography
+^Glossary$=glossary
+^Appendix [A-Z][:.](?P<title>.*)$=appendix
+
+endif::basebackend-docbook[]
+
+ifdef::doctype-manpage[]
+(?i)^SYNOPSIS$=synopsis
+endif::doctype-manpage[]
diff --git a/asciidoc/lang-es.conf b/asciidoc/lang-es.conf
new file mode 100644
index 0000000..da9a3bb
--- /dev/null
+++ b/asciidoc/lang-es.conf
@@ -0,0 +1,58 @@ +# +# AsciiDoc Spanish language configuration file. +# + +[attributes] +#TODO: Left and right single and double quote characters. + +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=Atención +important-caption=Importante +note-caption=Nota +tip-caption=Sugerencia +warning-caption=Aviso +figure-caption=Figura +table-caption=Tabla +example-caption=Ejemplo +toc-title=Tabla de contenidos +appendix-caption=Apéndice +# Man page NAME section title. +manname-title=NOMBRE DE REFERENCIA + +[footer-text] +#TODO: Translation of 'Version' and 'Last updated'. +Version {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>} +Last updated +template::[footer-date] + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^Resumen$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Colofón$=colophon +^Dedicación$=dedication +^Prefacio$=preface +endif::doctype-book[] + +^Ãndice$=index +^(Bibliografía|Referencias)$=bibliography +^Glosario$=glossary +^Apéndice [A-Z][:.](?P<title>.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +(?i)^SINOPSIS$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/lang-fi.conf b/asciidoc/lang-fi.conf new file mode 100644 index 0000000..2af8769 --- /dev/null +++ b/asciidoc/lang-fi.conf 
@@ -0,0 +1,55 @@
+#
+# AsciiDoc Finnish language configuration file.
+#
+
+[attributes]
+# Captions, used by (X)HTML backends.
+# Captions on RHS are displayed in outputs.
+ifdef::basebackend-html[]
+
+caution-caption=Huom
+important-caption=Tärkeää
+note-caption=Huomio
+tip-caption=Vinkki
+warning-caption=Varoitus
+figure-caption=Kuvio
+table-caption=Taulukko
+example-caption=Esimerkki
+toc-title=Sisällysluettelo
+appendix-caption=Liitteet
+# Man page NAME section title.
+manname-title=NAME
+
+[footer-text]
+Versio {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>}
+Viimeksi päivitetty
+template::[footer-date]
+
+endif::basebackend-html[]
+
+
+[specialsections]
+# DocBook special sections.
+# The regular expression on LHS is matched against source titles.
+ifdef::basebackend-docbook[]
+
+ifdef::doctype-article[]
+^Tiivistelmä$=abstract
+endif::doctype-article[]
+
+ifdef::doctype-book[]
+^Loppukirjoitus$=colophon
+^Omistus$=dedication
+^Esipuhe$=preface
+endif::doctype-book[]
+
+^$Hakemisto=index
+^(Lähdeluettelo|Lähteet|Viitteet)$=bibliography
+^Sanasto$=glossary
+^Liitteet [A-Z][:.](?P<title>.*)$=appendix
+
+endif::basebackend-docbook[]
+
+ifdef::doctype-manpage[]
+(?i)^Yhteenveto$=synopsis
+endif::doctype-manpage[]
diff --git a/asciidoc/lang-fr.conf b/asciidoc/lang-fr.conf
new file mode 100644
index 0000000..8b708f6
--- /dev/null
+++ b/asciidoc/lang-fr.conf
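Review bot: The index entry in the `[specialsections]` block of asciidoc/lang-fi.conf reads `^$Hakemisto=index`, which places the end anchor before the word, so the pattern cannot match a section titled Hakemisto. Every sibling entry anchors the title on both sides (for example `^Sanasto$=glossary`), so this looks like a transposition and the line should be `^Hakemisto$=index`. The file looks like the stock one installed with the asciidoc package (not confirmed from this page), so the correction probably belongs upstream as well as in this /etc copy.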
@@ -0,0 +1,60 @@ +# +# AsciiDoc French language configuration file. +# Originally written by Yves-Alexis Perez +# + +[attributes] +# Left and right single and double quote characters. +ldquo=« +rdquo=» + +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=Avertissement +important-caption=Important +note-caption=Note +tip-caption=Astuce +warning-caption=Attention +figure-caption=Figure +table-caption=Tableau +example-caption=Exemple +toc-title=Table des matières +appendix-caption=Appendice +# Man page NAME section title. +manname-title=NOM + +[footer-text] +Version {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>} +Dernière mise à jour +template::[footer-date] + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^Résumé$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Colophon$=colophon +^Dédicace$=dedication +^Préface$=preface +endif::doctype-book[] + +^Index$=index +^(Bibliographie|Références)$=bibliography +^Glossaire$=glossary +^Appendice [A-Z][:.](?P<title>.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +(?i)^SYNOPSIS$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/lang-hu.conf b/asciidoc/lang-hu.conf new file mode 100644 index 0000000..c9a2906 --- /dev/null +++ b/asciidoc/lang-hu.conf 
@@ -0,0 +1,58 @@ +# +# AsciiDoc Hungarian language configuration file. +# Originally written by Miklos Vajna +# + +[attributes] +#TODO: Left and right single and double quote characters. + +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=Figyelmeztetés +important-caption=Fontos +note-caption=Megjegyzés +tip-caption=Tipp +warning-caption=Figyelem +figure-caption=Ãbra +table-caption=Táblázat +example-caption=Példa +toc-title=Tartalomjegyzék +appendix-caption=függelék +# Man page NAME section title. +manname-title=NÉV + +[footer-text] +Verzió {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>} +Utolsó frissítés: +template::[footer-date] + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^Kivonat$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Utószó$=colophon +^Ajánlás$=dedication +^ElÅ‘szó$=preface +endif::doctype-book[] + +^Index$=index +^(Bibliográfia|Hivatkozások)$=bibliography +^Szójegyzék$=glossary +^[A-Z] függelék[:.](?P<title>.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +(?i)^ÃTTEKINTÉS$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/lang-id.conf b/asciidoc/lang-id.conf new file mode 100644 index 0000000..f2bcbc2 --- /dev/null +++ b/asciidoc/lang-id.conf 
@@ -0,0 +1,55 @@
+#
+# AsciiDoc Indonesian language configuration file.
+#
+
+[attributes]
+# Captions, used by (X)HTML backends.
+# Captions on RHS are displayed in outputs.
+ifdef::basebackend-html[]
+
+caution-caption=Perhatian
+important-caption=Penting
+note-caption=Catatan
+tip-caption=Tips
+warning-caption=Peringatan
+figure-caption=Gambar
+table-caption=Tabel
+example-caption=Contoh
+toc-title=Daftar Isi
+appendix-caption=Lampiran
+# Man page NAME section title.
+manname-title=NAME
+
+[footer-text]
+Versi {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>}
+Pembaruan terakhir
+template::[footer-date]
+
+endif::basebackend-html[]
+
+
+[specialsections]
+# DocBook special sections.
+# The regular expression on LHS is matched against source titles.
+ifdef::basebackend-docbook[]
+
+ifdef::doctype-article[]
+^Abstrak$=abstract
+endif::doctype-article[]
+
+ifdef::doctype-book[]
+^Colophon$=colophon
+^Dedikasi$=dedication
+^Pengantar$=preface
+endif::doctype-book[]
+
+^Indeks$=index
+^(Bibliografi|Referensi|Pustaka)$=bibliography
+^Glosarium$=glossary
+^Lampiran [A-Z][:.](?P<title>.*)$=appendix
+
+endif::basebackend-docbook[]
+
+ifdef::doctype-manpage[]
+(?i)^SYNOPSIS$=synopsis
+endif::doctype-manpage[]
diff --git a/asciidoc/lang-it.conf b/asciidoc/lang-it.conf
new file mode 100644
index 0000000..52e083f
--- /dev/null
+++ b/asciidoc/lang-it.conf
@@ -0,0 +1,57 @@
+#
+# AsciiDoc Italian language configuration file.
+#
+
+[attributes]
+#TODO: Left and right single and double quote characters.
+
+# Captions, used by (X)HTML backends.
+# Captions on RHS are displayed in outputs.
+ifdef::basebackend-html[]
+
+caution-caption=Attenzione
+important-caption=Importante
+note-caption=Nota
+tip-caption=Suggerimento
+warning-caption=Avvertenza
+figure-caption=Figura
+table-caption=Tabella
+example-caption=Esempio
+toc-title=Indice
+appendix-caption=Appendice
+# Man page NAME section title.
+manname-title=NOME
+
+[footer-text]
+Versione {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>}
+Ultimo aggiornamento
+template::[footer-date]
+
+endif::basebackend-html[]
+
+
+[specialsections]
+# DocBook special sections.
+# The regular expression on LHS is matched against source titles.
+ifdef::basebackend-docbook[]
+
+ifdef::doctype-article[]
+^Abstract$=abstract
+endif::doctype-article[]
+
+ifdef::doctype-book[]
+^Colofone$=colophon
+^Dedica$=dedication
+^Prefazione$=preface
+endif::doctype-book[]
+
+^Index$=index
+^(Bibliografia|Riferimenti)$=bibliography
+^Glossario$=glossary
+^Appendice [A-Z][:.](?P<title>.*)$=appendix
+
+endif::basebackend-docbook[]
+
+ifdef::doctype-manpage[]
+(?i)^SINOSSI$=synopsis
+endif::doctype-manpage[]
diff --git a/asciidoc/lang-ja.conf b/asciidoc/lang-ja.conf
new file mode 100644
index 0000000..5ff71df
--- /dev/null
+++ b/asciidoc/lang-ja.conf
@@ -0,0 +1,62 @@ +# +# AsciiDoc Japanese language configuration file. +# Originally written by 渡邊裕貴 (WATANABE Yuki) +# + +[attributes] +# Left and right single and double quote characters. +lsquo=「 +rsquo=〠+ldquo=『 +rdquo=〠+ +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=æ³¨æ„ +important-caption=é‡è¦ +note-caption=注 +tip-caption=補足 +warning-caption=警告 +figure-caption=図 +table-caption=表 +example-caption=例 +toc-title=目次 +appendix-caption=付録 +# Man page NAME section title. +manname-title=åå‰ + +[footer-text] +ãƒãƒ¼ã‚¸ãƒ§ãƒ³ {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>} +template::[footer-date] + æ›´æ–° + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^概è¦$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^奥付ã‘?$=colophon +^献辞$=dedication +^(剿›¸ã?|ã¾ãˆãŒã)$=preface +endif::doctype-book[] + +^索引$=index +^(å‚考|引用)(書目|文献)$=bibliography +^用語集$=glossary +^付録 [A-Z][:.](?P<title>.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +^書å¼$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/lang-nl.conf b/asciidoc/lang-nl.conf new file mode 100644 index 0000000..32a27e2 --- /dev/null +++ b/asciidoc/lang-nl.conf 
@@ -0,0 +1,63 @@
+#
+# AsciiDoc Dutch language configuration file.
+# Originally written by Dag Wieërs
+#
+
+[attributes]
+# Left and right single and double quote characters.
+lsquo=‚
+rsquo=‘
+ldquo=„
+rdquo=“
+
+# Captions, used by (X)HTML backends.
+# Captions on RHS are displayed in outputs.
+ifdef::basebackend-html[]
+
+caution-caption=Let op
+important-caption=Belangrijk
+note-caption=Opmerking
+tip-caption=Tip
+warning-caption=Waarschuwing
+figure-caption=Figuur
+table-caption=Tabel
+example-caption=Voorbeeld
+toc-title=Inhoudsopgave
+appendix-caption=Bijlage
+# Man page NAME section title.
+manname-title=NAME
+
+[footer-text]
+Versie {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>}
+Laatst bijgewerkt
+template::[footer-date]
+
+endif::basebackend-html[]
+
+
+[specialsections]
+# DocBook special sections.
+# The regular expression on LHS is matched against source titles.
+ifdef::basebackend-docbook[]
+
+ifdef::doctype-article[]
+^Samenvatting$=abstract
+endif::doctype-article[]
+
+ifdef::doctype-book[]
+^Colofon$=colophon
+^Opdracht$=dedication
+^Voorwoord$=preface
+endif::doctype-book[]
+
+^Register$=index
+^Literatuurlijst$=bibliography
+^Woordenlijst$=glossary
+^Bijlage [A-Z][:.](?P<title>.*)$=appendix
+
+endif::basebackend-docbook[]
+
+ifdef::doctype-manpage[]
+#TODO: Translation of 'SYNOPSIS'.
+(?i)^SYNOPSIS$=synopsis
+endif::doctype-manpage[]
diff --git a/asciidoc/lang-pl.conf b/asciidoc/lang-pl.conf
new file mode 100644
index 0000000..7bb6d87
--- /dev/null
+++ b/asciidoc/lang-pl.conf
@@ -0,0 +1,56 @@
+#
+# AsciiDoc Polish language configuration file.
+# (C) 2015 Kerusey Karyu <keruseykaryu@o2.pl>
+# License: GNU Free Documentation License, ver. 1.3 or later version, see http://fsf.org/
+
+[attributes]
+# Captions, used by (X)HTML backends.
+# Captions on RHS are displayed in outputs.
+ifdef::basebackend-html[]
+
+caution-caption=Uwaga
+important-caption=Ważne
+note-caption=ZapamiÄ™taj
+tip-caption=Wskazówka
+warning-caption=Ostrzeżenie
+figure-caption=Rysunek
+table-caption=Tabela
+example-caption=PrzykÅ‚ad
+toc-title=Spis TreÅ›ci
+appendix-caption=Dodatek
+# Man page NAME section title.
+manname-title=NAME
+
+[footer-text]
+Wersja {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>}
+Ostatnio zmodyfikowany
+template::[footer-date]
+
+endif::basebackend-html[]
+
+
+[specialsections]
+# DocBook special sections.
+# The regular expression on LHS is matched against source titles.
+ifdef::basebackend-docbook[]
+
+ifdef::doctype-article[]
+^Streszczenie$=abstract
+endif::doctype-article[]
+
+ifdef::doctype-book[]
+^Kolofon$=colophon
+^Dedykacja$=dedication
+^Przedmowa$=preface
+endif::doctype-book[]
+
+^Indeks$=index
+^(Bibliografia|ŹródÅ‚a)$=bibliography
+^SÅ‚owniczek$=glossary
+^Dodatek [A-Z][:.](?P<title>.*)$=appendix
+
+endif::basebackend-docbook[]
+
+ifdef::doctype-manpage[]
+(?i)^KONSPEKT$=synopsis
+endif::doctype-manpage[]
diff --git a/asciidoc/lang-pt-BR.conf b/asciidoc/lang-pt-BR.conf
new file mode 100644
index 0000000..21981db
--- /dev/null
+++ b/asciidoc/lang-pt-BR.conf
@@ -0,0 +1,58 @@ +# +# AsciiDoc Portugues language configuration file. +# Originally written by Thiago Farina +# + +[attributes] +#TODO: Left and right single and double quote characters. + +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=Atenção +important-caption=Importante +note-caption=Nota +tip-caption=Sugestão +warning-caption=Aviso +figure-caption=Figura +table-caption=Tabela +example-caption=Exemplo +toc-title=Tabela de conteúdos +appendix-caption=Apêndice +# Man page NAME section title. +manname-title=NOME + +[footer-text] +Versão {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>} +Última Atualização +template::[footer-date] + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^Resumo$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Cólofon$=colophon +^Dedicação$=dedication +^Prefácio$=preface +endif::doctype-book[] + +^Ãndice$=index +^(Bibliografia|Referências)$=bibliography +^Glossário$=glossary +^Apêndice [A-Z][:.](?P<title>.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +(?i)^SINOPSE$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/lang-ro.conf b/asciidoc/lang-ro.conf new file mode 100644 index 0000000..cb63af2 --- /dev/null +++ b/asciidoc/lang-ro.conf 
@@ -0,0 +1,60 @@ +# +# AsciiDoc Romanian language configuration file. +# Originally written by Vitalie Lazu +# + +[attributes] +# Left and right single and double quote characters. +ldquo=„ +rdquo=†+ +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=PrecauÈ›ie +important-caption=Important +note-caption=Notă +tip-caption=Sfat +warning-caption=AnteÈ›ie +figure-caption=Figură +table-caption=Tabela +example-caption=Exemplu +toc-title=Cuprins +appendix-caption=Apendix +# Man page NAME section title. +manname-title=NUME + +[footer-text] +Versiunea {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>} +Ultima actualizare +template::[footer-date] + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^AdnotaÈ›ie$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Casetă$=colophon +^Dedicare$=dedication +^Prefață$=preface +endif::doctype-book[] + +^Index$=index +^Bibliografia$=bibliography +^Glosar$=glossary +^Anexa [A-Z][:.](?P<title>.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +(?i)^REZUMAT$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/lang-ru.conf b/asciidoc/lang-ru.conf new file mode 100644 index 0000000..8e66e3e --- /dev/null +++ b/asciidoc/lang-ru.conf 
@@ -0,0 +1,60 @@ +# +# AsciiDoc Russian language configuration file. +# Originally written by Artem Zolochevskiy +# + +[attributes] +# Left and right single and double quote characters. +ldquo=« +rdquo=» + +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=ПредоÑтережение +important-caption=Важно +note-caption=Замечание +tip-caption=ПодÑказка +warning-caption=Внимание +figure-caption=РиÑунок +table-caption=Таблица +example-caption=Пример +toc-title=Содержание +appendix-caption=Приложение +# Man page NAME section title. +manname-title=ИМЯ + +[footer-text] +Ð ÐµÐ´Ð°ÐºÑ†Ð¸Ñ {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>} +ПоÑледнее обновление +template::[footer-date] + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^ÐннотациÑ$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Колофон$=colophon +^ПоÑвÑщение$=dedication +^Введение$=preface +endif::doctype-book[] + +^Предметный указатель$=index +^БиблиографиÑ$=bibliography +^Словарь терминов$=glossary +^Приложение [A-Z][:.](?P<title>.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +(?i)^ОБЗОР$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/lang-sv.conf b/asciidoc/lang-sv.conf new file mode 100644 index 0000000..2157089 --- /dev/null +++ b/asciidoc/lang-sv.conf 
@@ -0,0 +1,55 @@
+#
+# AsciiDoc Swedish language configuration file.
+#
+
+[attributes]
+# Captions, used by (X)HTML backends.
+# Captions on RHS are displayed in outputs.
+ifdef::basebackend-html[]
+
+caution-caption=Varning
+important-caption=Viktigt
+note-caption=Not
+tip-caption=Tips
+warning-caption=Varning
+figure-caption=Figur
+table-caption=Tabell
+example-caption=Exempel
+toc-title=InnehÃ¥llsförteckning
+appendix-caption=Appendix
+# Man page NAME section title.
+manname-title=NAMN
+
+[footer-text]
+Version {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>}
+Senast uppdaterad
+template::[footer-date]
+
+endif::basebackend-html[]
+
+
+[specialsections]
+# DocBook special sections.
+# The regular expression on LHS is matched against source titles.
+ifdef::basebackend-docbook[]
+
+ifdef::doctype-article[]
+^Sammanfattning$=abstract
+endif::doctype-article[]
+
+ifdef::doctype-book[]
+^Kolofon$=colophon
+^Dedikation$=dedication
+^Förord$=preface
+endif::doctype-book[]
+
+^Index|Sakregister$=index
+^(Litteraturförteckning|Referenser)$=bibliography
+^Ordlista|Ordförteckning$=glossary
+^Appendix [A-Z][:.](?P<title>.*)$=appendix
+
+endif::basebackend-docbook[]
+
+ifdef::doctype-manpage[]
+(?i)^SYNOPS|ÖVERSIKT$=synopsis
+endif::doctype-manpage[]
diff --git a/asciidoc/lang-uk.conf b/asciidoc/lang-uk.conf
new file mode 100644
index 0000000..fa6abad
--- /dev/null
+++ b/asciidoc/lang-uk.conf
@@ -0,0 +1,60 @@ +# +# AsciiDoc Ukrainian language configuration file. +# Originally written by Oleksandr Lavrushchenko +# + +[attributes] +# Left and right single and double quote characters. +ldquo=« +rdquo=» + +# Captions, used by (X)HTML backends. +# Captions on RHS are displayed in outputs. +ifdef::basebackend-html[] + +caution-caption=ÐŸÐ¾Ð¿ÐµÑ€ÐµÐ´Ð¶ÐµÐ½Ð½Ñ +important-caption=Важливо +note-caption=Ð—Ð°ÑƒÐ²Ð°Ð¶ÐµÐ½Ð½Ñ +tip-caption=Підказка +warning-caption=Увага +figure-caption=РиÑунок +table-caption=Ð¢Ð°Ð±Ð»Ð¸Ñ†Ñ +example-caption=Приклад +toc-title=ЗміÑÑ‚ +appendix-caption=Додаток +# Man page NAME section title. +manname-title=ÐÐЗВР+ +[footer-text] +ВерÑÑ–Ñ {revnumber}{basebackend-xhtml11?<br />}{basebackend-xhtml11=<br>} +ВоÑтаннє оновлено +template::[footer-date] + +endif::basebackend-html[] + + +[specialsections] +# DocBook special sections. +# The regular expression on LHS is matched against source titles. +ifdef::basebackend-docbook[] + +ifdef::doctype-article[] +^ÐнотаціÑ$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Колофон$=colophon +^ПриÑвÑченнÑ$=dedication +^Ð’Ñтуп$=preface +endif::doctype-book[] + +^Предметний покажчик$=index +^БібліографіÑ$=bibliography +^Словник термінів$=glossary +^Додаток [Ð-Я][:.](?P<title>.*)$=appendix + +endif::basebackend-docbook[] + +ifdef::doctype-manpage[] +(?i)^ОГЛЯД$=synopsis +endif::doctype-manpage[] diff --git a/asciidoc/latex.conf b/asciidoc/latex.conf new file mode 100644 index 0000000..f8b7b17 --- /dev/null +++ b/asciidoc/latex.conf 
@@ -0,0 +1,700 @@ +# +# latex.conf +# +# Asciidoc configuration file. +# latex backend, generates LaTeX conformant markup. +# +# Originally created by Benjamin Klum, later modified by Geoff Eddy. + +[titles] +subs=quotes,replacements,attributes,macros,specialcharacters,replacements2 + + +# The listing block uses a LaTeX verbatim environment where special characters don't need to be escaped. +# Hence only "callouts" substitution should be applied. +[blockdef-listing] +subs=callouts + + +[attributes] +basebackend=latex +basebackend-latex= + +latex-table-rowlimit=20 +latex-use-bibliography-environment! +latex-indent-paragraphs! +latex-recognize-escaped-unicode! +latex-use-custom-list-items! +latex-use-colored-tables! +latex-use-running-title-headings! +latex-use-colored-sidebar-blocks! + +[miscellaneous] +subsnormal=quotes,specialwords,replacements,attributes,macros,specialcharacters,replacements2 +#subsnormal=quotes,specialwords,replacements,attributes,macros,passthroughs,specialcharacters,replacements2 +subsverbatim=callouts,specialcharacters +outfilesuffix=.tex +# Screen width in pixels. +pagewidth=418 +pageunits=pt + + +[specialcharacters] +{=\{{} +}=\}{} +\=\textbackslash{} +$=\${} +<=\textless{} +>=\textgreater{} +&=\&{} +_=\_{} +%=\%{} +\#=\#{} +^=\textasciicircum{} +~=\textasciitilde{} +|=\textbar{} +"=\textquotedbl{} + + +[macros] +# I needed to rewrite some regular expressions because '<' and '>' have not been escaped to '<' and '>' + +# Callout +[\\]?<(?P<index>\d+)>=callout + +# Link: <<id,text>> +(?su)[\\]?<<(?P<attrlist>[\w"].*?)>>=xref2 + +[replacements] + +# Line break. +(?m)^(.*)\s\+$=\1 !..backslash..!newline!..braceleft..!!..braceright..! + +# -- Spaced em dashes (entity reference —) +(^|[^-\\])--($|[^-])=\1--\2 + + +# (C) Copyright (entity reference ©) +(?<!\\)\(C\)=!..backslash..!textcopyright!..braceleft..!!..braceright..! 
+\\\(C\)=(C) + +# (R) registered trade mark (entity reference ® +(?<!\\)\(R\)=!..backslash..!textregistered!..braceleft..!!..braceright..! +\\\(R\)=(R) + +# (TM) Trademark (entity reference ™) +(?<!\\)\(TM\)=!..backslash..!texttrademark!..braceleft..!!..braceright..! +\\\(TM\)=(TM) + +# ... Ellipsis (entity reference …) +(?<!\\)\.\.\.=!..backslash..!dots!..braceleft..!!..braceright..! +\\\.\.\.=... + +# Recognize escaped unicode characters +# FIXME: these should be uncommented, but then there are encoding +# problems. + +#&#([0-9]*);=!..backslash..!unichar!..braceleft..!\1!..braceright..! +#&#x([0123456789abcdefABCDEF]*);=!..backslash..!unichar!..braceleft..!{eval:0x\1}!..braceright..! + +# -> right arrow +->=!..backslash..!textrightarrow!..braceleft..!!..braceright..! +# => right double arrow (have to enter math mode) +=>=!..dollar..!!..backslash..!Rightarrow!..braceleft..!!..braceright..!!..dollar..! +# <- left arrow +<-=!..backslash..!textleftarrow!..braceleft..!!..braceright..! +# <= left double arrow (have to enter math mode) +<\==!..dollar..!!..backslash..!Leftarrow!..braceleft..!!..braceright..!!..dollar..! +# --> long right arrow (have to enter math mode) +-->=!..backslash..!textrightarrow!..braceleft..!!..braceright..! +# ==> long right double arrow (have to enter math mode) +=\=>=!..dollar..!!..backslash..!Rightarrow!..braceleft..!!..braceright..!!..dollar..! +# <-- long left arrow (have to enter math mode) +<--=!..backslash..!textleftarrow!..braceleft..!!..braceright..! +# <== long left double arrow (have to enter math mode) +<\=\==!..dollar..!!..backslash..!Leftarrow!..braceleft..!!..braceright..!!..dollar..! 
+# apostrophe +(\w)'(\w)=\1'\2 + +[quotes] +#``|''= +#`|'= +`=monospaced + +[replacements2] +!..braceleft..!={ +!..braceright..!=} +!..backslash..!=\\ +!..dollar..!=$ +!..lessthan..!=< +!..greaterthan..!=> +!..amp..!=& +!..underline..!=_ +!..percent..!=% +!..sharp..!=# +!..circum..!=^ +!..tilde..!=~ +!..bar..!=| +!..doublequote..!=" + + + +# Ruler is interpreted as a page break. +[ruler-blockmacro] +\clearpage + +[image-inlinemacro] +!..backslash..!href!..braceleft..!{link}!..braceright..!!..braceleft..!!..percent..! +!..backslash..!includegraphics[{scale?scale={scale},}{width?width={width}pt,}{height? height={height}pt}]!..braceleft..!{target}!..braceright..! +{link#}!..braceright..! + + +[image-blockmacro] +\begin\{figure\} +\hypertarget\{{id}\}\{\} +\caption\{{title}\} +\href\{{link}\}\{% +\includegraphics[{scale?scale={scale},}{width?width={width}pt,}{height? height={height}pt}]\{{target}\}% +\label\{{id}\} +{link#}\} +\end\{figure\} + +[indexterm-inlinemacro] +# Inline index term. +!..backslash..!index!..braceleft..!{1}{2?!{2}}{3?!{3}}!..braceright..! + +[indexterm2-inlinemacro] +# Inline index term. +# Single entry index term that is visible in the primary text flow. +!..backslash..!index!..braceleft..!{1}!..braceright..!{1} + +[footnote-inlinemacro] +# Inline footnote. +!..backslash..!footnote!..braceleft..!{0}!..braceright..! + +[footnoteref-inlinemacro] + + +[callout-inlinemacro] +# Inline callout. 
+<{index}> + +[literal-inlinemacro] + +[listtags-bulleted] +list={title?\minisec\{{title}\}} {id?\label\{{id}\}\hypertarget\{{id}\}\{\}} \begin\{itemize\}|\end\{itemize\} +item=\item%| +text=| + +[listtags-numbered] +list={title?\minisec\{{title}\}} {id?\label\{{id}\}\hypertarget\{{id}\}\{\}} \begin\{enumerate\}|\end\{enumerate\} +item=\item%| +text=| + +[listtags-labeled] +list={title?\minisec\{{title}\}} \par{id?\label\{{id}\}\hypertarget\{{id}\}\{\}} | +item=\begin\{quote\}|\end\{quote\} +text=| +term=\noindent\textbf\{%|\} +entry= +label= + +[listtags-horizontal] +list={title?\minisec\{{title}\}} {id?\label\{{id}\}\hypertarget\{{id}\}\{\}} \begin\{description\}|\end\{description\} +item= +text=| +term=\item[%|] +entry= +label= + +[listtags-callout] +list={title?\minisec\{{title}\}} {id?\label\{{id}\}\hypertarget\{{id}\}\{\}} \begin\{enumerate\}|\end\{enumerate\} +item=\item%| +text=| + +[listtags-qanda] +list={title?\minisec\{{title}\}} {id?\label\{{id}\}\hypertarget\{{id}\}\{\}} \begin\{enumerate\}|\end\{enumerate\} +item=\begin\{quotation\}|\end\{quotation\} +text=| +term=| +entry=\item%| +label= + +[listtags-glossary] +list={title?\minisec\{{title}\}} {id?\label\{{id}\}\hypertarget\{{id}\}\{\}} \begin\{enumerate\}|\end\{enumerate\} +item=\item%| +text=| +term=\item%| +entry= +label= + +[listtags-bibliography] +list=biblist={title?\minisec\{{title}\}} {id?\label\{{id}\}\hypertarget\{{id}\}\{\}} \begin\{description\} | \end\{description\} +item=| +text=| + + + +[tags] +superscript=!..backslash..!textsuperscript!..braceleft..!|!..braceright..! +subscript=!..backslash..!textsubscript!..braceleft..!|!..braceright..! +singlequoted=``|'' +doublequoted=`|' + + + +# Quoted text. +emphasis=!..backslash..!emph!..braceleft..!|!..braceright..! +strong=!..backslash..!textbf!..braceleft..!|!..braceright..! +monospaced=!..backslash..!texttt!..braceleft..!|!..braceright..! 
+doublequoted=!..backslash..!{language!textquotedblleft}{language?{language@.german:glqq}}{language?{language@english:textquotedblleft}}!..braceleft..!!..braceright..!|!..backslash..!{language?{language@.german:grqq}}{language?{language@english:textquotedblright}}{language!textquotedblright}!..braceleft..!!..braceright..! +unquoted=| + +# $$ inline passthrough. +$$passthrough=| + +# Inline macros +[http-inlinemacro] +!..backslash..!href!..braceleft..!{name}:{target}!..braceright..!!..braceleft..!{0={name}:{target}}!..braceright..! +[https-inlinemacro] +!..backslash..!href!..braceleft..!{name}:{target}!..braceright..!!..braceleft..!{0={name}:{target}}!..braceright..! +[ftp-inlinemacro] +!..backslash..!href!..braceleft..!{name}:{target}!..braceright..!!..braceleft..!{0={name}:{target}}!..braceright..! +[file-inlinemacro] +!..backslash..!href!..braceleft..!{name}:{target}!..braceright..!!..braceleft..!{0={name}:{target}}!..braceright..! +[mailto-inlinemacro] +!..backslash..!href!..braceleft..!{name}:{target}!..braceright..!!..braceleft..!{0={target}}!..braceright..! +[callto-inlinemacro] +!..backslash..!href!..braceleft..!{name}:{target}!..braceright..!!..braceleft..!{0={target}}!..braceright..! +[link-inlinemacro] +!..backslash..!href!..braceleft..!{target}!..braceright..!!..braceleft..!{0={target}}!..braceright..! +# anchor:id[text] +[anchor-inlinemacro] +!..backslash..!label!..braceleft..!{target}!..braceright..!!..backslash..!hypertarget!..braceleft..!{target}!..braceright..!!..braceleft..!{0={target}}!..braceright..! +# [[id,text]] +[anchor2-inlinemacro] +!..backslash..!label!..braceleft..!{1}!..braceright..!!..backslash..!hypertarget!..braceleft..!{1}!..braceright..!!..braceleft..!{2={1}}!..braceright..! 
+# [[[id]]] +[anchor3-inlinemacro] +{latex-use-bibliography-environment?!..backslash..!bibitem!..braceleft..!{1}!..braceright..!} {latex-use-bibliography-environment!!..backslash..!item[{1}]} !..backslash..!label!..braceleft..!{1}!..braceright..!!..backslash..!hypertarget!..braceleft..!{1}!..braceright..!!..braceleft..!!..braceright..! +# xref:id[text] +[xref-inlinemacro] +{style#}{style$page:!..backslash..!pageref!..braceleft..!{target}!..braceright..!} +{style#}{style$autoref:!..backslash..!autoref!..braceleft..!{target}!..braceright..!} +{style#}{style$ref:!..backslash..!ref!..braceleft..!{target}!..braceright..!} +{style#}{latex-use-bibliography-environment#}{style$cite:!..backslash..!cite!..braceleft..!{target}!..braceright..!} +{style#}{latex-use-bibliography-environment%}{style$cite:!..backslash..!hyperlink!..braceleft..!{target}!..braceright..!!..braceleft..!{0=[{target}]}!..braceright..!} +{style%}!..backslash..!hyperlink!..braceleft..!{target}!..braceright..!!..braceleft..!{0=[{target}]}!..braceright..! + +# <<id,text>> +[xref2-inlinemacro] +{3#}{3$page:!..backslash..!pageref!..braceleft..!{1}!..braceright..!} +{3#}{3$autoref:!..backslash..!autoref!..braceleft..!{1}!..braceright..!} +{3#}{3$ref:!..backslash..!ref!..braceleft..!{1}!..braceright..!} +{3#}{latex-use-bibliography-environment#}{3$cite:!..backslash..!cite!..braceleft..!{1}!..braceright..!} +{3#}{latex-use-bibliography-environment%}{3$cite:!..backslash..!hyperlink!..braceleft..!{1}!..braceright..!!..braceleft..!{2=[{1}]}!..braceright..!} +{3%}!..backslash..!hyperlink!..braceleft..!{1}!..braceright..!!..braceleft..!{2=[{1}]}!..braceright..! + + +# Special word substitution. +[emphasizedwords] +!..backslash..!emph!..braceleft..!{words}!..braceright..! +[monospacedwords] +!..backslash..!texttt!..braceleft..!{words}!..braceright..! +[strongwords] +!..backslash..!textbf!..braceleft..!{words}!..braceright..! + + + +# Paragraph substitution. 
+[paragraph] +{title%} \par{latex-indent-paragraphs!\noindent{}} +{title#} \paragraph\{{title}\} +\label\{{id}\}\hypertarget\{{id}\}\{\} + +| + +[literalparagraph] +# The literal block employs the same markup. +template::[literalblock] + +[verseparagraph] +# The verse block employs the same markup. +template::[verseblock] + +[admonitionparagraph] +# The admonition block employs the same markup. +template::[admonitionblock] + +# Delimited blocks. +[passthroughblock] +| + +# FIXME: we get SPURIOUS TEXT at the beginning, but can't delete it. +# Putting "[]" after the \begin{lstlisting} in the LaTeX output works, +# but inserting the same "[]" below doesn't. + +[listingblock] +\\minisec\{{caption=Listing: }{title}\} +\label\{{id}\}\hypertarget\{{id}\}\{\} +\begin\{verbatim\}|\end\{verbatim\} + +% FIXXME: dirty hack to circumvent missing \n after verbatim + +[literalblock] +\minisec\{{title}\} +\label\{{id}\}\hypertarget\{{id}\}\{\} +\begin\{alltt\} + +| + +\end\{alltt\} + +[verseblock] +\minisec\{{title}\} +\label\{{id}\}\hypertarget\{{id}\}\{\} +\begin\{alltt\} +\normalfont\{\} + +| + +\end\{alltt\} + +[sidebarblock] +\label\{{id}\}\hypertarget\{{id}\}\{\} +\par\noindent{} +ifndef::latex-use-colored-sidebar-blocks[] +\setlength\{\tabcolsep\}\{0pt\} +\rowcolors\{1\}\{\}\{\} +\begin\{tabular\}\{l>\{\columncolor[gray]\{.75\}\}rcl\} +\hspace*\{0pt\} & +\hspace*\{8pt\} & +\hspace*\{16pt\} & +\begin\{minipage\}\{4in\} +endif::latex-use-colored-sidebar-blocks[] +ifdef::latex-use-colored-sidebar-blocks[] +\fcolorbox\{SidebarBorderColor\}\{SidebarBackgroundColor\}\{\parbox\{\textwidth\}\{ +endif::latex-use-colored-sidebar-blocks[] +\minisec\{{title}\} + +| + +ifdef::latex-use-colored-sidebar-blocks[] +\} +\} +endif::latex-use-colored-sidebar-blocks[] +ifndef::latex-use-colored-sidebar-blocks[] +\end\{minipage\} +\end\{tabular\} +endif::latex-use-colored-sidebar-blocks[] +\bigskip + +[quoteblock] +\minisec\{{title}\} +\label\{{id}\}\hypertarget\{{id}\}\{\} +\begin\{quote\} + +| 
+ +\end\{quote\} + +\begin\{flushright\} +{citetitle} \\ +-- {attribution} +\end\{flushright\} + +[exampleblock] +\minisec\{{caption=}{title}\} +\label\{{id}\}\hypertarget\{{id}\}\{\} +\begin\{quotation\} + +| + +\end\{quotation\} + +[admonitionblock] +\begin\{addmargin*\}[0em]\{0em\} +\label\{{id}\}\hypertarget\{{id}\}\{\} +\begin\{minipage\}\{\linewidth\} +{icons#} \includegraphics\{{icon={iconsdir}/{name}.png}\} +{icons%} \minisec\{{caption}\} +\rule\{\linewidth\}\{2pt\} +\par\{\}\noindent\{\}|\par\{\}\noindent\{\}% +\rule[.25\baselineskip]\{\linewidth\}\{2pt\} +\end\{minipage\} +\end\{addmargin*\} + +# Bibliography list. +# Same as numbered list. +[listdef-bibliography] +listtag=biblist +itemtag=biblistitem +texttag=biblisttext + +# Glossary list. +# Same as labeled list. +[listdef-glossary] +listtag=vlist +itemtag=vlistitem +texttag=vlisttext +entrytag=vlistentry +labeltag=vlistterm + +# Tables. +# FIXME: no lines! + +[tabletags-monospaced] + +[tabletags-strong] + +[tabletags-verse] + +[tabletags-literal] + +[tabletags-emphasis] + +[tabletags-asciidoc] + +#[tabledef-default] + +[tabletags-default] +#template=table +colspec=>\{{colalign@left:\\raggedright}{colalign@center:\\centering}{colalign@right:\\raggedleft}\}p\{ {colwidth}pt \} +bodyrow=| \tabularnewline +headdata=\{\bfseries\{\}|\} {colnumber@{colcount}::&} +footdata=\{\bfseries\{\}|\} {colnumber@{colcount}::&} +bodydata=| {colnumber@{colcount}:%:&} +paragraph= + +[tabletags-header] + +[table] +ifdef::latex-use-colored-tables[] +\rowcolors\{1\}\{TableEvenColor\}\{TableOddColor\} +\setlength\arrayrulewidth\{1.5pt\} +\arrayrulecolor\{TableBorderColor\} +endif::latex-use-colored-tables[] +{eval:{rowcount}{gt}{latex-table-rowlimit}} \begin\{longtable\}\{ +{eval:{rowcount}{gt}{latex-table-rowlimit}} {frame$all|sides:|} +{eval:{rowcount}{gt}{latex-table-rowlimit}} {colspecs} +{eval:{rowcount}{gt}{latex-table-rowlimit}} {frame$all|sides:|} +{eval:{rowcount}{gt}{latex-table-rowlimit}} \} 
+{eval:{rowcount}{gt}{latex-table-rowlimit}} \hypertarget\{{id}\}\{\} +{eval:{rowcount}{gt}{latex-table-rowlimit}} \caption\{{title}\} +{eval:{rowcount}{gt}{latex-table-rowlimit}} {frame$all|topbot:\hline} +{eval:{rowcount}{gt}{latex-table-rowlimit}} {headrows} +{eval:{rowcount}{gt}{latex-table-rowlimit}} {headrows#} \endhead +{eval:{rowcount}{gt}{latex-table-rowlimit}} {footrows} +{eval:{rowcount}{gt}{latex-table-rowlimit}} {footrows#} \endlastfoot +{eval:{rowcount}{gt}{latex-table-rowlimit}} +{eval:{rowcount}{gt}{latex-table-rowlimit}} {bodyrows} +{eval:{rowcount}{gt}{latex-table-rowlimit}} {frame$all|topbot:\hline} +{eval:{rowcount}{gt}{latex-table-rowlimit}} \label\{{id}\} +{eval:{rowcount}{gt}{latex-table-rowlimit}} \end\{longtable\} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {title%} \par{latex-indent-paragraphs!\noindent} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {title#} \begin\{table\} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {title#} \begin\{center\} +{eval:{rowcount}{lt}={latex-table-rowlimit}} \hypertarget\{{id}\}\{\} +{eval:{rowcount}{lt}={latex-table-rowlimit}} \caption\{{title}\} +{eval:{rowcount}{lt}={latex-table-rowlimit}} \begin\{tabular\}\{lllllllllllllll +{eval:{rowcount}{lt}={latex-table-rowlimit}} {frame$all|sides:|} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {colspecs} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {frame$all|sides:|} +{eval:{rowcount}{lt}={latex-table-rowlimit}} \} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {frame$all|topbot:\hline} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {headrows} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {bodyrows} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {footrows} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {frame$all|topbot:\hline} +{eval:{rowcount}{lt}={latex-table-rowlimit}} \end\{tabular\} +{eval:{rowcount}{lt}={latex-table-rowlimit}} {title#} \end\{center\} +{eval:{rowcount}{lt}={latex-table-rowlimit}} \label\{{id}\} +{eval:{rowcount}{lt}={latex-table-rowlimit}} 
{title#} \end\{table\} + +[specialsections] +ifdef::doctype-article[] +^Abstract$=abstract +endif::doctype-article[] + +ifdef::doctype-book[] +^Dedication$=dedication +endif::doctype-book[] + +^Index$=index + +ifdef::latex-use-bibliography-environment[] +^(Bibliography|References)$=bibliography +endif::latex-use-bibliography-environment[] + +^Appendix.*$=appendix +^(TOC|Contents)$=toc + +^Figures$=list-of-figures + +# Special sections. + + +[list-of-figures] +\listoffigures + + +[toc] +\label\{{id}\}\hypertarget\{{id}\}\{\} +\tableofcontents + +[index] +\setindexpreamble\{ +| +\} +\label\{{id}\}\hypertarget\{{id}\}\{\} +\printindex + +ifdef::latex-use-bibliography-environment[] +[bibliography] +\label\{{id}\}\hypertarget\{{id}\}\{\} +\begin\{thebibliography\}\{99\} +| +\end\{thebibliography\} +endif::latex-use-bibliography-environment[] + +[appendix] +\appendix +\label\{{id}\}\hypertarget\{{id}\}\{\} +| + +[abstract] +\label\{{id}\}\hypertarget\{{id}\}\{\} +\begin\{abstract\} +| + +\end\{abstract\} + +[abstractblock] + +[dedication] +\label\{{id}\}\hypertarget\{{id}\}\{\} +\dedication\{ +| +\} + +[preamble] +# Untitled elements between header and first section title. +ifdef::doctype-book[] +\frontmatter +\chapter*\{Preface\} +\label\{preamble\}\hypertarget\{preamble\}\{\} +endif::doctype-book[] + + +| + +ifdef::doctype-book[] +\mainmatter +endif::doctype-book[] + +# Document sections. +[sect0] +\hypertarget\{{id}\}\{\} +\chapter\{{title}\} +\label\{{id}\} +| + +[sect1] +\hypertarget\{{id}\}\{\} +\section\{{title}\} +\label\{{id}\} + +[sect2] +\hypertarget\{{id}\}\{\} +\subsection\{{title}\} +\label\{{id}\} +| + +[sect3] +\hypertarget\{{id}\}\{\} +\subsubsection\{{title}\} +\label\{{id}\} +| + +[sect4] +\hypertarget\{{id}\}\{\} +\minisec\{{title}\} +\label\{{id}\} +| + + +# FIXME: if the "backgroundcolor" entry is present as below, the +# background comes out black and is unreadable in PDF, although it is +# OK in DVI. 
+# \lstset\{basicstyle=\footnotesize\ttfamily,showstringspaces=false,breaklines,frame=single, rulecolor=\color\{ListingBorderColor\}, backgroundcolor=\color\{ListingBackgroundColor\}, xleftmargin=0cm, linewidth=0.95\textwidth\} + + +[header] +{encoding$UTF-8:}% coding: utf-8 +\documentclass [a4paper,abstracton,titlepage]\{{doctype@article:scrartcl:scrbook}\} +\pagestyle\{{latex-use-running-title-headings?headings}{latex-use-running-title-headings!plain}\} +\usepackage\{makeidx\} +\usepackage[table]\{xcolor\} +\usepackage\{color\} +\definecolor\{LinkColor\}\{rgb\}\{0.33,0.42,0.18\} +\definecolor\{TableEvenColor\}\{rgb\}\{0.93,1,0.8\} +\definecolor\{TableOddColor\}\{rgb\}\{0.93,1,1\} +\definecolor\{TableBorderColor\}\{rgb\}\{0.55,0.67,0.73\} +\definecolor\{ListingBorderColor\}\{rgb\}\{0.55,0.55,0.55\} +\definecolor\{ListingBackgroundColor\}\{rgb\}\{0.95,0.95,0.95\} +\definecolor\{SidebarBorderColor\}\{rgb\}\{0.95,0.95,0.95\} +\definecolor\{SidebarBackgroundColor\}\{rgb\}\{1,1,0.93\} +\usepackage\{type1ec\} +\usepackage[{language=english}]\{babel\} +\usepackage[ + pdftex, + pdftitle=\{{doctitle}\}, + pdfauthor=\{{author}\}, + backref, + pagebackref, + breaklinks=true, + unicode + ] + \{hyperref\} +\usepackage\{enumerate\} +\usepackage\{graphicx\} +\usepackage\{longtable\} +\usepackage[T1]\{fontenc\} +\usepackage\{ucs\} +\usepackage[{encoding@ISO-8859-1:latin1}{encoding@UTF-8:utf8x}{encoding!utf8x}]\{inputenc\} +\usepackage\{textcomp\} +\usepackage\{alltt\} +%\usepackage\{listings\} +\usepackage\{verbatim\} +\usepackage\{moreverb\} +\usepackage\{upquote\} + +%\lstset\{basicstyle=\footnotesize\ttfamily,showstringspaces=false,breaklines,frame=single, rulecolor=\color\{ListingBorderColor\}, xleftmargin=0cm, linewidth=0.95\textwidth\} + +{latex-indent-paragraphs%} \setlength\{\parskip\}\{1ex plus 0.5ex minus 0.2ex\} + +\makeatletter +\DeclareRobustCommand*\textsubscript[1]\{% + \@textsubscript\{\selectfont#1\}\} +\def\@textsubscript#1\{% + 
\{\m@th\ensuremath\{_\{\mbox\{\fontsize\sf@size\z@#1\}\}\}\}\} +\makeatother + +\subject\{{subject}\} +\title\{{doctitle}\} +\author\{{author}{email?, \href\{mailto:{email}\}\{{email}\}}\} +\date\{{revdate}\} +\publishers\{\begin\{tabular\}\{ll\} {revision?\textbf\{Revision:\} & {revision} \\ } {keywords?\textbf\{Keywords:\} & {keywords} \\ } \end\{tabular\}\} + +\makeindex + +\begin\{document\} + +%\newcommand{\texttesh}{\textteshlig\/} + +\label\{header\}\hypertarget\{header\}\{\} +{doctitle#\maketitle} + +[footer] +\label\{footer\}\hypertarget\{footer\}\{\} +\end\{document\} diff --git a/asciidoc/slidy.conf b/asciidoc/slidy.conf new file mode 100644 index 0000000..32a9098 --- /dev/null +++ b/asciidoc/slidy.conf 
@@ -0,0 +1,150 @@ +# +# Asciidoc Configuration file for slidy HTML generation. +# + +include::xhtml11.conf[] + +[literalparagraph] +template::[listingblock] + +[openblock] +<div class="openblock{incremental? incremental}{role? {role}}"{id? id="{id}"}> +<div class="title">{title}</div> +<div class="content"> +| +</div></div> + +[listtags-bulleted] +list={title?<div class="title">{title}</div>}<ul{id? id="{id}"} class="{incremental? incremental}{role? {role}}">|</ul> +item=<li>|</li> +text=<span>|</span> + +[listtags-numbered] +# The start attribute is not valid XHTML 1.1 but all browsers support it. +list={title?<div class="title">{title}</div>}<ol{id? id="{id}"} class="{style}{incremental? incremental}{role? {role}}"{start? start="{start}"}>|</ol> +item=<li>|</li> +text=<span>|</span> + +[listtags-labeled] +list=<div class="dlist{compact-option? compact}{role? {role}}"{id? id="{id}"}>{title?<div class="title">{title}</div>}<dl class="{incremental? incremental}{role? {role}}">|</dl></div> +entry= +label= +term=<dt class="hdlist1{strong-option? strong}">|</dt> +item=<dd>|</dd> +text=<p>|</p> + +[preamble] +# Untitled elements between header and first section title. +<div id="preamble" class="slide"> +<div class="sectionbody"{max-width? style="max-width:{max-width}"}> +| +</div> +</div> + +[sect1] +<div class="sect1 slide{style? {style}}{role? {role}}"> +<h1{id? id="{id}"}>{numbered?{sectnum} }{title}</h1> +# Set max-width here because Slidy ignores max-width on body. +<div class="sectionbody"{max-width? style="max-width:{max-width}"}> +| +</div> +</div> + +[appendix] +<div class="sect1 slide{style? {style}}{role? {role}}"> +<h1{id? id="{id}"}>{numbered?{sectnum} }{appendix-caption} {counter:appendix-number:A}: {title}</h1> +# Set max-width here because Slidy ignores max-width on body. +<div class="sectionbody"{max-width? 
style="max-width:{max-width}"}> +| +</div> +</div> + +[header] +<?xml version="1.0" encoding="{encoding}"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="{lang=en}" xml:lang="{lang=en}"> +<head> +<title>{doctitle=} + +ifndef::copyright[] + + + +ifdef::linkcss[] + + +ifeval::["{source-highlighter}"=="pygments"] + +endif::[] + +# DEPRECATED: 'pygments' attribute. +ifdef::pygments[] + + + +endif::linkcss[] +ifndef::linkcss[] + + +endif::linkcss[] +ifdef::asciimath[] +ifdef::linkcss[] + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +endif::asciimath[] +ifdef::latexmath[] +ifdef::linkcss[] + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +endif::latexmath[] + + + + +[footer] + + diff --git a/asciidoc/stylesheets b/asciidoc/stylesheets new file mode 120000 index 0000000..b1d0fd3 --- /dev/null +++ b/asciidoc/stylesheets @@ -0,0 +1 @@ +../../usr/share/asciidoc/stylesheets \ No newline at end of file diff --git a/asciidoc/text.conf b/asciidoc/text.conf new file mode 100644 index 0000000..7bc6658 --- /dev/null +++ b/asciidoc/text.conf @@ -0,0 +1,16 @@ +# text.conf +# Used by the AsciiDoc a2x(1) toolchain wrapper utility. +# Filters to add leading blank line and margin indent to verbatim +# block elements so lynx(1) generated text output looks nicer. + +[paradef-default] +verse-style=template="verseparagraph",filter="echo; echo; sed 's/^/ /'" + +[paradef-literal] +filter=echo; echo; sed 's/^/ /' + +[blockdef-listing] +filter=echo; sed 's/^/ /' + +[blockdef-literal] +filter=echo; sed 's/^/ /' diff --git a/asciidoc/themes/flask/flask.css b/asciidoc/themes/flask/flask.css new file mode 100644 index 0000000..03abe3b --- /dev/null +++ b/asciidoc/themes/flask/flask.css 
@@ -0,0 +1,597 @@ +/* Shared CSS for AsciiDoc xhtml11 and html5 backends */ + +/* Default font. */ +body { + font-family: Georgia,serif; +} + +/* Title font. */ +h1, h2, h3, h4, h5, h6, +div.title, caption.title, +thead, p.table.header, +#toctitle, +#author, #revnumber, #revdate, #revremark, +#footer { + font-family: Arial,Helvetica,sans-serif; +} + +body { + margin: 1em 5% 1em 5%; +} + +a { + color: blue; + text-decoration: underline; +} +a:visited { + color: fuchsia; +} + +em { + font-style: italic; + color: navy; +} + +strong { + font-weight: bold; + color: #083194; +} + +h1, h2, h3, h4, h5, h6 { + color: #527bbd; + margin-top: 1.2em; + margin-bottom: 0.5em; + line-height: 1.3; +} + +h1, h2, h3 { + border-bottom: 2px solid silver; +} +h2 { + padding-top: 0.5em; +} +h3 { + float: left; +} +h3 + * { + clear: left; +} +h5 { + font-size: 1.0em; +} + +div.sectionbody { + margin-left: 0; +} + +hr { + border: 1px solid silver; +} + +p { + margin-top: 0.5em; + margin-bottom: 0.5em; +} + +ul, ol, li > p { + margin-top: 0; +} +ul > li { color: #aaa; } +ul > li > * { color: black; } + +pre { + padding: 0; + margin: 0; +} + +#author { + color: #527bbd; + font-weight: bold; + font-size: 1.1em; +} +#email { +} +#revnumber, #revdate, #revremark { +} + +#footer { + font-size: small; + border-top: 2px solid silver; + padding-top: 0.5em; + margin-top: 4.0em; +} +#footer-text { + float: left; + padding-bottom: 0.5em; +} +#footer-badges { + float: right; + padding-bottom: 0.5em; +} + +#preamble { + margin-top: 1.5em; + margin-bottom: 1.5em; +} +div.imageblock, div.exampleblock, div.verseblock, +div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock, +div.admonitionblock { + margin-top: 1.0em; + margin-bottom: 1.5em; +} +div.admonitionblock { + margin-top: 2.0em; + margin-bottom: 2.0em; + margin-right: 10%; + color: #606060; +} + +div.content { /* Block element content. */ + padding: 0; +} + +/* Block element titles. 
*/ +div.title, caption.title { + color: #527bbd; + font-weight: bold; + text-align: left; + margin-top: 1.0em; + margin-bottom: 0.5em; +} +div.title + * { + margin-top: 0; +} + +td div.title:first-child { + margin-top: 0.0em; +} +div.content div.title:first-child { + margin-top: 0.0em; +} +div.content + div.title { + margin-top: 0.0em; +} + +div.sidebarblock > div.content { + background: #ffffee; + border: 1px solid #dddddd; + border-left: 4px solid #f0f0f0; + padding: 0.5em; +} + +div.listingblock > div.content { + border: 1px solid #dddddd; + border-left: 5px solid #f0f0f0; + background: #f8f8f8; + padding: 0.5em; +} + +div.quoteblock, div.verseblock { + padding-left: 1.0em; + margin-left: 1.0em; + margin-right: 10%; + border-left: 5px solid #f0f0f0; + color: #777777; +} + +div.quoteblock > div.attribution { + padding-top: 0.5em; + text-align: right; +} + +div.verseblock > pre.content { + font-family: inherit; + font-size: inherit; +} +div.verseblock > div.attribution { + padding-top: 0.75em; + text-align: left; +} +/* DEPRECATED: Pre version 8.2.7 verse style literal block. 
*/ +div.verseblock + div.attribution { + text-align: left; +} + +div.admonitionblock .icon { + vertical-align: top; + font-size: 1.1em; + font-weight: bold; + text-decoration: underline; + color: #527bbd; + padding-right: 0.5em; +} +div.admonitionblock td.content { + padding-left: 0.5em; + border-left: 3px solid #dddddd; +} + +div.exampleblock > div.content { + border-left: 3px solid #dddddd; + padding-left: 0.5em; +} + +div.imageblock div.content { padding-left: 0; } +span.image img { border-style: none; } +a.image:visited { color: white; } + +dl { + margin-top: 0.8em; + margin-bottom: 0.8em; +} +dt { + margin-top: 0.5em; + margin-bottom: 0; + font-style: normal; + color: navy; +} +dd > *:first-child { + margin-top: 0.1em; +} + +ul, ol { + list-style-position: outside; +} +ol.arabic { + list-style-type: decimal; +} +ol.loweralpha { + list-style-type: lower-alpha; +} +ol.upperalpha { + list-style-type: upper-alpha; +} +ol.lowerroman { + list-style-type: lower-roman; +} +ol.upperroman { + list-style-type: upper-roman; +} + +div.compact ul, div.compact ol, +div.compact p, div.compact p, +div.compact div, div.compact div { + margin-top: 0.1em; + margin-bottom: 0.1em; +} + +tfoot { + font-weight: bold; +} +td > div.verse { + white-space: pre; +} + +div.hdlist { + margin-top: 0.8em; + margin-bottom: 0.8em; +} +div.hdlist tr { + padding-bottom: 15px; +} +dt.hdlist1.strong, td.hdlist1.strong { + font-weight: bold; +} +td.hdlist1 { + vertical-align: top; + font-style: normal; + padding-right: 0.8em; + color: navy; +} +td.hdlist2 { + vertical-align: top; +} +div.hdlist.compact tr { + margin: 0; + padding-bottom: 0; +} + +.comment { + background: yellow; +} + +.footnote, .footnoteref { + font-size: 0.8em; +} + +span.footnote, span.footnoteref { + vertical-align: super; +} + +#footnotes { + margin: 20px 0 20px 0; + padding: 7px 0 0 0; +} + +#footnotes div.footnote { + margin: 0 0 5px 0; +} + +#footnotes hr { + border: none; + border-top: 1px solid silver; + height: 1px; + 
text-align: left; + margin-left: 0; + width: 20%; + min-width: 100px; +} + +div.colist td { + padding-right: 0.5em; + padding-bottom: 0.3em; + vertical-align: top; +} +div.colist td img { + margin-top: 0.3em; +} + +@media print { + #footer-badges { display: none; } +} + +#toc { + margin-bottom: 2.5em; +} + +#toctitle { + color: #527bbd; + font-size: 1.1em; + font-weight: bold; + margin-top: 1.0em; + margin-bottom: 0.1em; +} + +div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 { + margin-top: 0; + margin-bottom: 0; +} +div.toclevel2 { + margin-left: 2em; + font-size: 0.9em; +} +div.toclevel3 { + margin-left: 4em; + font-size: 0.9em; +} +div.toclevel4 { + margin-left: 6em; + font-size: 0.9em; +} + +span.aqua { color: aqua; } +span.black { color: black; } +span.blue { color: blue; } +span.fuchsia { color: fuchsia; } +span.gray { color: gray; } +span.green { color: green; } +span.lime { color: lime; } +span.maroon { color: maroon; } +span.navy { color: navy; } +span.olive { color: olive; } +span.purple { color: purple; } +span.red { color: red; } +span.silver { color: silver; } +span.teal { color: teal; } +span.white { color: white; } +span.yellow { color: yellow; } + +span.aqua-background { background: aqua; } +span.black-background { background: black; } +span.blue-background { background: blue; } +span.fuchsia-background { background: fuchsia; } +span.gray-background { background: gray; } +span.green-background { background: green; } +span.lime-background { background: lime; } +span.maroon-background { background: maroon; } +span.navy-background { background: navy; } +span.olive-background { background: olive; } +span.purple-background { background: purple; } +span.red-background { background: red; } +span.silver-background { background: silver; } +span.teal-background { background: teal; } +span.white-background { background: white; } +span.yellow-background { background: yellow; } + +span.big { font-size: 2em; } +span.small { font-size: 0.6em; } + 
+span.underline { text-decoration: underline; } +span.overline { text-decoration: overline; } +span.line-through { text-decoration: line-through; } + + +/* + * xhtml11 specific + * + * */ + +tt { + font-family: monospace; + font-size: inherit; + color: navy; +} + +div.tableblock { + margin-top: 1.0em; + margin-bottom: 1.5em; +} +div.tableblock > table { + border: 3px solid #527bbd; +} +thead, p.table.header { + font-weight: bold; + color: #527bbd; +} +p.table { + margin-top: 0; +} +/* Because the table frame attribute is overriden by CSS in most browsers. */ +div.tableblock > table[frame="void"] { + border-style: none; +} +div.tableblock > table[frame="hsides"] { + border-left-style: none; + border-right-style: none; +} +div.tableblock > table[frame="vsides"] { + border-top-style: none; + border-bottom-style: none; +} + + +/* + * html5 specific + * + * */ + +.monospaced { + font-family: monospace; + font-size: inherit; + color: navy; +} + +table.tableblock { + margin-top: 1.0em; + margin-bottom: 1.5em; +} +thead, p.tableblock.header { + font-weight: bold; + color: #527bbd; +} +p.tableblock { + margin-top: 0; +} +table.tableblock { + border-width: 3px; + border-spacing: 0px; + border-style: solid; + border-color: #527bbd; + border-collapse: collapse; +} +th.tableblock, td.tableblock { + border-width: 1px; + padding: 4px; + border-style: solid; + border-color: #527bbd; +} + +table.tableblock.frame-topbot { + border-left-style: hidden; + border-right-style: hidden; +} +table.tableblock.frame-sides { + border-top-style: hidden; + border-bottom-style: hidden; +} +table.tableblock.frame-none { + border-style: hidden; +} + +th.tableblock.halign-left, td.tableblock.halign-left { + text-align: left; +} +th.tableblock.halign-center, td.tableblock.halign-center { + text-align: center; +} +th.tableblock.halign-right, td.tableblock.halign-right { + text-align: right; +} + +th.tableblock.valign-top, td.tableblock.valign-top { + vertical-align: top; +} 
+th.tableblock.valign-middle, td.tableblock.valign-middle { + vertical-align: middle; +} +th.tableblock.valign-bottom, td.tableblock.valign-bottom { + vertical-align: bottom; +} + + +/* + * manpage specific + * + * */ + +body.manpage h1 { + padding-top: 0.5em; + padding-bottom: 0.5em; + border-top: 2px solid silver; + border-bottom: 2px solid silver; +} +body.manpage h2 { + border-style: none; +} +body.manpage div.sectionbody { + margin-left: 3em; +} + +@media print { + body.manpage div#toc { display: none; } +} + + +/* + * Theme specific overrides of the preceding (asciidoc.css) CSS. + * + */ +body { + font-family: Garamond, Georgia, serif; + font-size: 17px; + color: #3E4349; + line-height: 1.3em; +} +h1, h2, h3, h4, h5, h6, +div.title, caption.title, +thead, p.table.header, +#toctitle, +#author, #revnumber, #revdate, #revremark, +#footer { + font-family: Garmond, Georgia, serif; + font-weight: normal; + border-bottom-width: 0; + color: #3E4349; +} +div.title, caption.title { color: #596673; font-weight: bold; } +h1 { font-size: 240%; } +h2 { font-size: 180%; } +h3 { font-size: 150%; } +h4 { font-size: 130%; } +h5 { font-size: 115%; } +h6 { font-size: 100%; } +#header h1 { margin-top: 0; } +#toc { + color: #444444; + line-height: 1.5; + padding-top: 1.5em; +} +#toctitle { + font-size: 20px; +} +#toc a { + border-bottom: 1px dotted #999999; + color: #444444 !important; + text-decoration: none !important; +} +#toc a:hover { + border-bottom: 1px solid #6D4100; + color: #6D4100 !important; + text-decoration: none !important; +} +div.toclevel1 { margin-top: 0.2em; font-size: 16px; } +div.toclevel2 { margin-top: 0.15em; font-size: 14px; } +em, dt, td.hdlist1 { color: black; } +strong { color: #3E4349; } +a { color: #004B6B; text-decoration: none; border-bottom: 1px dotted #004B6B; } +a:visited { color: #615FA0; border-bottom: 1px dotted #615FA0; } +a:hover { color: #6D4100; border-bottom: 1px solid #6D4100; } +div.tableblock > table, table.tableblock { border: 3px 
solid #E8E8E8; } +th.tableblock, td.tableblock { border: 1px solid #E8E8E8; } +ul > li > * { color: #3E4349; } +pre, tt, .monospaced { font-family: Consolas,Menlo,'Deja Vu Sans Mono','Bitstream Vera Sans Mono',monospace; } +tt, .monospaced { font-size: 0.9em; color: black; +} +div.exampleblock > div.content, div.sidebarblock > div.content, div.listingblock > div.content { border-width: 0 0 0 3px; border-color: #E8E8E8; } +div.verseblock { border-left-width: 0; margin-left: 3em; } +div.quoteblock { border-left-width: 3px; margin-left: 0; margin-right: 0;} +div.admonitionblock td.content { border-left: 3px solid #E8E8E8; } diff --git a/asciidoc/themes/volnitsky/volnitsky.css b/asciidoc/themes/volnitsky/volnitsky.css new file mode 100644 index 0000000..c756ce5 --- /dev/null +++ b/asciidoc/themes/volnitsky/volnitsky.css 
@@ -0,0 +1,438 @@ +/* + * AsciiDoc 'volnitsky' theme for xhtml11 and html5 backends. + * Based on css from http://volnitsky.com, which was in turn based on default + * theme from AsciiDoc + * + * FIXME: The styling is still a bit rough in places. + * + */ + +/* Default font. */ +body { + font-family: Georgia,"Times New Roman",Times,serif; +} + +/* Title font. */ +h1, h2, h3, h4, h5, h6, +div.title, caption.title, +thead, p.table.header, +#toctitle, +#author, #revnumber, #revdate, #revremark, +#footer { + font-family: Candara,Arial,sans-serif; +} + + +#toc a { + border-bottom: 1px dotted #999999; + color: #3A3A4D !important; + text-decoration: none !important; +} +#toc a:hover { + border-bottom: 1px solid #6D4100; + color: #6D4100 !important; + text-decoration: none !important; +} +a { color: #666688; text-decoration: none; border-bottom: 1px dotted #666688; } +a:visited { color: #615FA0; border-bottom: 1px dotted #615FA0; } +a:hover { color: #6D4100; border-bottom: 1px solid #6D4100; } + +em { + font-style: italic; + color: #444466; +} + +strong { + font-weight: bold; + color: #444466; +} + +h1, h2, h3, h4, h5, h6 { + color: #666688; + margin-bottom: 0.5em; + line-height: 1.3; + letter-spacing:+0.15em; +} + +h1, h2, h3 { border-bottom: 2px solid #ccd; } +h2 { padding-top: 0.5em; } +h3 { float: left; } +h3 + * { clear: left; } + +div.sectionbody { + margin-left: 0; +} + +hr { + border: 1px solid #444466; +} + +p { + margin-top: 0.5em; + margin-bottom: 0.5em; +} + +ul, ol, li > p { + margin-top: 0; +} + +pre { + padding: 0; + margin: 0; +} + +#author { + color: #444466; + font-weight: bold; + font-size: 1.1em; +} + +#footer { + font-size: small; + border-top: 2px solid silver; + padding-top: 0.5em; + margin-top: 4.0em; +} + +#footer-text { + float: left; + padding-bottom: 0.5em; +} + +#footer-badges { + float: right; + padding-bottom: 0.5em; +} + +#preamble { + margin-top: 1.5em; + margin-bottom: 1.5em; +} + +div.tableblock, div.imageblock, div.exampleblock, 
div.verseblock, +div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock, +div.admonitionblock { + margin-top: 1.5em; + margin-bottom: 1.5em; +} + +div.admonitionblock { + margin-top: 2.5em; + margin-bottom: 2.5em; +} + +div.content { /* Block element content. */ + padding: 0; +} + +/* Block element titles. */ +div.title, caption.title { + color: #444466; + font-weight: bold; + text-align: left; + margin-top: 1.0em; + margin-bottom: 0.5em; +} +div.title + * { + margin-top: 0; +} + +td div.title:first-child { + margin-top: 0.0em; +} +div.content div.title:first-child { + margin-top: 0.0em; +} +div.content + div.title { + margin-top: 0.0em; +} + +div.sidebarblock > div.content { + background: #ffffee; + border: 1px solid silver; + padding: 0.5em; +} + +div.listingblock > div.content { + border: 1px solid silver; + background: #f4f4f4; + padding: 0.5em; +} + +div.quoteblock { + padding-left: 2.0em; + margin-right: 10%; +} +div.quoteblock > div.attribution { + padding-top: 0.5em; + text-align: right; +} + +div.verseblock { + padding-left: 2.0em; + margin-right: 10%; +} +div.verseblock > pre.content { + font-family: inherit; +} +div.verseblock > div.attribution { + padding-top: 0.75em; + text-align: left; +} +/* DEPRECATED: Pre version 8.2.7 verse style literal block. 
*/ +div.verseblock + div.attribution { + text-align: left; +} + +div.admonitionblock .icon { + vertical-align: top; + font-size: 1.1em; + font-weight: bold; + text-decoration: underline; + color: #444466; + padding-right: 0.5em; +} +div.admonitionblock td.content { + padding-left: 0.5em; + border-left: 2px solid silver; +} + +div.exampleblock > div.content { + border-left: 2px solid silver; + padding: 0.5em; +} + +div.imageblock div.content { padding-left: 0; } +span.image img { border-style: none; } +a.image:visited { color: white; } + +dl { + margin-top: 0.8em; + margin-bottom: 0.8em; +} +dt { + margin-top: 0.5em; + margin-bottom: 0; + font-style: normal; + color: #444466; +} +dd > *:first-child { + margin-top: 0.1em; +} + +ul, ol { + list-style-position: outside; +} +ol.arabic { + list-style-type: decimal; +} +ol.loweralpha { + list-style-type: lower-alpha; +} +ol.upperalpha { + list-style-type: upper-alpha; +} +ol.lowerroman { + list-style-type: lower-roman; +} +ol.upperroman { + list-style-type: upper-roman; +} + +div.compact ul, div.compact ol, +div.compact p, div.compact p, +div.compact div, div.compact div { + margin-top: 0.1em; + margin-bottom: 0.1em; +} + +div.tableblock > table { + border: 3px solid #444466; +} +thead { + font-weight: bold; + color: #444466; +} +tfoot { + font-weight: bold; +} +td > div.verse { + white-space: pre; +} +p.table { + margin-top: 0; +} +/* Because the table frame attribute is overriden by CSS in most browsers. 
*/ +div.tableblock > table[frame="void"] { + border-style: none; +} +div.tableblock > table[frame="hsides"] { + border-left-style: none; + border-right-style: none; +} +div.tableblock > table[frame="vsides"] { + border-top-style: none; + border-bottom-style: none; +} + + +div.hdlist { + margin-top: 0.8em; + margin-bottom: 0.8em; +} +div.hdlist tr { + padding-bottom: 15px; +} +dt.hdlist1.strong, td.hdlist1.strong { + font-weight: bold; +} +td.hdlist1 { + vertical-align: top; + font-style: normal; + padding-right: 0.8em; + color: #444466; +} +td.hdlist2 { + vertical-align: top; +} +div.hdlist.compact tr { + margin: 0; + padding-bottom: 0; +} + +.comment { + background: yellow; +} + +@media print { + #footer-badges { display: none; } +} + +#toctitle { + color: #666688; + font-size: 1.2em; + font-weight: bold; + margin-top: 1.0em; + margin-bottom: 0.1em; +} + +div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 { margin-top: 0; margin-bottom: 0; } +div.toclevel1 { margin-top: 0.3em; margin-left: 0; font-size: 1.0em; } +div.toclevel2 { margin-top: 0.25em; margin-left: 2em; font-size: 0.9em; } +div.toclevel3 { margin-left: 4em; font-size: 0.8em; } +div.toclevel4 { margin-left: 6em; font-size: 0.8em; } + +body { + margin: 1em 5%; + max-width: 55em; + padding-left: 0; + +} + +.monospaced, tt, div.listingblock > div.content { + font-family: Consolas, "Andale Mono", "Courier New", monospace; + color: #004400; + background: #f4f4f4; + max-width: 80em; + line-height: 1.2em; +} + +.paragraph p { + line-height: 1.5em; + margin-top: 1em; +} + +.paragraph p, li, dd, .content { max-width: 45em; } +.admonitionblock { max-width: 35em; } + +div.sectionbody div.ulist > ul > li { + list-style-type: square; + color: #aaa; +} + div.sectionbody div.ulist > ul > li > * { + color: black; + /*font-size: 50%;*/ + } + + +div.sectionbody div.ulist > ul > li div.ulist > ul > li { + color: #ccd ; +} + div.sectionbody div.ulist > ul > li div.ulist > ul > li > * { + color: black ; + } + +em { 
+ font-style: normal ! important; + font-weight: bold ! important; + color: #662222 ! important; + letter-spacing:+0.08em ! important; +} + +span.underline { text-decoration: underline; } +span.overline { text-decoration: overline; } +span.line-through { text-decoration: line-through; } + +/* + * html5 specific + * + * */ + +table.tableblock { + margin-top: 1.0em; + margin-bottom: 1.5em; +} +thead, p.tableblock.header { + font-weight: bold; + color: #666688; +} +p.tableblock { + margin-top: 0; +} +table.tableblock { + border-width: 3px; + border-spacing: 0px; + border-style: solid; + border-color: #444466; + border-collapse: collapse; +} +th.tableblock, td.tableblock { + border-width: 1px; + padding: 4px; + border-style: solid; + border-color: #444466; +} + +table.tableblock.frame-topbot { + border-left-style: hidden; + border-right-style: hidden; +} +table.tableblock.frame-sides { + border-top-style: hidden; + border-bottom-style: hidden; +} +table.tableblock.frame-none { + border-style: hidden; +} + +th.tableblock.halign-left, td.tableblock.halign-left { + text-align: left; +} +th.tableblock.halign-center, td.tableblock.halign-center { + text-align: center; +} +th.tableblock.halign-right, td.tableblock.halign-right { + text-align: right; +} + +th.tableblock.valign-top, td.tableblock.valign-top { + vertical-align: top; +} +th.tableblock.valign-middle, td.tableblock.valign-middle { + vertical-align: middle; +} +th.tableblock.valign-bottom, td.tableblock.valign-bottom { + vertical-align: bottom; +} + + diff --git a/asciidoc/xhtml11-quirks.conf b/asciidoc/xhtml11-quirks.conf new file mode 100644 index 0000000..cd6c41e --- /dev/null +++ b/asciidoc/xhtml11-quirks.conf @@ -0,0 +1,61 @@ +# +# xhtml11-quirks.conf +# +# Workarounds for IE6's broken # and incomplete CSS2. +# + +[image-blockmacro] +
    + +
    {caption={figure-caption} {counter:figure-number}: }{title}
    +
    + +[sidebarblock] +
    +
    + +[quoteblock] +
    +
    {title}
    +
    +| +
    +
    +{citetitle}
    +— {attribution} +
    + +[verseblock] +
    +
    {title}
    +
    +|
    +
    +
    +{citetitle}
    +— {attribution} +
    + +[exampleblock] +
    +
    {caption={example-caption} {counter:example-number}: }{title}
    +
    +| +
    + +[sect2] +
    +# The
    is because the IE6 adjacent-sibling CSS selector is broken. +{numbered?{sectnum} }{title}
    +| +
    + diff --git a/asciidoc/xhtml11.conf b/asciidoc/xhtml11.conf new file mode 100644 index 0000000..5ed28c3 --- /dev/null +++ b/asciidoc/xhtml11.conf @@ -0,0 +1,726 @@ +# +# xhtml11.conf +# +# Asciidoc configuration file. +# xhtml11 backend, generates XHTML 1.1 conformant markup. +# + +[miscellaneous] +outfilesuffix=.html + +[attributes] +basebackend=html +basebackend-html= +basebackend-xhtml11= + +[replacements2] +# Line break. +(?m)^(.*)\s\+$=\1
    + +[replacements] +ifdef::asciidoc7compatible[] +# Superscripts. +\^(.+?)\^=\1 +# Subscripts. +~(.+?)~=\1 +endif::asciidoc7compatible[] + +[ruler-blockmacro] +
    + +[pagebreak-blockmacro] +
    + +[blockdef-pass] +asciimath-style=template="asciimathblock",subs=() +latexmath-style=template="latexmathblock",subs=(),posattrs=(),filter="unwraplatex.py" + +[macros] +# math macros. +# Special characters are escaped in HTML math markup. +(?su)[\\]?(?Pasciimath):(?P\S*?)\[(?P.*?)(?asciimath)::(?P\S*?)(\[(?P.*?)\])$=#[specialcharacters] +(?su)[\\]?(?Platexmath):(?P\S*?)\[(?:\$\s*)?(?P.*?)(?:\s*\$)?(?latexmath)::(?P\S*?)(\[(?:\\\[\s*)?(?P.*?)(?:\s*\\\])?\])$=#[specialcharacters] + +[asciimath-inlinemacro] +`{passtext}` + +[asciimath-blockmacro] +
    +
    +
    {title}
    +`{passtext}` +
    + +[asciimathblock] +
    +
    +
    {title}
    +`|` +
    + +[latexmath-inlinemacro] +${passtext}$ + +[latexmath-blockmacro] +
    +
    +
    {title}
    +{backslash}[{passtext}{backslash}] +
    + +[latexmathblock] +
    +
    +
    {title}
    +\[|\] +
    + +[image-inlinemacro] + + +{data-uri%}{alt={target}} +{data-uri#}{alt={target}} +{link#} + + +[image-blockmacro] +
    + +
    {caption={figure-caption} {counter:figure-number}. }{title}
    +
    + +[unfloat-blockmacro] +
    + +[toc-blockmacro] +template::[toc] + +[indexterm-inlinemacro] +# Index term. +{empty} + +[indexterm2-inlinemacro] +# Index term. +# Single entry index term that is visible in the primary text flow. +{1} + +[footnote-inlinemacro] +# footnote:[]. +
    [{0}]
    + +[footnoteref-inlinemacro] +# footnoteref:[], create reference to footnote. +{2%}
    [{1}]
    +# footnoteref:[,], create footnote with ID. +{2#}
    [{2}]
    + +[callout-inlinemacro] +ifndef::icons[] +<{index}> +endif::icons[] +ifdef::icons[] +ifndef::data-uri[] +{index} +endif::data-uri[] +ifdef::data-uri[] +{index} +endif::data-uri[] +endif::icons[] + +# Comment line macros. +[comment-inlinemacro] +{showcomments#}
    {passtext}
    + +[comment-blockmacro] +{showcomments#}

    {passtext}

    + +[literal-inlinemacro] +# Inline literal. +{passtext} + +# List tags. +[listtags-bulleted] +list=
    {title?
    {title}
    }
      |
    +item=
  • |
  • +text=

    |

    + +[listtags-numbered] +# The start attribute is not valid XHTML 1.1 but all browsers support it. +list=
    {title?
    {title}
    }
      |
    +item=
  • |
  • +text=

    |

    + +[listtags-labeled] +list=
    {title?
    {title}
    }
    |
    +entry= +label= +term=
    |
    +item=
    |
    +text=

    |

    + +[listtags-horizontal] +list=
    {title?
    {title}
    }{labelwidth?}{itemwidth?}|
    +label=| +term=|
    +entry=| +item=| +text=

    |

    + +[listtags-qanda] +list=
    {title?
    {title}
    }
      |
    +entry=
  • |
  • +label= +term=

    |

    +item= +text=

    |

    + +[listtags-callout] +ifndef::icons[] +list=
    {title?
    {title}
    }
      |
    +item=
  • |
  • +text=

    |

    +endif::icons[] +ifdef::icons[] +list=
    {title?
    {title}
    }|
    +ifndef::data-uri[] +item={listindex}| +endif::data-uri[] +ifdef::data-uri[] +item={listindex}| +endif::data-uri[] +text=| +endif::icons[] + +[listtags-glossary] +list=
    {title?
    {title}
    }
    |
    +label= +entry= +term=
    |
    +item=
    |
    +text=

    |

    + +[listtags-bibliography] +list=
    {title?
    {title}
    }
      |
    +item=
  • |
  • +text=

    |

    + +[tags] +# Quoted text. +emphasis={1?}|{1?} +strong={1?}|{1?} +monospaced={1?}|{1?} +singlequoted={lsquo}{1?}|{1?}{rsquo} +doublequoted={ldquo}{1?}|{1?}{rdquo} +unquoted={1?}|{1?} +superscript={1?}|{1?} +subscript={1?}|{1?} + +ifdef::deprecated-quotes[] +# Override with deprecated quote attributes. +emphasis={role?}|{role?} +strong={role?}|{role?} +monospaced={role?}|{role?} +singlequoted={role?}{1,2,3?}{amp}#8216;|{amp}#8217;{1,2,3?}{role?} +doublequoted={role?}{1,2,3?}{amp}#8220;|{amp}#8221;{1,2,3?}{role?} +unquoted={role?}{1,2,3?}|{1,2,3?}{role?} +superscript={role?}|{role?} +subscript={role?}|{role?} +endif::deprecated-quotes[] + +# Inline macros +[http-inlinemacro] +{0={name}:{target}} +[https-inlinemacro] +{0={name}:{target}} +[ftp-inlinemacro] +{0={name}:{target}} +[file-inlinemacro] +{0={name}:{target}} +[irc-inlinemacro] +{0={name}:{target}} +[mailto-inlinemacro] +{0={target}} +[link-inlinemacro] +{0={target}} +[callto-inlinemacro] +{0={target}} +# anchor:id[text] +[anchor-inlinemacro] + +# [[id,text]] +[anchor2-inlinemacro] + +# [[[id]]] +[anchor3-inlinemacro] +[{1}] +# xref:id[text] +[xref-inlinemacro] +{0=[{target}]} +# <> +[xref2-inlinemacro] +{2=[{1}]} + +# Special word substitution. +[emphasizedwords] +{words} +[monospacedwords] +{words} +[strongwords] +{words} + +# Paragraph substitution. +[paragraph] +
    {title?
    {title}
    }

    +| +

    + +[admonitionparagraph] +template::[admonitionblock] + +# Delimited blocks. +[listingblock] +
    +
    {caption=}{title}
    +
    +
    
    +|
    +
    +
    + +[literalblock] +
    +
    {title}
    +
    +
    
    +|
    +
    +
    + +[sidebarblock] +
    +
    +
    {title}
    +| +
    + +[openblock] +
    +
    {title}
    +
    +| +
    + +[partintroblock] +template::[openblock] + +[abstractblock] +template::[quoteblock] + +[quoteblock] +
    +
    {title}
    +
    +| +
    +
    +{citetitle}{attribution?
    } +— {attribution} +
    + +[verseblock] +
    +
    {title}
    +
    +|
    +
    +
    +{citetitle}{attribution?
    } +— {attribution} +
    + +[exampleblock] +
    +
    {caption={example-caption} {counter:example-number}. }{title}
    +
    +| +
    + +[admonitionblock] +
    + + + +
    +{data-uri%}{icons#}{caption} +{data-uri#}{icons#}{caption} +{icons%}
    {caption}
    +
    +
    {title}
    +| +
    +
    + +# Tables. +[tabletags-default] +colspec= +bodyrow=| +headdata=| +bodydata=| +paragraph=

    |

    + +[tabletags-header] +paragraph=

    |

    + +[tabletags-emphasis] +paragraph=

    |

    + +[tabletags-strong] +paragraph=

    |

    + +[tabletags-monospaced] +paragraph=

    |

    + +[tabletags-verse] +bodydata=
    |
    +paragraph= + +[tabletags-literal] +bodydata=
    |
    +paragraph= + +[tabletags-asciidoc] +bodydata=
    |
    +paragraph= + +[table] +
    + + +{colspecs} +{headrows#} +{headrows} +{headrows#} +{footrows#} +{footrows} +{footrows#} + +{bodyrows} + +
    {caption={table-caption} {counter:table-number}. }{title}
    +
    + +#-------------------------------------------------------------------- +# Deprecated old table definitions. +# + +[miscellaneous] +# Screen width in pixels. +pagewidth=800 +pageunits= + +[old_tabledef-default] +template=old_table +colspec= +bodyrow=| +headdata=| +footdata=| +bodydata=| + +[old_table] +
    + + +{colspecs} +{headrows#} +{headrows} +{headrows#} +{footrows#} +{footrows} +{footrows#} + +{bodyrows} + +
    {caption={table-caption}}{title}
    +
    + +# End of deprecated old table definitions. +#-------------------------------------------------------------------- + +[floatingtitle] +{title} + +[preamble] +# Untitled elements between header and first section title. +
    +
    +| +
    +
    + +# Document sections. +[sect0] +{title} +| + +[sect1] +
    +{numbered?{sectnum} }{title} +
    +| +
    +
    + +[sect2] +
    +{numbered?{sectnum} }{title} +| +
    + +[sect3] +
    +{numbered?{sectnum} }{title} +| +
    + +[sect4] +
    +{title} +| +
    + +[appendix] +
    +{numbered?{sectnum} }{appendix-caption} {counter:appendix-number:A}: {title} +
    +| +
    +
    + +[toc] +
    +
    {toc-title}
    + +
    + +[header] + + + + + + + + +{title} +{title%}{doctitle=} +ifdef::linkcss[] + +ifdef::quirks[] + +endif::quirks[] +ifeval::["{source-highlighter}"=="pygments"] + +endif::[] + +# DEPRECATED: 'pygments' attribute. +ifdef::pygments[] + +ifdef::toc2[] + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +ifndef::disable-javascript[] +ifdef::linkcss[] + + + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +endif::disable-javascript[] +ifdef::asciimath[] +ifdef::linkcss[] + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +endif::asciimath[] +ifdef::latexmath[] +ifdef::linkcss[] + +endif::linkcss[] +ifndef::linkcss[] + +endif::linkcss[] +endif::latexmath[] +ifdef::mathjax[] + + +endif::mathjax[] +{docinfo1,docinfo2#}{include:{docdir}/docinfo.html} +{docinfo,docinfo2#}{include:{docdir}/{docname}-docinfo.html} +template::[docinfo] + + +# Article, book header. +ifndef::doctype-manpage[] + +endif::doctype-manpage[] +# Man page header. +ifdef::doctype-manpage[] + +endif::doctype-manpage[] +
    + +[footer] +
    +{disable-javascript%

    } + + + + +[footer-date] +# Default footer date is document modification time +ifeval::["{footer-style=default}"!="revdate"] + {docdate} {doctime} +endif::[] +# If set to "revdate", it'll be set to the revision date +ifeval::["{footer-style=default}"=="revdate"] + {revdate} +endif::[] + +ifdef::doctype-manpage[] +[synopsis] +template::[sect1] +endif::doctype-manpage[] + +ifdef::quirks[] +include::xhtml11-quirks.conf[] +endif::quirks[] diff --git a/asound.conf b/asound.conf new file mode 100644 index 0000000..da7ab7c --- /dev/null +++ b/asound.conf @@ -0,0 +1,3 @@ +# +# Place your global alsa-lib configuration here... +# diff --git a/at.deny b/at.deny new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/at.deny @@ -0,0 +1 @@ + diff --git a/audit/audit-stop.rules b/audit/audit-stop.rules new file mode 100644 index 0000000..7e23cff --- /dev/null +++ b/audit/audit-stop.rules @@ -0,0 +1,8 @@ +# These rules are loaded when the audit daemon stops +# if configured to do so. + +# Disable auditing +-e 0 + +# Delete all rules +-D diff --git a/audit/audit.rules b/audit/audit.rules new file mode 100644 index 0000000..e947da4 --- /dev/null +++ b/audit/audit.rules 
@@ -0,0 +1,85 @@
+## This file is automatically generated from /etc/audit/rules.d
+-D
+-b 8192
+-f 1
+--backlog_wait_time 60000
+-w /var/log/audit/ -k auditlog
+-w /etc/audit/ -p wa -k auditconfig
+-w /etc/libaudit.conf -p wa -k auditconfig
+-w /etc/audisp/ -p wa -k audispconfig
+-w /sbin/auditctl -p x -k audittools
+-w /sbin/auditd -p x -k audittools
+-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
+-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
+-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
+-a exit,always -F arch=b64 -S mount -S umount2 -k mount
+-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
+-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
+-w /etc/localtime -p wa -k localtime
+-w /usr/sbin/stunnel -p x -k stunnel
+-w /etc/cron.allow -p wa -k cron
+-w /etc/cron.deny -p wa -k cron
+-w /etc/cron.d/ -p wa -k cron
+-w /etc/cron.daily/ -p wa -k cron
+-w /etc/cron.hourly/ -p wa -k cron
+-w /etc/cron.monthly/ -p wa -k cron
+-w /etc/cron.weekly/ -p wa -k cron
+-w /etc/crontab -p wa -k cron
+-w /var/spool/cron/crontabs/ -k cron
+-w /etc/group -p wa -k etcgroup
+-w /etc/passwd -p wa -k etcpasswd
+-w /etc/gshadow -k etcgroup
+-w /etc/shadow -k etcpasswd
+-w /etc/security/opasswd -k opasswd
+-w /usr/bin/passwd -p x -k passwd_modification
+-w /usr/sbin/groupadd -p x -k group_modification
+-w /usr/sbin/groupmod -p x -k group_modification
+-w /usr/sbin/addgroup -p x -k group_modification
+-w /usr/sbin/useradd -p x -k user_modification
+-w /usr/sbin/usermod -p x -k user_modification
+-w /usr/sbin/adduser -p x -k user_modification
+-w /etc/login.defs -p wa -k login
+-w /etc/securetty -p wa -k login
+-w /var/log/faillog -p wa -k login
+-w /var/log/lastlog -p wa -k login
+-w /var/log/tallylog -p wa -k login
+-w /etc/hosts -p wa -k hosts
+-w /etc/network/ -p wa -k network
+-w /etc/inittab -p wa -k init
+-w /etc/init.d/ -p wa -k init
+-w /etc/init/ -p wa -k init
+-w /etc/ld.so.conf -p wa -k libpath
+-w /etc/sysctl.conf -p wa -k sysctl
+-w /etc/modprobe.conf -p wa -k modprobe
+-w /etc/pam.d/ -p wa -k pam
+-w /etc/security/limits.conf -p wa -k pam
+-w /etc/security/pam_env.conf -p wa -k pam
+-w /etc/security/namespace.conf -p wa -k pam
+-w /etc/security/namespace.init -p wa -k pam
+-w /etc/puppetlabs/puppet/ssl -p wa -k puppet_ssl
+-w /etc/aliases -p wa -k mail
+-w /etc/postfix/ -p wa -k mail
+-w /etc/ssh/sshd_config -k sshd
+-a exit,always -F arch=b32 -S sethostname -k hostname
+-a exit,always -F arch=b64 -S sethostname -k hostname
+-w /etc/issue -p wa -k etcissue
+-w /etc/issue.net -p wa -k etcissue
+-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
+-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
+-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/local/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
+-w /bin/su -p x -k priv_esc
+-w /usr/bin/sudo -p x -k priv_esc
+-w /etc/sudoers -p rw -k priv_esc
+-w /sbin/halt -p x -k power
+-w /sbin/poweroff -p x -k power
+-w /sbin/reboot -p x -k power
+-w /sbin/shutdown -p x -k power
+-e 2
diff --git a/audit/audit.rules.prev b/audit/audit.rules.prev
new file mode 100644
index 0000000..d3d6609
--- /dev/null
+++ b/audit/audit.rules.prev
@@ -0,0 +1,6 @@
+## This file is automatically generated from /etc/audit/rules.d
+-D
+-b 8192
+-f 1
+--backlog_wait_time 60000
+
diff --git a/audit/auditd.conf b/audit/auditd.conf
new file mode 100644
index 0000000..ff6a335
--- /dev/null
+++ b/audit/auditd.conf
@@ -0,0 +1,39 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+local_events = yes
+write_logs = yes
+log_file = /var/log/audit/audit.log
+log_group = root
+log_format = ENRICHED
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+name_format = NONE
+##name = mydomain
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+verify_email = yes
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+##tcp_listen_port = 60
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+transport = TCP
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
+distribute_network = no
+q_depth = 400
+overflow_action = SYSLOG
+max_restarts = 10
+plugin_dir = /etc/audit/plugins.d
diff --git a/audit/plugins.d/af_unix.conf b/audit/plugins.d/af_unix.conf
new file mode 100644
index 0000000..a5ba8b1
--- /dev/null
+++ b/audit/plugins.d/af_unix.conf
@@ -0,0 +1,14 @@
+
+# This file controls the configuration of the
+# af_unix socket plugin. It simply takes events
+# and writes them to a unix domain socket. This
+# plugin can take 2 arguments, the path for the
+# socket and the socket permissions in octal.
+
+active = no
+direction = out
+path = builtin_af_unix
+type = builtin
+args = 0640 /var/run/audispd_events
+format = string
+
diff --git a/audit/plugins.d/af_wazuh.conf b/audit/plugins.d/af_wazuh.conf
new file mode 120000
index 0000000..e91a083
--- /dev/null
+++ b/audit/plugins.d/af_wazuh.conf
@@ -0,0 +1 @@
+/var/ossec/etc/af_wazuh.conf
\ No newline at end of file
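Review bot: In audit/auditd.conf, `max_log_file = 8` with `num_logs = 5` and `max_log_file_action = ROTATE` keeps only about 40 MB of local audit history, and the root-execve and failed-open rules in audit/rules.d/audit.rules are likely to cycle through that quickly, so older records are overwritten unless they have already been shipped off-host. `space_left_action = SYSLOG` followed by `admin_space_left_action = SUSPEND` and `disk_full_action = SUSPEND` also means auditing stops with nothing louder than a syslog line. Consider a larger `num_logs` and `space_left_action = email`, so that the configured `action_mail_acct = root` is actually notified before the daemon suspends. Whether events are forwarded at all depends on the af_wazuh.conf symlink target under /var/ossec, which this commit does not track.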
diff --git a/audit/rules.d/99-finalize.rules b/audit/rules.d/99-finalize.rules
new file mode 100644
index 0000000..bc95eba
--- /dev/null
+++ b/audit/rules.d/99-finalize.rules
@@ -0,0 +1 @@
+-e 2
diff --git a/audit/rules.d/audit.rules b/audit/rules.d/audit.rules
new file mode 100644
index 0000000..fc4f433
--- /dev/null
+++ b/audit/rules.d/audit.rules
@@ -0,0 +1,204 @@
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## This determine how long to wait in burst of events
+--backlog_wait_time 60000
+
+## Set failure mode to syslog
+-f 1
+
+###################
+# Audit the audit logs.
+###################
+-w /var/log/audit/ -k auditlog
+
+###################
+## Auditd configuration
+###################
+## Modifications to audit configuration that occur while the audit (check your paths)
+-w /etc/audit/ -p wa -k auditconfig
+-w /etc/libaudit.conf -p wa -k auditconfig
+-w /etc/audisp/ -p wa -k audispconfig
+
+###################
+# Monitor for use of audit management tools
+###################
+# Check your paths
+-w /sbin/auditctl -p x -k audittools
+-w /sbin/auditd -p x -k audittools
+
+###################
+# Special files
+###################
+-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
+-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
+
+###################
+# Mount operations
+###################
+-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
+-a exit,always -F arch=b64 -S mount -S umount2 -k mount
+
+###################
+# Changes to the time
+###################
+-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
+-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
+-w /etc/localtime -p wa -k localtime
+
+###################
+# Use of stunnel
+###################
+-w /usr/sbin/stunnel -p x -k stunnel
+
+###################
+# Schedule jobs
+###################
+-w /etc/cron.allow -p wa -k cron
+-w /etc/cron.deny -p wa -k cron
+-w /etc/cron.d/ -p wa -k cron
+-w /etc/cron.daily/ -p wa -k cron
+-w /etc/cron.hourly/ -p wa -k cron
+-w /etc/cron.monthly/ -p wa -k cron
+-w /etc/cron.weekly/ -p wa -k cron
+-w /etc/crontab -p wa -k cron
+-w /var/spool/cron/crontabs/ -k cron
+
+## user, group, password databases
+-w /etc/group -p wa -k etcgroup
+-w /etc/passwd -p wa -k etcpasswd
+-w /etc/gshadow -k etcgroup
+-w /etc/shadow -k etcpasswd
+-w /etc/security/opasswd -k opasswd
+
+###################
+# Monitor usage of passwd command
+###################
+-w /usr/bin/passwd -p x -k passwd_modification
+
+###################
+# Monitor user/group tools
+###################
+-w /usr/sbin/groupadd -p x -k group_modification
+-w /usr/sbin/groupmod -p x -k group_modification
+-w /usr/sbin/addgroup -p x -k group_modification
+-w /usr/sbin/useradd -p x -k user_modification
+-w /usr/sbin/usermod -p x -k user_modification
+-w /usr/sbin/adduser -p x -k user_modification
+
+###################
+# Login configuration and stored info
+###################
+-w /etc/login.defs -p wa -k login
+-w /etc/securetty -p wa -k login
+-w /var/log/faillog -p wa -k login
+-w /var/log/lastlog -p wa -k login
+-w /var/log/tallylog -p wa -k login
+
+###################
+# Network configuration
+###################
+-w /etc/hosts -p wa -k hosts
+-w /etc/network/ -p wa -k network
+
+###################
+## system startup scripts
+###################
+-w /etc/inittab -p wa -k init
+-w /etc/init.d/ -p wa -k init
+-w /etc/init/ -p wa -k init
+
+###################
+# Library search paths
+###################
+-w /etc/ld.so.conf -p wa -k libpath
+
+###################
+# Kernel parameters and modules
+###################
+-w /etc/sysctl.conf -p wa -k sysctl
+-w /etc/modprobe.conf -p wa -k modprobe
+###################
+
+###################
+# PAM configuration
+###################
+-w /etc/pam.d/ -p wa -k pam
+-w /etc/security/limits.conf -p wa -k pam
+-w /etc/security/pam_env.conf -p wa -k pam
+-w /etc/security/namespace.conf -p wa -k pam
+-w /etc/security/namespace.init -p wa -k pam
+
+###################
+# Puppet (SSL)
+###################
+-w /etc/puppetlabs/puppet/ssl -p wa -k puppet_ssl
+
+###################
+# Postfix configuration
+###################
+-w /etc/aliases -p wa -k mail
+-w /etc/postfix/ -p wa -k mail
+###################
+
+###################
+# SSH configuration
+###################
+-w /etc/ssh/sshd_config -k sshd
+
+###################
+# Hostname
+###################
+-a exit,always -F arch=b32 -S sethostname -k hostname
+-a exit,always -F arch=b64 -S sethostname -k hostname
+
+###################
+# Changes to issue
+###################
+-w /etc/issue -p wa -k etcissue
+-w /etc/issue.net -p wa -k etcissue
+
+###################
+# Log all commands executed by root
+###################
+-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
+-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
+
+###################
+## Capture all failures to access on critical elements
+###################
+-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/local/bin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
+-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
+
+###################
+## su/sudo
+###################
+-w /bin/su -p x -k priv_esc
+-w /usr/bin/sudo -p x -k priv_esc
+-w /etc/sudoers -p rw -k priv_esc
+
+###################
+# Poweroff/reboot tools
+###################
+-w /sbin/halt -p x -k power
+-w /sbin/poweroff -p x -k power
+-w /sbin/reboot -p x -k power
+-w /sbin/shutdown -p x -k power
+
+###################
+# Make the configuration immutable
+###################
+-e 2
+
+# EOF
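Review bot: The nine `unauthedfileacess` rules under "Capture all failures to access on critical elements" match only `-S open` with `arch=b64`, so failed accesses made through `openat`, `creat`, `truncate` or any 32-bit syscall are never recorded, and current libc versions normally issue `openat` rather than `open`. `-F success=0` also matches every failure, ENOENT included, which buries the permission denials this section is after; filtering on `-F exit=-EACCES` and `-F exit=-EPERM` for both architectures, as sketched below for /etc, closes both gaps. Several watches use paths that look Debian-specific (`/var/spool/cron/crontabs/`, `/etc/network/`, `/etc/init/`, `/etc/modprobe.conf`), while the rest of the tree suggests a dnf/authselect host, so they should be checked against what exists here. `-w /etc/sudoers -p rw` covers neither `/etc/sudoers.d/` nor attribute changes. Because `-e 2` makes the loaded rules immutable until reboot, these gaps cannot be fixed on a running system.

```conf
# … unchanged: everything up to the "Log all commands executed by root" rules …
-a exit,always -F arch=b64 -S open -S openat -S creat -S truncate -S ftruncate -F dir=/etc -F exit=-EACCES -k unauthedfileacess
-a exit,always -F arch=b64 -S open -S openat -S creat -S truncate -S ftruncate -F dir=/etc -F exit=-EPERM -k unauthedfileacess
-a exit,always -F arch=b32 -S open -S openat -S creat -S truncate -S ftruncate -F dir=/etc -F exit=-EACCES -k unauthedfileacess
-a exit,always -F arch=b32 -S open -S openat -S creat -S truncate -S ftruncate -F dir=/etc -F exit=-EPERM -k unauthedfileacess
# … the same four rules repeated for each of the other eight directories …
# … unchanged: su/sudo, power tools, -e 2 …
```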
diff --git a/authselect/authselect.conf b/authselect/authselect.conf
new file mode 100644
index 0000000..6f4467b
--- /dev/null
+++ b/authselect/authselect.conf
@@ -0,0 +1,2 @@
+sssd
+
diff --git a/authselect/dconf-db b/authselect/dconf-db
new file mode 100644
index 0000000..4f6a686
--- /dev/null
+++ b/authselect/dconf-db
@@ -0,0 +1,8 @@
+# Generated by authselect on Wed Mar 31 16:42:09 2021
+# Do not modify this file manually.
+
+[org/gnome/login-screen]
+enable-smartcard-authentication=false
+enable-fingerprint-authentication=false
+enable-password-authentication=true
+
diff --git a/authselect/dconf-locks b/authselect/dconf-locks
new file mode 100644
index 0000000..871fa14
--- /dev/null
+++ b/authselect/dconf-locks
@@ -0,0 +1,6 @@
+# Generated by authselect on Wed Mar 31 16:42:09 2021
+# Do not modify this file manually.
+
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication
+/org/gnome/login-screen/enable-password-authentication
diff --git a/authselect/fingerprint-auth b/authselect/fingerprint-auth
new file mode 100644
index 0000000..7802ffe
--- /dev/null
+++ b/authselect/fingerprint-auth
@@ -0,0 +1,3 @@
+# Generated by authselect on Wed Mar 31 16:42:09 2021
+# Do not modify this file manually.
+
diff --git a/authselect/nsswitch.conf b/authselect/nsswitch.conf
new file mode 100644
index 0000000..e3eec65
--- /dev/null
+++ b/authselect/nsswitch.conf
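Review bot: authselect/authselect.conf selects the `sssd` profile with no feature lines, and the generated authselect/password-auth and authselect/system-auth in this commit accordingly carry `pam_unix.so nullok` in both the auth and password stacks and contain no `pam_faillock.so` entries. `nullok` lets an account whose password field is empty authenticate through pam_unix, and without faillock repeated failures are slowed only by `pam_faildelay.so delay=2000000`, never locked out. Since the generated files must not be edited by hand, enable the profile features instead, for example `authselect select sssd without-nullok with-faillock`, and commit the regenerated files.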
@@ -0,0 +1,96 @@
+# Generated by authselect on Wed Mar 31 16:42:09 2021
+# Do not modify this file manually.
+
+# If you want to make changes to nsswitch.conf please modify
+# /etc/authselect/user-nsswitch.conf and run 'authselect apply-changes'.
+#
+# Note that your changes may not be applied as they may be
+# overwritten by selected profile. Maps set in the authselect
+# profile takes always precedence and overwrites the same maps
+# set in the user file. Only maps that are not set by the profile
+# are applied from the user file.
+#
+# For example, if the profile sets:
+# passwd: sss files
+# and /etc/authselect/user-nsswitch.conf contains:
+# passwd: files
+# hosts: files dns
+# the resulting generated nsswitch.conf will be:
+# passwd: sss files # from profile
+# hosts: files dns # from user file
+
+passwd: sss files systemd
+group: sss files systemd
+netgroup: sss files
+automount: sss files
+services: sss files
+
+# Included from /etc/authselect/user-nsswitch.conf
+
+#
+# /etc/nsswitch.conf
+#
+# Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# Valid databases are: aliases, ethers, group, gshadow, hosts,
+# initgroups, netgroup, networks, passwd, protocols, publickey,
+# rpc, services, and shadow.
+#
+# Valid service provider entries include (in alphabetical order):
+#
+# compat Use /etc files plus *_compat pseudo-db
+# db Use the pre-processed /var/db files
+# dns Use DNS (Domain Name Service)
+# files Use the local files in /etc
+# hesiod Use Hesiod (DNS) for user lookups
+# nis Use NIS (NIS version 2), also called YP
+# nisplus Use NIS+ (NIS version 3)
+#
+# See `info libc 'NSS Basics'` for more information.
+#
+# Commonly used alternative service providers (may need installation):
+#
+# ldap Use LDAP directory server
+# myhostname Use systemd host names
+# mymachines Use systemd machine names
+# mdns*, mdns*_minimal Use Avahi mDNS/DNS-SD
+# resolve Use systemd resolved resolver
+# sss Use System Security Services Daemon (sssd)
+# systemd Use systemd for dynamic user option
+# winbind Use Samba winbind support
+# wins Use Samba wins support
+# wrapper Use wrapper module for testing
+#
+# Notes:
+#
+# 'sssd' performs its own 'files'-based caching, so it should generally
+# come before 'files'.
+#
+# WARNING: Running nscd with a secondary caching service like sssd may
+# lead to unexpected behaviour, especially with how long
+# entries are cached.
+#
+# Installation instructions:
+#
+# To use 'db', install the appropriate package(s) (provide 'makedb' and
+# libnss_db.so.*), and place the 'db' in front of 'files' for entries
+# you want to be looked up first in the databases, like this:
+#
+# passwd: db files
+# shadow: db files
+# group: db files
+
+# In order of likelihood of use to accelerate lookup.
+shadow: files sss
+hosts: files dns myhostname
+
+aliases: files
+ethers: files
+gshadow: files
+# Allow initgroups to default to the setting for group.
+# initgroups: files
+networks: files dns
+protocols: files
+publickey: files
+rpc: files
diff --git a/authselect/password-auth b/authselect/password-auth
new file mode 100644
index 0000000..dc2ccfe
--- /dev/null
+++ b/authselect/password-auth
@@ -0,0 +1,29 @@
+# Generated by authselect on Wed Mar 31 16:42:09 2021
+# Do not modify this file manually.
+
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth [default=1 ignore=ignore success=ok] pam_localuser.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth sufficient pam_sss.so forward_pass
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
diff --git a/authselect/postlogin b/authselect/postlogin
new file mode 100644
index 0000000..65710c7
--- /dev/null
+++ b/authselect/postlogin
@@ -0,0 +1,7 @@
+#%PAM-1.0
+#
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog.so nowtmp showfailed
+session optional pam_lastlog.so silent noupdate showfailed
+
diff --git a/authselect/smartcard-auth b/authselect/smartcard-auth
new file mode 100644
index 0000000..7802ffe
--- /dev/null
+++ b/authselect/smartcard-auth
@@ -0,0 +1,3 @@
+# Generated by authselect on Wed Mar 31 16:42:09 2021
+# Do not modify this file manually.
+
diff --git a/authselect/system-auth b/authselect/system-auth
new file mode 100644
index 0000000..dc2ccfe
--- /dev/null
+++ b/authselect/system-auth
@@ -0,0 +1,29 @@
+# Generated by authselect on Wed Mar 31 16:42:09 2021
+# Do not modify this file manually.
+
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth [default=1 ignore=ignore success=ok] pam_localuser.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth sufficient pam_sss.so forward_pass
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
diff --git a/authselect/user-nsswitch.conf b/authselect/user-nsswitch.conf
new file mode 100644
index 0000000..59829b3
--- /dev/null
+++ b/authselect/user-nsswitch.conf
@@ -0,0 +1,72 @@
+#
+# /etc/nsswitch.conf
+#
+# Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# Valid databases are: aliases, ethers, group, gshadow, hosts,
+# initgroups, netgroup, networks, passwd, protocols, publickey,
+# rpc, services, and shadow.
+#
+# Valid service provider entries include (in alphabetical order):
+#
+# compat Use /etc files plus *_compat pseudo-db
+# db Use the pre-processed /var/db files
+# dns Use DNS (Domain Name Service)
+# files Use the local files in /etc
+# hesiod Use Hesiod (DNS) for user lookups
+# nis Use NIS (NIS version 2), also called YP
+# nisplus Use NIS+ (NIS version 3)
+#
+# See `info libc 'NSS Basics'` for more information.
+#
+# Commonly used alternative service providers (may need installation):
+#
+# ldap Use LDAP directory server
+# myhostname Use systemd host names
+# mymachines Use systemd machine names
+# mdns*, mdns*_minimal Use Avahi mDNS/DNS-SD
+# resolve Use systemd resolved resolver
+# sss Use System Security Services Daemon (sssd)
+# systemd Use systemd for dynamic user option
+# winbind Use Samba winbind support
+# wins Use Samba wins support
+# wrapper Use wrapper module for testing
+#
+# Notes:
+#
+# 'sssd' performs its own 'files'-based caching, so it should generally
+# come before 'files'.
+#
+# WARNING: Running nscd with a secondary caching service like sssd may
+# lead to unexpected behaviour, especially with how long
+# entries are cached.
+#
+# Installation instructions:
+#
+# To use 'db', install the appropriate package(s) (provide 'makedb' and
+# libnss_db.so.*), and place the 'db' in front of 'files' for entries
+# you want to be looked up first in the databases, like this:
+#
+# passwd: db files
+# shadow: db files
+# group: db files
+
+# In order of likelihood of use to accelerate lookup.
+passwd: sss files systemd
+shadow: files sss
+group: sss files systemd
+hosts: files dns myhostname
+services: files sss
+netgroup: sss
+automount: files sss
+
+aliases: files
+ethers: files
+gshadow: files
+# Allow initgroups to default to the setting for group.
+# initgroups: files
+networks: files dns
+protocols: files
+publickey: files
+rpc: files
diff --git a/awstats/awstats.192.168.1.2.conf b/awstats/awstats.192.168.1.2.conf
new file mode 100644
index 0000000..697295b
--- /dev/null
+++ b/awstats/awstats.192.168.1.2.conf
@@ -0,0 +1,1619 @@
+# AWSTATS CONFIGURE FILE 7.3
+#-----------------------------------------------------------------------------
+# Copy this file into awstats.www.mydomain.conf and edit this new config file
+# to setup AWStats (See documentation in docs/ directory).
+# The config file must be in /etc/awstats, /usr/local/etc/awstats or /etc (for
+# Unix/Linux) or same directory as awstats.pl (Windows, Mac, Unix/Linux...)
+# To include an environment variable in any parameter (AWStats will replace
+# it with its value when reading it), follow the example:
+# Parameter="__ENVNAME__"
+# Note that environment variable AWSTATS_CURRENT_CONFIG is always defined with
+# the config value in an AWStats running session and can be used like others.
+#-----------------------------------------------------------------------------
+
+
+
+#-----------------------------------------------------------------------------
+# MAIN SETUP SECTION (Required to make AWStats work)
+#-----------------------------------------------------------------------------
+
+# "LogFile" contains the web, ftp or mail server log file to analyze.
+# Possible values: A full path, or a relative path from awstats.pl directory.
+# Example: "/var/log/apache/access.log"
+# Example: "../logs/mycombinedlog.log"
+# You can also use tags in this filename if you need a dynamic file name
+# depending on date or time (Replacement is made by AWStats at the beginning
+# of its execution). These are the available tags :
+# %YYYY-n is replaced with 4 digits year we were n hours ago
+# %YY-n is replaced with 2 digits year we were n hours ago
+# %MM-n is replaced with 2 digits month we were n hours ago
+# %MO-n is replaced with 3 letters month we were n hours ago
+# %DD-n is replaced with day we were n hours ago
+# %HH-n is replaced with hour we were n hours ago
+# %NS-n is replaced with number of seconds at 00:00 since 1970
+# %WM-n is replaced with the week number in month (1-5)
+# %Wm-n is replaced with the week number in month (0-4)
+# %WY-n is replaced with the week number in year (01-52)
+# %Wy-n is replaced with the week number in year (00-51)
+# %DW-n is replaced with the day number in week (1-7, 1=sunday)
+# use n=24 if you need (1-7, 1=monday)
+# %Dw-n is replaced with the day number in week (0-6, 0=sunday)
+# use n=24 if you need (0-6, 0=monday)
+# Use 0 for n if you need current year, month, day, hour...
+# Example: "/var/log/access_log.%YYYY-0%MM-0%DD-0.log"
+# Example: "C:/WINNT/system32/LogFiles/W3SVC1/ex%YY-24%MM-24%DD-24.log"
+# You can also use a pipe if log file come from a pipe :
+# Example: "gzip -cd /var/log/apache/access.log.gz |"
+# If there are several log files from load balancing servers :
+# Example: "/pathtotools/logresolvemerge.pl *.log |"
+#
+LogFile="/var/log/httpd/access_log"
+
+
+# Enter the log file type you want to analyze.
+# Possible values:
+# W - For a web log file
+# S - For a streaming log file
+# M - For a mail log file
+# F - For an ftp log file
+# Example: W
+# Default: W
+#
+LogType=W
+
+
+# Enter here your log format (Must match your web server config. See setup
+# instructions in documentation to know how to configure your web server to
+# have the required log format).
+# Possible values: 1,2,3,4 or "your_own_personalized_log_format"
+# 1 - Apache or Lotus Notes/Domino native combined log format (NCSA combined/XLF/ELF log format)
+# 2 - IIS or ISA format (IIS W3C log format). See FAQ-COM115 For ISA.
+# 3 - Webstar native log format.
+# 4 - Apache or Squid native common log format (NCSA common/CLF log format)
+# With LogFormat=4, some features (browsers, os, keywords...) can't work.
+# "your_own_personalized_log_format" = If your log is ftp, mail or other format,
+# you must use following keys to define the log format string (See FAQ for
+# ftp, mail or exotic web log format examples):
+# %host Client hostname or IP address (or Sender host for mail log)
+# %host_r Receiver hostname or IP address (for mail log)
+# %lognamequot Authenticated login/user with format: "john"
+# %logname Authenticated login/user with format: john
+# %time1 Date and time with format: [dd/mon/yyyy:hh:mm:ss +0000] or [dd/mon/yyyy:hh:mm:ss]
+# %time2 Date and time with format: yyyy-mm-dd hh:mm:ss
+# %time3 Date and time with format: Mon dd hh:mm:ss or Mon dd hh:mm:ss yyyy
+# %time4 Date and time with unix timestamp format: dddddddddd
+# %time5 Date and time with format iso: yyyy-mm-ddThh:mm:ss, with optional timezone specification (ignored)
+# %time6 Date and time with format: dd/mm/yyyy, hh:mm:ss
+# %methodurl Method and URL with format: "GET /index.html HTTP/x.x"
+# %methodurlnoprot Method and URL with format: "GET /index.html"
+# %method Method with format: GET
+# %url URL only with format: /index.html
+# %query Query string (used by URLWithQuery option)
+# %code Return code status (with format for web log: 999)
+# %bytesd Size of document in bytes
+# %refererquot Referer page with format: "http://from.com/from.htm"
+# %referer Referer page with format: http://from.com/from.htm
+# %uabracket User agent with format: [Mozilla/4.0 (compatible, ...)]
+# %uaquot User agent with format: "Mozilla/4.0 (compatible, ...)"
+# %ua User agent with format: Mozilla/4.0_(compatible...)
+# %gzipin mod_gzip compression input bytes: In:XXX
+# %gzipout mod_gzip compression output bytes & ratio: Out:YYY:ZZpct.
+# %gzipratio mod_gzip compression ratio: ZZpct.
+# %deflateratio mod_deflate compression ratio with format: (ZZ)
+# %email EMail sender (for mail log)
+# %email_r EMail receiver (for mail log)
+# %virtualname Web sever virtual hostname. Use this tag when same log
+# contains data of several virtual web servers. AWStats
+# will discard records not in SiteDomain nor HostAliases
+# %cluster If log file is provided from several computers (merged by
+# logresolvemerge.pl), use this to define cluster id field.
+# %extraX Another field that you plan to use for building a
+# personalized report with ExtraSection feature (See later).
+# If your log format has some fields not included in this list, use:
+# %other Means another not used field
+# %otherquot Means another not used double quoted field
+# If your log format has some literal strings, which precede data fields, use
+# status=%code Means your log files have HTTP status logged as "status=200"
+# Literal strings that follow data field must be separated from said data fields by space.
+#
+# Examples for Apache combined logs (following two examples are equivalent):
+# LogFormat = 1
+# LogFormat = "%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
+#
+# Example for IIS:
+# LogFormat = 2
+#
+LogFormat=1
+
+
+# If your log field's separator is not a space, you can change this parameter.
+# This parameter is not used if LogFormat is a predefined value (1,2,3,4)
+# Backslash can be used as escape character.
+# Example: " "
+# Example: "\t"
+# Example: "\|"
+# Example: ","
+# Default: " "
+#
+LogSeparator=" "
+
+
+# "SiteDomain" must contain the main domain name, or the main intranet web
+# server name, used to reach the web site.
+# If you share the same log file for several virtual web servers, this
+# parameter is used to tell AWStats to filter record that contains records for
+# this virtual host name only (So check that this virtual hostname can be
+# found in your log file and use a personalized log format that include the
+# %virtualname tag).
+# But for multi hosting a better solution is to have one log file for each
+# virtual web server. In this case, this parameter is only used to generate
+# full URL's links when ShowLinksOnUrl option is set to 1.
+# If analyzing mail log, enter here the domain name of mail server.
+# Example: "myintranetserver"
+# Example: "www.domain.com"
+# Example: "ftp.domain.com"
+# Example: "domain.com"
+#
+SiteDomain="zira.898.ro"
+
+
+# Enter here all other possible domain names, addresses or virtual host
+# aliases someone can use to access your site. Try to keep only the minimum
+# number of possible names/addresses to have the best performances.
+# You can repeat the "SiteDomain" value in this list.
+# This parameter is used to analyze referer field in log file and to help
+# AWStats to know if a referer URL is a local URL of same site or a URL of
+# another site.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Note: You can also use @/mypath/myfile if list of aliases are in a file.
+# Example: "www.myserver.com localhost 127.0.0.1 REGEX[mydomain\.(net|org)$]"
+#
+HostAliases="REGEX[^.*zira\.898\.ro$]"
+
+
+# If you want to have hosts reported by name instead of ip address, AWStats
+# needs to make reverse DNS lookups (if not already done in your log file).
+# With DNSLookup to 0, all hosts will be reported by their IP addresses and
+# not by the full hostname of visitors (except if names are already available
+# in log file).
+# If you want/need to set DNSLookup to 1, don't forget that this will
+# dramatically reduce AWStats's update process speed. Do not use on large web
+# sites.
+# Note: Reverse DNS lookup is done on IPv4 only (Enable ipv6 plugin for IPv6).
+# Note: Result of DNS Lookup can be used to build the Country report. However
+# it is highly recommanded to enable the plugin 'geoip', 'geoipfree', or 'geoip2'
+# to have an accurate Country report with no need for DNS Lookup.
+# Possible values:
+# 0 - No DNS Lookup
+# 1 - DNS Lookup is fully enabled
+# 2 - DNS Lookup is made only from static DNS cache file (if it exists)
+# Default: 2
+#
+DNSLookup=2
+
+
+# For very large sites, setting DNSLookup to 0 (or 2) might be the only
+# reasonable choice. DynamicDNSLookup allows to resolve host names for
+# items shown in html tables only, when data is output on reports instead
+# of resolving once during log analysis step.
+# Possible values:
+# 0 - No dynamic DNS lookup
+# 1 - Dynamic DNS lookup enabled
+# 2 - Dynamic DNS lookup enabled (including static DNS cache file as a second
+# source)
+# Default: 0
+#
+DynamicDNSLookup=0
+
+
+# When AWStats updates its statistics, it stores results of its analysis in
+# files (AWStats database). All those files are written in the directory
+# defined by the "DirData" parameter. Set this value to the directory where
+# you want AWStats to save its database and working files into.
+# Warning: If you want to be able to use the "AllowToUpdateStatsFromBrowser"
+# feature (see later), you need "Write" permissions by web server user on this
+# directory (and "Modify" for Windows NTFS file systems).
+# Example: "/var/lib/awstats"
+# Example: "../data"
+# Example: "C:/awstats_data_dir"
+# Default: "." (means same directory as awstats.pl)
+#
+DirData="/var/lib/awstats"
+
+
+# Relative or absolute web URL of your awstats cgi-bin directory.
+# This parameter is used only when AWStats is run from command line
+# with -output option (to generate links in HTML reported page).
+# Example: "/awstats"
+# Default: "/cgi-bin" (means awstats.pl is in "/yourwwwroot/cgi-bin")
+#
+DirCgi="/awstats"
+
+
+# Relative or absolute web URL of your awstats icon directory.
+# If you build static reports ("... -output > outputpath/output.html"), enter
+# path of icon directory relative to the output directory 'outputpath'.
+# Example: "/awstatsicons"
+# Example: "../icon"
+# Default: "/icon" (means you must copy icon directories in "/mywwwroot/icon")
+#
+DirIcons="/awstatsicons"
+
+
+# When this parameter is set to 1, AWStats adds a button on the report page to
+# allow to "update" statistics from a web browser. Warning, when "update" is
+# made from a browser, AWStats is run as a CGI by the web server user defined
+# in your web server (user "nobody" by default with Apache, "IUSR_XXX" with
+# IIS), so the "DirData" directory and all already existing history files
+# awstatsMMYYYY[.xxx].txt must be writable by this user. Change permissions if
+# necessary to "Read/Write" (and "Modify" for Windows NTFS file systems).
+# Warning: Update process can be long so you might experience "time out"
+# browser errors if you don't launch AWStats frequently enough.
+# When set to 0, update is only made when AWStats is run from the command
+# line interface (or a task scheduler).
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowToUpdateStatsFromBrowser=0
+
+
+# AWStats saves and sorts its database on a monthly basis (except if using
+# databasebreak option from command line).
+# However, if you choose the -month=all from command line or
+# value '-Year-' from CGI combo form to have a report for all year, AWStats
+# needs to reload all data for full year (each month), and sort them,
+# requiring a large amount of time, memory and CPU. This might be a problem
+# for web hosting providers that offer AWStats for large sites, on shared
+# servers, to non CPU cautious customers.
+# For this reason, the 'full year' is only enabled on Command Line by default.
+# You can change this by setting this parameter to 0, 1, 2 or 3.
+# Possible values:
+# 0 - Never allowed
+# 1 - Allowed on CLI only, -Year- value in combo is not visible
+# 2 - Allowed on CLI only, -Year- value in combo is visible but not allowed
+# 3 - Possible on CLI and CGI
+# Default: 2
+#
+AllowFullYearView=2
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL SETUP SECTION (Not required but enhances AWStats's functionality)
+#-----------------------------------------------------------------------------
+
+# When the update process runs, AWStats can set a lock file in TEMP or TMP
+# directory. This lock is to avoid to have 2 update processes running at the
+# same time to prevent unknown conflicts problems and avoid DoS attacks when
+# AllowToUpdateStatsFromBrowser is set to 1.
+# Because, when you use lock file, you can sometimes experience problems if
+# lock file is not correctly removed (killed process for example requires that
+# you remove the file manually), this option is not enabled by default (Do
+# not enable this option with no console server access).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+EnableLockForUpdate=1
+
+
+# AWStats can do reverse DNS lookups through a static DNS cache file that was
+# previously created manually. If no path is given in static DNS cache file
+# name, AWStats will search DirData directory. This file is never changed.
+# This option is not used if DNSLookup=0.
+# Note: DNS cache file format is 'minsince1970 ipaddress resolved_hostname'
+# or just 'ipaddress resolved_hostname'
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscache"
+# Default: "dnscache.txt"
+#
+DNSStaticCacheFile="dnscache.txt"
+
+
+# AWStats can do reverse DNS lookups through a DNS cache file that was created
+# by a previous run of AWStats. This file is erased and recreated after each
+# statistics update process. You don't need to create and/or edit it.
+# AWStats will read and save this file in DirData directory.
+# This option is used only if DNSLookup=1.
+# Note: If a DNSStaticCacheFile is available, AWStats will check for DNS
+# lookup in DNSLastUpdateCacheFile after checking into DNSStaticCacheFile.
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscachelastupdate"
+# Default: "dnscachelastupdate.txt"
+#
+DNSLastUpdateCacheFile="dnscachelastupdate.txt"
+
+
+# You can specify specific IP addresses that should NOT be looked up in DNS.
+# This option is used only if DNSLookup=1.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "123.123.123.123 REGEX[^192\.168\.]"
+# Default: ""
+#
+SkipDNSLookupFor=""
+
+
+# The following two parameters allow you to protect a config file from being
+# read by AWStats when called from a browser if the web user has not been
+# authenticated. Your AWStats program must be in a web protected "realm" (With
+# Apache, you can use .htaccess files to do so. With other web servers, see
+# your server setup manual).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowAccessFromWebToAuthenticatedUsersOnly=0
+
+
+# This parameter gives the list of all authorized authenticated users to view
+# statistics for this domain/config file. This parameter is used only if
+# AllowAccessFromWebToAuthenticatedUsersOnly is set to 1.
+# Change : Effective immediately
+# Example: "user1 user2"
+# Example: "__REMOTE_USER__"
+# Default: ""
+#
+AllowAccessFromWebToFollowingAuthenticatedUsers=""
+
+
+# When this parameter is defined to something, the IP address of the user that
+# reads its statistics from a browser (when AWStats is used as a CGI) is
+# checked and must match one of the IP address values or ranges.
+# Change : Effective immediately
+# Example: "127.0.0.1 123.123.123.1-123.123.123.255"
+# Default: ""
+#
+AllowAccessFromWebToFollowingIPAddresses=""
+
+
+# If the "DirData" directory (see above) does not exist, AWStats returns an
+# error. However, you can ask AWStats to create it.
+# This option can be used by some Web Hosting Providers that have defined a
+# dynamic value for DirData (for example DirData="/home/__REMOTE_USER__") and
+# don't want to have to create a new directory each time they add a new user.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+CreateDirDataIfNotExists=0
+
+
+# You can choose in which format the AWStats history database is saved.
+# Note: Using "xml" format makes AWStats database files three times larger than
+# using "text" format.
+# Change : Database format is switched after next update
+# Possible values: text or xml
+# Default: text
+#
+BuildHistoryFormat=text
+
+
+# If you prefer having the report output pages be built as XML compliant pages
+# instead of simple HTML pages, you can set this to 'xhtml' (May not work
+# properly with old browsers).
+# Change : Effective immediately
+# Possible values: html or xhtml
+# Default: html
+#
+BuildReportFormat=html
+
+
+# AWStats databases can be updated from command line or from a browser (when
+# used as a cgi program). So AWStats database files need write permission
+# for both command line user and default web server user ('nobody' for Unix,
+# 'IUSR_xxx' for IIS/Windows,...).
+# To avoid permission problems between update process (run by an admin user)
+# and CGI process (ran by a low level user), AWStats can save its database
+# files with read and write permissions for everyone.
+# By default, AWStats keeps default user permissions on updated files. If you
+# set AllowToUpdateStatsFromBrowser to 1, you can change this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+SaveDatabaseFilesWithPermissionsForEveryone=0
+
+
+# AWStats can purge log file, after analyzing it. Note that AWStats is able
+# to detect new lines in a log file, to process only them, so you can launch
+# AWStats as often as you want, even with this parameter to 0.
+# With 0, no purge is made, so you must use a scheduled task or a web server
+# that make this purge frequently.
+# With 1, the purge of the log file is made each time AWStats update is run.
+# This parameter doesn't work with IIS (This web server doesn't let its log
+# file to be purged).
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+PurgeLogFile=0
+
+
+# When PurgeLogFile is set to 1, AWStats will clean your log file after
+# processing it. You can however keep an archive file of all processed log
+# records by setting this parameter (For example if you want to use another
+# log analyzer). The archived log file is saved in "DirData" with name
+# awstats_archive.configname[.suffix].log
+# This parameter is not used if PurgeLogFile=0
+# Change : Effective for new updates only
+# Possible values: 0, 1, or tags (See LogFile parameter) for suffix
+# Example: 1
+# Example: %YYYY%MM%DD
+# Default: 0
+#
+ArchiveLogRecords=0
+
+
+# Each time you run the update process, AWStats overwrites the 'historic file'
+# for the month (awstatsMMYYYY[.*].txt) with the updated one.
+# When write errors occur (IO, disk full,...), this historic file can be
+# corrupted and must be deleted. Because this file contains information of all
+# past processed log files, you will lose old stats if removed. So you can
+# ask AWStats to save last non corrupted file in a .bak file. This file is
+# stored in "DirData" directory with other 'historic files'.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+KeepBackupOfHistoricFiles=0
+
+
+# Default index page name for your web server.
+# Change : Effective for new updates only
+# Example: "index.php index.html default.html"
+# Default: "index.php index.html"
+#
+DefaultFile="index.php index.html"
+
+
+# Do not include access from clients that match following criteria.
+# If your log file contains IP addresses in host field, you must enter here
+# matching IP addresses criteria.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "SkipHosts" is "OnlyHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Example: "localhost REGEX[^.*\.localdomain$]"
+# Default: ""
+#
+SkipHosts="127.0.0.1"
+
+
+# Do not include access from clients with a user agent that match following
+# criteria. If you want to exclude a robot, you should update the robots.pm
+# file instead of this parameter.
+# The opposite parameter of "SkipUserAgents" is "OnlyUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "konqueror REGEX[ua_test_v\d\.\d]"
+# Default: ""
+#
+SkipUserAgents=""
+
+
+# Use SkipFiles to ignore access to URLs that match one of following entries.
+# You can enter a list of not important URLs (like framed menus, hidden pages,
+# etc...) to exclude them from statistics. You must enter here exact relative
+# URL as found in log file, or a matching REGEX value. Check apply on URL with
+# all its query paramaters.
+# For example, to ignore /badpage.php, just add "/badpage.php". To ignore all
+# pages in a particular directory, add "REGEX[^\/directorytoexclude]".
+# The opposite parameter of "SkipFiles" is "OnlyFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "/badpage.php /page.php?param=x REGEX[^\/excludedirectory]"
+# Default: ""
+#
+SkipFiles=""
+
+
+# Use SkipReferrersBlackList if you want to exclude records coming from a SPAM
+# referrer. Parameter must receive a local file name containing rules applied
+# on referrer field. If parameter is empty, no filter is applied.
+# An example of such a file is available in lib/blacklist.txt
+# Change : Effective for new updates only
+# Example: "/mylibpath/blacklist.txt"
+# Default: ""
+#
+# WARNING!! Using this feature make AWStats running very slower (5 times slower
+# with black list file provided with AWStats !
+#
+SkipReferrersBlackList=""
+
+
+# Include in stats, only accesses from hosts that match one of following
+# entries. For example, if you want AWStats to filter access to keep only
+# stats for visits from particular hosts, you can add those host names in
+# this parameter.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "OnlyHosts" is "SkipHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Default: ""
+#
+OnlyHosts=""
+
+
+# Include in stats, only accesses from user agent that match one of following
+# entries. For example, if you want AWStats to filter access to keep only
+# stats for visits from particular browsers, you can add their user agents
+# string in this parameter.
+# The opposite parameter of "OnlyUserAgents" is "SkipUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "msie"
+# Default: ""
+#
+OnlyUserAgents=""
+
+
+# Include in stats, only accesses from authenticated users that match one of
+# following entries. For example, if you want AWStats to filter access to keep
+# only stats for authenticated users, you can add those users names in
+# this parameter. Useful for statistics for per user ftp logs.
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "john bob REGEX[^testusers]"
+# Default: ""
+#
+OnlyUsers=""
+
+
+# Include in stats, only accesses to URLs that match one of following entries.
+# For example, if you want AWStats to filter access to keep only stats that
+# match a particular string, like a particular directory, you can add this
+# directory name in this parameter.
+# The opposite parameter of "OnlyFiles" is "SkipFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "REGEX[marketing_directory] REGEX[office\/.*\.(csv|sxw)$]"
+# Default: ""
+#
+OnlyFiles=""
+
+
+# Add here a list of kind of url (file extension) that must be counted as
+# "Hit only" and not as a "Hit" and "Page/Download". You can set here all
+# image extensions as they are hit downloaded that must be counted but they
+# are not viewed pages. URLs with such extensions are not included in the TOP
+# Pages/URL report.
+# Note: If you want to exclude particular URLs from stats (No Pages and no
+# Hits reported), you must use SkipFiles parameter.
+# Change : Effective for new updates only
+# Example: "css js class gif jpg jpeg png bmp ico rss xml swf zip arj rar gz z bz2 wav mp3 wma mpg avi"
+# Example: ""
+# Default: "css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+#
+NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+
+
+# By default, AWStats considers that records found in web log file are
+# successful hits if HTTP code returned by server is a valid HTTP code (200
+# and 304). Any other code are reported in HTTP status chart.
+# Note that HTTP 'control codes', like redirection (302, 305) are not added by
+# default in this list as they are not pages seen by a visitor but are
+# protocol exchange codes to tell the browser to ask another page. Because
+# this other page will be counted and seen with a 200 or 304 code, if you
+# add such codes, you will have 2 pages viewed reported for only one in facts.
+# Change : Effective for new updates only
+# Example: "200 304 302 305"
+# Default: "200 304"
+#
+ValidHTTPCodes="200 304"
+
+
+# By default, AWStats considers that records found in mail log file are
+# successful mail transfers if field that represent return code in analyzed
+# log file match values defined by this parameter.
+# Change : Effective for new updates only
+# Example: "1 250 200"
+# Default: "1 250"
+#
+ValidSMTPCodes="1 250"
+
+
+# By default, AWStats only records info on 404 'Document Not Found' errors.
+# At the cost of additional processing time, further info pages can be made
+# available by adding codes below.
+# Change : Effective for new updates only
+# Example: "403 404"
+# Default: "404"
+#
+TrapInfosForHTTPErrorCodes = "400 403 404"
+
+
+# Some web servers on some Operating systems (IIS-Windows) consider that a
+# login with same value but different case are the same login. To tell AWStats
+# to also consider them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+AuthenticatedUsersNotCaseSensitive=0
+
+
+# Some web servers on some Operating systems (IIS-Windows) considers that two
+# URLs with same value but different case are the same URL. To tell AWStats to
+# also considers them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLNotCaseSensitive=0
+
+
+# Keep or remove the anchor string you can find in some URLs.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLWithAnchor=0
+
+
+# In URL links, "?" char is used to add parameter's list in URLs. Syntax is:
+# /mypage.html?param1=value1¶m2=value2
+# However, some servers/sites use also other chars to isolate dynamic part of
+# their URLs. You can complete this list with all such characters.
+# Change : Effective for new updates only
+# Example: "?;,"
+# Default: "?;"
+#
+URLQuerySeparators="?;"
+
+
+# Keep or remove the query string to the URL in the statistics for individual
+# pages. This is primarily used to differentiate between the URLs of dynamic
+# pages. If set to 1, mypage.html?id=x and mypage.html?id=y are counted as two
+# different pages.
+# Warning, when set to 1, memory required to run AWStats is dramatically
+# increased if you have a lot of changing URLs (for example URLs with a random
+# id inside). Such web sites should not set this option to 1 or use seriously
+# the next parameter URLWithQueryWithOnlyFollowingParameters (or eventually
+# URLWithQueryWithoutFollowingParameters).
+# Change : Effective for new updates only
+# Possible values:
+# 0 - URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLWithQuery=0
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to keep only parameters
+# you need (if you know them) before counting, manipulating and storing URL.
+# Enter here list of wanted parameters. For example, with "param", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithoutFollowingParameters.
+# Change : Effective for new updates only
+# Example: "param"
+# Default: ""
+#
+URLWithQueryWithOnlyFollowingParameters=""
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to remove such parameters
+# from the URL before counting, manipulating and storing URL. Enter here list
+# of all non wanted parameters. For example if you enter "id", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithOnlyFollowingParameters.
+# Change : Effective for new updates only
+# Example: "PHPSESSID jsessionid"
+# Default: ""
+#
+URLWithQueryWithoutFollowingParameters=""
+
+
+# Keep or remove the query string to the referrer URL in the statistics for
+# external referrer pages. This is used to differentiate between the URLs of
+# dynamic referrer pages. If set to 1, mypage.html?id=x and mypage.html?id=y
+# are counted as two different referrer pages.
+# Change : Effective for new updates only
+# Possible values:
+# 0 - Referrer URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLReferrerWithQuery=0
+
+
+# AWStats can detect setup problems or show you important informations to have
+# a better use. Keep this to 1, except if AWStats says you can change it.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 1
+#
+WarningMessages=1
+
+
+# When an error occurs, AWStats outputs a message related to errors. If you
+# want (in most cases for security reasons) to have no error messages, you
+# can set this parameter to your personalized generic message.
+# Change : Effective immediately
+# Example: "An error occurred. Contact your Administrator"
+# Default: ""
+#
+ErrorMessages=""
+
+
+# AWStat can be run with debug=x parameter to output various informations
+# to help in debugging or solving troubles. If you want to allow this (not
+# enabled by default for security reasons), set this parameter to 0.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+DebugMessages=0
+
+
+# To help you to detect if your log format is good, AWStats reports an error
+# if all the first NbOfLinesForCorruptedLog lines have a format that does not
+# match the LogFormat parameter.
+# However, some worm virus attack on your web server can result in a very high
+# number of corrupted lines in your log.
So if you experience awstats stop
+# because of bad virus records at the beginning of your log file, you can
+# increase this parameter (very rare).
+# Change : Effective for new updates only
+# Default: 50
+#
+NbOfLinesForCorruptedLog=50
+
+
+# For some particular integration needs, you may want to have CGI links to
+# point to another script than awstats.pl.
+# Use the name of this script in WrapperScript parameter.
+# Change : Effective immediately
+# Example: "awstatslauncher.pl"
+# Example: "awstatswrapper.cgi?key=123"
+# Default: ""
+#
+WrapperScript=""
+
+
+# DecodeUA must be set to 1 if you use Roxen web server. This server converts
+# all spaces in user agent field into %20. This make the AWStats robots, OS
+# and browsers detection fail in some cases. Just change it to 1 if and only
+# if your web server is Roxen.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+DecodeUA=0
+
+
+# MiscTrackerUrl can be used to make AWStats able to detect some miscellaneous
+# things, that can not be tracked on other way, like:
+# - Javascript disabled
+# - Java enabled
+# - Screen size
+# - Color depth
+# - Macromedia Director plugin
+# - Macromedia Shockwave plugin
+# - Realplayer G2 plugin
+# - QuickTime plugin
+# - Mediaplayer plugin
+# - Acrobat PDF plugin
+# To enable all these features, you must copy the awstats_misc_tracker.js file
+# into a /js/ directory stored in your web document root and add the following
+# HTML code at the end of your index page (but before ) :
+#
+#
+#
+#
+# If code is not added in index page, all those detection capabilities will be
+# disabled. You must also check that ShowScreenSizeStats and ShowMiscStats
+# parameters are set to 1 to make results appear in AWStats report page.
+# If you want to use another directory than /js/, you must also change the
+# awstatsmisctrackerurl variable into the awstats_misc_tracker.js file.
+# Change : Effective for new updates only.
+# Possible value: URL of javascript tracker file added in your HTML code.
+# Default: "/js/awstats_misc_tracker.js"
+#
+MiscTrackerUrl="/js/awstats_misc_tracker.js"
+
+
+# AddLinkToExternalCGIWrapper can be used to add a link to a wrapper script
+# into each title of Dolibarr reports. This can be used to add a wrapper
+# to download data into a CSV file for example.
+#
+# AddLinkToExternalCGIWrapper="/awstats/awdownloadcsv.pl"
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL ACCURACY SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# The following values allow you to define accuracy of AWStats entities
+# (robots, browsers, os, referers, file types) detection.
+# It might be a good idea for large web sites or ISP that provides AWStats to
+# high number of customers, to set this parameter to 1 (or 0), instead of 2.
+# Possible values:
+# 0 = No detection,
+# 1 = Medium/Standard detection
+# 2 = Full detection
+# Change : Effective for new updates only
+# Note : LevelForBrowsersDetection can also accept value "allphones". This
+# enable detailed detection of phone/pda browsers.
+# Default: 2 (0 for LevelForWormsDetection)
+#
+LevelForBrowsersDetection=2 # 0 disables Browsers detection.
+ # 2 reduces AWStats speed by 2%
+ # allphones reduces AWStats speed by 5%
+LevelForOSDetection=2 # 0 disables OS detection.
+ # 2 reduces AWStats speed by 3%
+LevelForRefererAnalyze=2 # 0 disables Origin detection.
+ # 2 reduces AWStats speed by 14%
+LevelForRobotsDetection=2 # 0 disables Robots detection.
+ # 2 reduces AWStats speed by 2.5%
+LevelForSearchEnginesDetection=2 # 0 disables Search engines detection.
+ # 2 reduces AWStats speed by 9%
+LevelForKeywordsDetection=2 # 0 disables Keyphrases/Keywords detection.
+ # 2 reduces AWStats speed by 1%
+LevelForFileTypesDetection=2 # 0 disables File types detection.
+ # 2 reduces AWStats speed by 1%
+LevelForWormsDetection=0 # 0 disables Worms detection.
+ # 2 reduces AWStats speed by 15%
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL APPEARANCE SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# When you use AWStats as a CGI, you can have the reports shown in HTML frames.
+# Frames are only available for report viewed dynamically. When you build
+# pages from command line, this option is not used and no frames are built.
+# Possible values: 0 or 1
+# Default: 1
+#
+UseFramesWhenCGI=1
+
+
+# This parameter asks your browser to open detailed reports into a different
+# window than the main page.
+# Possible values:
+# 0 - Open all in same browser window
+# 1 - Open detailed reports in another window except if using frames
+# 2 - Open always in a different window even if reports are framed
+# Default: 1
+#
+DetailedReportsOnNewWindows=1
+
+
+# You can add, in the HTML report page, a cache lifetime (in seconds) that
+# will be returned to the browser in HTTP header answer by server.
+# This parameter is not used when reports are built with -staticlinks option.
+# Example: 3600
+# Default: 0
+#
+Expires=3600
+
+
+# To avoid too large web pages, you can ask AWStats to limit number of rows of
+# all reported charts to this number when no other limits apply.
+# Default: 10000
+#
+MaxRowsInHTMLOutput=10000
+
+
+# Set your primary language (ISO-639-1 language codes).
+# Possible values:
+# Albanian=al, Bosnian=ba, Bulgarian=bg, Catalan=ca,
+# Chinese (Taiwan)=tw, Chinese (Simpliefied)=cn, Croatian=hr, Czech=cz,
+# Danish=dk, Dutch=nl, English=en, Estonian=et, Euskara=eu, Finnish=fi,
+# French=fr, Galician=gl, German=de, Greek=gr, Hebrew=he, Hungarian=hu,
+# Icelandic=is, Indonesian=id, Italian=it, Japanese=jp, Korean=ko,
+# Latvian=lv, Norwegian (Nynorsk)=nn, Norwegian (Bokmal)=nb, Polish=pl,
+# Portuguese=pt, Portuguese (Brazilian)=br, Romanian=ro, Russian=ru,
+# Serbian=sr, Slovak=sk, Slovenian=si, Spanish=es, Swedish=se, Turkish=tr,
+# Ukrainian=ua, Welsh=cy.
+# First available language accepted by browser=auto
+# Default: "auto"
+#
+Lang="auto"
+
+
+# Set the location of language files.
+# Example: "/usr/share/awstats/lang"
+# Default: "./lang" (means lang directory is in same location than awstats.pl)
+#
+DirLang="./lang"
+
+
+# Show menu header with reports' links
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowMenu=1
+
+
+# You choose here which reports you want to see in the main page and what you
+# want to see in those reports.
+# Possible values:
+# 0 - Report is not shown at all
+# 1 - Report is shown in main page with an entry in menu and default columns
+# XYZ - Report shows column informations defined by code X,Y,Z...
+# X,Y,Z...
are code letters among the following:
+# U = Unique visitors
+# V = Visits
+# P = Number of pages
+# H = Number of hits (or mails)
+# B = Bandwidth (or total mail size for mail logs)
+# L = Last access date
+# E = Entry pages
+# X = Exit pages
+# C = Web compression (mod_gzip,mod_deflate)
+# M = Average mail size (mail logs)
+#
+
+# Show monthly summary
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowSummary=UVPHB
+
+# Show monthly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowMonthStats=UVPHB
+
+# Show days of month chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: VPHB, Possible column codes: VPHB
+ShowDaysOfMonthStats=VPHB
+
+# Show days of week chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowDaysOfWeekStats=PHB
+
+# Show hourly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowHoursStats=PHB
+
+# Show domains/country chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: UVPHB
+ShowDomainsStats=PHB
+
+# Show hosts chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHBL, Possible column codes: PHBL
+ShowHostsStats=PHBL
+
+# Show authenticated users chart
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHBL
+ShowAuthenticatedUsers=0
+
+# Show robots chart
+# Context: Web, Streaming
+# Default: HBL, Possible column codes: HBL
+ShowRobotsStats=HBL
+
+# Show worms chart
+# Context: Web, Streaming
+# Default: 0 (If set to other than 0, see also LevelForWormsDetection), Possible column codes: HBL
+ShowWormsStats=0
+
+# Show email senders chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailSenders=0
+
+# Show email receivers chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailReceivers=0
+
+# Show
session chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowSessionsStats=1
+
+# Show pages-url chart.
+# Context: Web, Streaming, Ftp
+# Default: PBEX, Possible column codes: PBEX
+ShowPagesStats=PBEX
+
+# Show file types chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HBC
+ShowFileTypesStats=HB
+
+# Show file size chart (Not yet available)
+# Context: Web, Streaming, Mail, Ftp
+# Default: 1, Possible column codes: None
+ShowFileSizesStats=0
+
+# Show downloads chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HB
+ShowDownloadsStats=HB
+
+# Show operating systems chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowOSStats=1
+
+# Show browsers chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowBrowsersStats=1
+
+# Show screen size chart
+# Context: Web, Streaming
+# Default: 0 (If set to 1, see also MiscTrackerUrl), Possible column codes: None
+ShowScreenSizeStats=0
+
+# Show origin chart
+# Context: Web, Streaming
+# Default: PH, Possible column codes: PH
+ShowOriginStats=PH
+
+# Show keyphrases chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeyphrasesStats=1
+
+# Show keywords chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeywordsStats=1
+
+# Show misc chart
+# Context: Web, Streaming
+# Default: a (See also MiscTrackerUrl parameter), Possible column codes: anjdfrqwp
+ShowMiscStats=a
+
+# Show http errors chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowHTTPErrorsStats=1
+
+# Show http error page details
+# Context: Web, Streaming
+# Default: R, Possible column codes: RH
+ShowHTTPErrorsPageDetail=R
+
+# Show smtp errors chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: None
+ShowSMTPErrorsStats=0
+
+# Show the cluster report (Your LogFormat must contains the
%cluster tag)
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHB
+ShowClusterStats=0
+
+
+# Some graphical reports are followed by the data array of values.
+# If you don't want this array (to reduce the report size for example), you
+# can set thoose options to 0.
+# Possible values: 0 or 1
+# Default: 1
+#
+# Data array values for the ShowMonthStats report
+AddDataArrayMonthStats=1
+# Data array values for the ShowDaysOfMonthStats report
+AddDataArrayShowDaysOfMonthStats=1
+# Data array values for the ShowDaysOfWeekStats report
+AddDataArrayShowDaysOfWeekStats=1
+# Data array values for the ShowHoursStats report
+AddDataArrayShowHoursStats=1
+
+
+# In the Origin chart, you have stats on where your hits came from. You can
+# include hits on pages that come from pages of same sites in this chart.
+# Possible values: 0 or 1
+# Default: 0
+#
+IncludeInternalLinksInOriginSection=0
+
+
+# The following parameters can be used to choose the maximum number of lines
+# shown for the particular following reports.
+#
+# Stats by countries/domains
+MaxNbOfDomain = 10
+MinHitDomain = 1
+# Stats by hosts
+MaxNbOfHostsShown = 10
+MinHitHost = 1
+# Stats by authenticated users
+MaxNbOfLoginShown = 10
+MinHitLogin = 1
+# Stats by robots
+MaxNbOfRobotShown = 10
+MinHitRobot = 1
+# Stats for Downloads
+MaxNbOfDownloadsShown = 10
+MinHitDownloads = 1
+# Stats by pages
+MaxNbOfPageShown = 10
+MinHitFile = 1
+# Stats by OS
+MaxNbOfOsShown = 10
+MinHitOs = 1
+# Stats by browsers
+MaxNbOfBrowsersShown = 10
+MinHitBrowser = 1
+# Stats by screen size
+MaxNbOfScreenSizesShown = 5
+MinHitScreenSize = 1
+# Stats by window size (following 2 parameters are not yet used)
+MaxNbOfWindowSizesShown = 5
+MinHitWindowSize = 1
+# Stats by referers
+MaxNbOfRefererShown = 10
+MinHitRefer = 1
+# Stats for keyphrases
+MaxNbOfKeyphrasesShown = 10
+MinHitKeyphrase = 1
+# Stats for keywords
+MaxNbOfKeywordsShown = 10
+MinHitKeyword = 1
+# Stats for sender or receiver emails
+MaxNbOfEMailsShown = 20
+MinHitEMail = 1
+
+
+# Choose if you want the week report to start on sunday or monday
+# Possible values:
+# 0 - Week starts on sunday
+# 1 - Week starts on monday
+# Default: 1
+#
+FirstDayOfWeek=1
+
+
+# List of visible flags that link to other language translations.
+# See Lang parameter for list of allowed flag/language codes.
+# If you don't want any flag link, set ShowFlagLinks to "".
+# This parameter is used only if ShowMenu parameter is set to 1.
+# Possible values: "" or "language_codes_separated_by_space"
+# Example: "en es fr nl de"
+# Default: ""
+#
+ShowFlagLinks=""
+
+
+# Each URL, shown in stats report views, are links you can click.
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowLinksOnUrl=1
+
+
+# When AWStats builds HTML links in its report pages, it starts those links
+# with "http://". However some links might be HTTPS links, so you can enter
+# here the root of all your HTTPS links. If all your site is a SSL web site,
+# just enter "/".
+# This parameter is not used if ShowLinksOnUrl is 0.
+# Example: "/shopping"
+# Example: "/"
+# Default: ""
+#
+UseHTTPSLinkForUrl=""
+
+
+# Maximum length of URL part shown on stats page (number of characters).
+# This affects only URL visible text, links still work.
+# Default: 64
+#
+MaxLengthOfShownURL=64
+
+
+# You can enter HTML code that will be added at the top of AWStats reports.
+# Default: ""
+#
+HTMLHeadSection=""
+
+
+# You can enter HTML code that will be added at the end of AWStats reports.
+# Great to add advert ban.
+# Default: ""
+#
+HTMLEndSection=""
+
+
+# By default AWStats page contains meta tag robots=noindex,nofollow
+# If you want to have your statistics to be indexed, set this option to 1.
+# Default: 0
+#
+MetaRobot=0
+
+
+# You can set Logo and LogoLink to use your own logo.
+# Logo must be the name of image file (must be in $DirIcons/other directory).
+# LogoLink is the expected URL when clicking on Logo.
+# Default: "awstats_logo6.png"
+#
+Logo="awstats_logo6.png"
+LogoLink="http://www.awstats.org"
+
+
+# Value of maximum bar width/height for horizontal/vertical HTML graphics bars.
+# Default: 260/90
+#
+BarWidth = 260
+BarHeight = 90
+
+
+# You can ask AWStats to use a particular CSS (Cascading Style Sheet) to
+# change its look. To create a style sheet, you can use samples provided with
+# AWStats in wwwroot/css directory.
+# Example: "/awstatscss/awstats_bw.css"
+# Example: "/css/awstats_bw.css"
+# Default: ""
+#
+StyleSheet=""
+
+
+# Those color parameters can be used (if StyleSheet parameter is not used)
+# to change AWStats look.
+# Example: color_name="RRGGBB" # RRGGBB is Red Green Blue components in Hex
+#
+color_Background="FFFFFF" # Background color for main page (Default = "FFFFFF")
+color_TableBGTitle="CCCCDD" # Background color for table title (Default = "CCCCDD")
+color_TableTitle="000000" # Table title font color (Default = "000000")
+color_TableBG="CCCCDD" # Background color for table (Default = "CCCCDD")
+color_TableRowTitle="FFFFFF" # Table row title font color (Default = "FFFFFF")
+color_TableBGRowTitle="ECECEC" # Background color for row title (Default = "ECECEC")
+color_TableBorder="ECECEC" # Table border color (Default = "ECECEC")
+color_text="000000" # Color of text (Default = "000000")
+color_textpercent="606060" # Color of text for percent values (Default = "606060")
+color_titletext="000000" # Color of text title within colored Title Rows (Default = "000000")
+color_weekend="EAEAEA" # Color for week-end days (Default = "EAEAEA")
+color_link="0011BB" # Color of HTML links (Default = "0011BB")
+color_hover="605040" # Color of HTML on-mouseover links (Default = "605040")
+color_u="FFAA66" # Background color for number of unique visitors (Default = "FFAA66")
+color_v="F4F090" # Background color for number of visites (Default = "F4F090")
+color_p="4477DD" # Background color for number of pages (Default = "4477DD")
+color_h="66DDEE" # Background color for number of hits (Default = "66DDEE")
+color_k="2EA495" # Background color for number of bytes (Default = "2EA495")
+color_s="8888DD" # Background color for number of search (Default = "8888DD")
+color_e="CEC2E8" # Background color for number of entry pages (Default = "CEC2E8")
+color_x="C1B2E2" # Background color for number of exit pages (Default = "C1B2E2")
+
+
+
+#-----------------------------------------------------------------------------
+# PLUGINS
+#-----------------------------------------------------------------------------
+
+# Add here all plugin files you want to load.
+# Plugin files must be .pm files stored in 'plugins' directory.
+# Uncomment LoadPlugin lines to enable a plugin after checking that perl
+# modules required by the plugin are installed.
+
+# PLUGIN: Tooltips
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add tooltips pop-up help boxes to HTML report pages.
+# NOTE: This will increased HTML report pages size, thus server load and bandwidth.
+#
+#LoadPlugin="tooltips"
+
+# PLUGIN: DecodeUTFKeys
+# REQUIRED MODULES: Encode and URI::Escape
+# PARAMETERS: None
+# DESCRIPTION: Allow AWStats to show correctly (in language charset)
+# keywords/keyphrases strings even if they were UTF8 coded by the
+# referer search engine.
+#
+#LoadPlugin="decodeutfkeys"
+
+# PLUGIN: IPv6
+# PARAMETERS: None
+# REQUIRED MODULES: Net::IP and Net::DNS
+# DESCRIPTION: This plugin gives AWStats capability to make reverse DNS
+# lookup on IPv6 addresses.
+#
+#LoadPlugin="ipv6"
+
+# PLUGIN: HashFiles
+# REQUIRED MODULES: Storable
+# PARAMETERS: None
+# DESCRIPTION: AWStats DNS cache files are read/saved as native hash files.
+# This increases DNS cache files loading speed, above all for very large web sites.
+#
+#LoadPlugin="hashfiles"
+
+
+# PLUGIN: UserInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (Firtname, Lastname, Office Department, ...) in
+# authenticated user reports for each login value.
+# A text file called userinfo.myconfig.txt, with two fields (first is login,
+# second is text to show, separated by a tab char) must be created in DirData
+# directory.
+#
+#LoadPlugin="userinfo"
+
+# PLUGIN: HostInfo
+# REQUIRED MODULES: Net::XWhois
+# PARAMETERS: None
+# DESCRIPTION: Add a column into host chart with a link to open a popup window that shows
+# info on host (like whois records).
+#
+#LoadPlugin="hostinfo"
+
+# PLUGIN: ClusterInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (for example a full hostname) in cluster reports for each cluster
+# number.
A text file called clusterinfo.myconfig.txt, with two fields (first is +# cluster number, second is text to show) separated by a tab char. must be +# created into DirData directory. +# Note this plugin is useless if ShowClusterStats is set to 0 or if you don't +# use a personalized log format that contains %cluster tag. +# +#LoadPlugin="clusterinfo" + +# PLUGIN: UrlAliases +# REQUIRED MODULES: None +# PARAMETERS: None +# DESCRIPTION: Add a text (Page title, description...) in URL reports before URL value. +# A text file called urlalias.myconfig.txt, with two fields (first is URL, +# second is text to show, separated by a tab char) must be created into +# DirData directory. +# +#LoadPlugin="urlalias" + +# PLUGIN: TimeHiRes +# REQUIRED MODULES: Time::HiRes (if Perl < 5.8) +# PARAMETERS: None +# DESCRIPTION: Time reported by -showsteps option is in millisecond. For debug purpose. +# +#LoadPlugin="timehires" + +# PLUGIN: TimeZone +# REQUIRED MODULES: Time::Local +# PARAMETERS: [timezone offset] +# DESCRIPTION: Allow AWStats to adjust time stamps for a different timezone +# This plugin reduces AWStats speed of 10% !!!!!!! +# LoadPlugin="timezone" +# LoadPlugin="timezone +2" +# LoadPlugin="timezone CET" +# +#LoadPlugin="timezone +2" + +# PLUGIN: Rawlog +# REQUIRED MODULES: None +# PARAMETERS: None +# DESCRIPTION: This plugin adds a form in AWStats main page to allow users to see raw +# content of current log files. A filter is also available. +# +#LoadPlugin="rawlog" + +# PLUGIN: GraphApplet +# REQUIRED MODULES: None +# PARAMETERS: [CSS classes to override] +# DESCRIPTION: Supported charts are built by a 3D graphic applet. +# +#LoadPlugin="graphapplet /awstatsclasses" # EXPERIMENTAL FEATURE + +# PLUGIN: GraphGoogleChartAPI +# REQUIRED MODULES: None +# PARAMETERS: None +# DESCRIPTION: Replaces the standard charts with free Google API generated images +# in HTML reports. 
If country data is available and more than one country has hits,
+# a map will be generated using Google Visualizations.
+# Note: The machine where reports are displayed must have Internet access for the
+# charts to be generated. The only data sent to Google includes the statistic numbers,
+# legend names and country names.
+# Warning: This plugin is not compatible with option BuildReportFormat=xhtml.
+#
+#LoadPlugin="graphgooglechartapi"
+
+# PLUGIN: GeoIPfree
+# REQUIRED MODULES: Geo::IPfree version 0.2+ (from Graciliano M.P.)
+# PARAMETERS: None
+# DESCRIPTION: Country chart is built from an Internet IP-Country database.
+# This plugin is useless for intranet only log files.
+# Note: You must choose between using this plugin (need Perl Geo::IPfree
+# module, database is free but not up to date) or the GeoIP plugin (need
+# Perl Geo::IP module from Maxmind, database is also free and up to date).
+# Note: Activestate provide a corrupted version of Geo::IPfree 0.2 Perl
+# module, so install it from elsewhere (from www.cpan.org for example).
+# This plugin reduces AWStats speed by up to 10% !
+#
+#LoadPlugin="geoipfree"
+
+# MAXMIND GEO IP MODULES: Please see documentation for notes on all Maxmind modules
+
+# PLUGIN: GeoIP
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoip.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"
+
+# PLUGIN: GeoIP2
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-Country.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name. This uses the new schema of GeoIP2 replacing
+# the now expired Legacy schema.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_country /pathto/GeoLite2-Country.mmdb"
+
+# PLUGIN: GeoIP6
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind, version >= 1.40)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoipv6.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# works with IPv4 and also IPv6 addresses
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip6 GEOIP_STANDARD /pathto/GeoIPv6.dat"
+
+# PLUGIN: GeoIP_City_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPCity.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /pathto/GeoIPCity.dat"
+
+# PLUGIN: GeoIP2_City
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-City.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_city /pathto/GeoLite2-City.mmdb"
+
+# PLUGIN: GeoIP_ASN_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPASN.dat[+/pathto/override.txt][+http://linktoASlookup]]
+# DESCRIPTION: This plugin adds a chart of AS numbers where the host IP address is registered.
+# This plugin can display some ISP information if included in the database. You can also provide
+# a link that will be used to lookup additional registration data.
Put the link at the end of
+# the parameter string and the report page will include the link with the full AS number at the end.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_asn_maxmind GEOIP_STANDARD /usr/local/geoip.dat+http://enc.com.au/itools/autnum.php?asn="
+
+# PLUGIN: GeoIP_Region_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPRegion.dat[+/pathto/override.txt]]
+# DESCRIPTION:This plugin adds a chart of hits by regions. Only regions for US and
+# Canada can be detected.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_region_maxmind GEOIP_STANDARD /pathto/GeoIPRegion.dat"
+
+# PLUGIN: GeoIP_ISP_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPISP.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a chart of hits by ISP.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_isp_maxmind GEOIP_STANDARD /pathto/GeoIPISP.dat"
+
+# PLUGIN: GeoIP_Org_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPOrg.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin add a chart of hits by Organization name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_org_maxmind GEOIP_STANDARD /pathto/GeoIPOrg.dat"
+
+
+#-----------------------------------------------------------------------------
+# EXTRA SECTIONS
+#-----------------------------------------------------------------------------
+
+# You can define your own charts, you choose here what are rows and columns
+# keys. This feature is particularly useful for marketing purpose, tracking
+# products orders for example.
+# For this, edit all parameters of Extra section.
Each set of parameter is a
+# different chart. For several charts, duplicate section changing the number.
+# Note: Each Extra section reduces AWStats speed by 8%.
+#
+# WARNING: A wrong setup of Extra section might result in too large arrays
+# that will consume all your memory, making AWStats unusable after several
+# updates, so be sure to setup it correctly.
+# In most cases, you don't need this feature.
+#
+# ExtraSectionNameX is title of your personalized chart.
+# ExtraSectionCodeFilterX is list of codes the record code field must match.
+# Put an empty string for no test on code.
+# ExtraSectionConditionX are conditions you can use to count or not the hit,
+# Use one of the field condition
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and a regex to match, after a coma. Use "||" for "OR".
+# ExtraSectionFirstColumnTitleX is the first column title of the chart.
+# ExtraSectionFirstColumnValuesX is a string to tell AWStats which field to
+# extract value from
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and how to extract the value (using regex syntax). Each different value
+# found will appear in first column of report on a different row. Be sure
+# that list of different possible values will not grow indefinitely.
+# ExtraSectionFirstColumnFormatX is the string used to write value.
+# ExtraSectionStatTypesX are things you want to count. You can use standard
+# code letters (P for pages,H for hits,B for bandwidth,L for last access).
+# ExtraSectionAddAverageRowX add a row at bottom of chart with average values.
+# ExtraSectionAddSumRowX add a row at bottom of chart with sum values.
+# MaxNbOfExtraX is maximum number of rows shown in chart.
+# MinHitExtraX is minimum number of hits required to be shown in chart.
+#
+
+# Example to report the 20 products the most ordered by "order.cgi" script
+#ExtraSectionName1="Product orders"
+#ExtraSectionCodeFilter1="200 304"
+#ExtraSectionCondition1="URL,\/cgi\-bin\/order\.cgi||URL,\/cgi\-bin\/order2\.cgi"
+#ExtraSectionFirstColumnTitle1="Product ID"
+#ExtraSectionFirstColumnValues1="QUERY_STRING,productid=([^&]+)"
+#ExtraSectionFirstColumnFormat1="%s"
+#ExtraSectionStatTypes1=PL
+#ExtraSectionAddAverageRow1=0
+#ExtraSectionAddSumRow1=1
+#MaxNbOfExtra1=20
+#MinHitExtra1=1
+
+
+# There is also a global parameter ExtraTrackedRowsLimit that limits the
+# number of possible rows an ExtraSection can report. This parameter is
+# here to protect too much memory use when you make a bad setup in your
+# ExtraSection. It applies to all ExtraSection independently meaning that
+# none ExtraSection can report more rows than value defined by ExtraTrackedRowsLimit.
+# If you know an ExtraSection will report more rows than its value, you should
+# increase this parameter or AWStats will stop with an error.
+# Example: 2000
+# Default: 500
+#
+ExtraTrackedRowsLimit=500
+
+
+#-----------------------------------------------------------------------------
+# INCLUDES
+#-----------------------------------------------------------------------------
+
+# You can include other config files using the directive with the name of the
+# config file.
+# This is particularly useful for users who have a lot of virtual servers, so
+# a lot of config files and want to maintain common values in only one file.
+# Note that when a variable is defined both in a config file and in an
+# included file, AWStats will use the last value read for parameters that
+# contains one value and AWStats will concat all values from both files for
+# parameters that are lists of values.
+#
+
+#Include ""
diff --git a/awstats/awstats.club3d.ro.conf b/awstats/awstats.club3d.ro.conf
new file mode 100644
index 0000000..003035e
--- /dev/null
+++ b/awstats/awstats.club3d.ro.conf
@@ -0,0 +1,1619 @@
+# AWSTATS CONFIGURE FILE 7.3
+#-----------------------------------------------------------------------------
+# Copy this file into awstats.www.mydomain.conf and edit this new config file
+# to setup AWStats (See documentation in docs/ directory).
+# The config file must be in /etc/awstats, /usr/local/etc/awstats or /etc (for
+# Unix/Linux) or same directory as awstats.pl (Windows, Mac, Unix/Linux...)
+# To include an environment variable in any parameter (AWStats will replace
+# it with its value when reading it), follow the example:
+# Parameter="__ENVNAME__"
+# Note that environment variable AWSTATS_CURRENT_CONFIG is always defined with
+# the config value in an AWStats running session and can be used like others.
+#-----------------------------------------------------------------------------
+
+
+
+#-----------------------------------------------------------------------------
+# MAIN SETUP SECTION (Required to make AWStats work)
+#-----------------------------------------------------------------------------
+
+# "LogFile" contains the web, ftp or mail server log file to analyze.
+# Possible values: A full path, or a relative path from awstats.pl directory.
+# Example: "/var/log/apache/access.log"
+# Example: "../logs/mycombinedlog.log"
+# You can also use tags in this filename if you need a dynamic file name
+# depending on date or time (Replacement is made by AWStats at the beginning
+# of its execution). These are the available tags :
+# %YYYY-n is replaced with 4 digits year we were n hours ago
+# %YY-n is replaced with 2 digits year we were n hours ago
+# %MM-n is replaced with 2 digits month we were n hours ago
+# %MO-n is replaced with 3 letters month we were n hours ago
+# %DD-n is replaced with day we were n hours ago
+# %HH-n is replaced with hour we were n hours ago
+# %NS-n is replaced with number of seconds at 00:00 since 1970
+# %WM-n is replaced with the week number in month (1-5)
+# %Wm-n is replaced with the week number in month (0-4)
+# %WY-n is replaced with the week number in year (01-52)
+# %Wy-n is replaced with the week number in year (00-51)
+# %DW-n is replaced with the day number in week (1-7, 1=sunday)
+# use n=24 if you need (1-7, 1=monday)
+# %Dw-n is replaced with the day number in week (0-6, 0=sunday)
+# use n=24 if you need (0-6, 0=monday)
+# Use 0 for n if you need current year, month, day, hour...
+# Example: "/var/log/access_log.%YYYY-0%MM-0%DD-0.log"
+# Example: "C:/WINNT/system32/LogFiles/W3SVC1/ex%YY-24%MM-24%DD-24.log"
+# You can also use a pipe if log file come from a pipe :
+# Example: "gzip -cd /var/log/apache/access.log.gz |"
+# If there are several log files from load balancing servers :
+# Example: "/pathtotools/logresolvemerge.pl *.log |"
+#
+LogFile="/var/log/nginx/club3d.ro.access.log"
+
+
+# Enter the log file type you want to analyze.
+# Possible values:
+# W - For a web log file
+# S - For a streaming log file
+# M - For a mail log file
+# F - For an ftp log file
+# Example: W
+# Default: W
+#
+LogType=W
+
+
+# Enter here your log format (Must match your web server config. See setup
+# instructions in documentation to know how to configure your web server to
+# have the required log format).
+# Possible values: 1,2,3,4 or "your_own_personalized_log_format"
+# 1 - Apache or Lotus Notes/Domino native combined log format (NCSA combined/XLF/ELF log format)
+# 2 - IIS or ISA format (IIS W3C log format). See FAQ-COM115 For ISA.
+# 3 - Webstar native log format.
+# 4 - Apache or Squid native common log format (NCSA common/CLF log format)
+# With LogFormat=4, some features (browsers, os, keywords...) can't work.
+# "your_own_personalized_log_format" = If your log is ftp, mail or other format,
+# you must use following keys to define the log format string (See FAQ for
+# ftp, mail or exotic web log format examples):
+# %host Client hostname or IP address (or Sender host for mail log)
+# %host_r Receiver hostname or IP address (for mail log)
+# %lognamequot Authenticated login/user with format: "john"
+# %logname Authenticated login/user with format: john
+# %time1 Date and time with format: [dd/mon/yyyy:hh:mm:ss +0000] or [dd/mon/yyyy:hh:mm:ss]
+# %time2 Date and time with format: yyyy-mm-dd hh:mm:ss
+# %time3 Date and time with format: Mon dd hh:mm:ss or Mon dd hh:mm:ss yyyy
+# %time4 Date and time with unix timestamp format: dddddddddd
+# %time5 Date and time with format iso: yyyy-mm-ddThh:mm:ss, with optional timezone specification (ignored)
+# %time6 Date and time with format: dd/mm/yyyy, hh:mm:ss
+# %methodurl Method and URL with format: "GET /index.html HTTP/x.x"
+# %methodurlnoprot Method and URL with format: "GET /index.html"
+# %method Method with format: GET
+# %url URL only with format: /index.html
+# %query Query string (used by URLWithQuery option)
+# %code Return code status (with format for web log: 999)
+# %bytesd Size of document in bytes
+# %refererquot Referer page with format: "http://from.com/from.htm"
+# %referer Referer page with format: http://from.com/from.htm
+# %uabracket User agent with format: [Mozilla/4.0 (compatible, ...)]
+# %uaquot User agent with format: "Mozilla/4.0 (compatible, ...)"
+# %ua User agent with format: Mozilla/4.0_(compatible...)
+# %gzipin mod_gzip compression input bytes: In:XXX
+# %gzipout mod_gzip compression output bytes & ratio: Out:YYY:ZZpct.
+# %gzipratio mod_gzip compression ratio: ZZpct.
+# %deflateratio mod_deflate compression ratio with format: (ZZ)
+# %email EMail sender (for mail log)
+# %email_r EMail receiver (for mail log)
+# %virtualname Web sever virtual hostname. Use this tag when same log
+# contains data of several virtual web servers. AWStats
+# will discard records not in SiteDomain nor HostAliases
+# %cluster If log file is provided from several computers (merged by
+# logresolvemerge.pl), use this to define cluster id field.
+# %extraX Another field that you plan to use for building a
+# personalized report with ExtraSection feature (See later).
+# If your log format has some fields not included in this list, use:
+# %other Means another not used field
+# %otherquot Means another not used double quoted field
+# If your log format has some literal strings, which precede data fields, use
+# status=%code Means your log files have HTTP status logged as "status=200"
+# Literal strings that follow data field must be separated from said data fields by space.
+#
+# Examples for Apache combined logs (following two examples are equivalent):
+# LogFormat = 1
+# LogFormat = "%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
+#
+# Example for IIS:
+# LogFormat = 2
+#
+LogFormat=1
+
+
+# If your log field's separator is not a space, you can change this parameter.
+# This parameter is not used if LogFormat is a predefined value (1,2,3,4)
+# Backslash can be used as escape character.
+# Example: " "
+# Example: "\t"
+# Example: "\|"
+# Example: ","
+# Default: " "
+#
+LogSeparator=" "
+
+
+# "SiteDomain" must contain the main domain name, or the main intranet web
+# server name, used to reach the web site.
+# If you share the same log file for several virtual web servers, this
+# parameter is used to tell AWStats to filter record that contains records for
+# this virtual host name only (So check that this virtual hostname can be
+# found in your log file and use a personalized log format that include the
+# %virtualname tag).
+# But for multi hosting a better solution is to have one log file for each
+# virtual web server. In this case, this parameter is only used to generate
+# full URL's links when ShowLinksOnUrl option is set to 1.
+# If analyzing mail log, enter here the domain name of mail server.
+# Example: "myintranetserver"
+# Example: "www.domain.com"
+# Example: "ftp.domain.com"
+# Example: "domain.com"
+#
+SiteDomain="zira.898.ro"
+
+
+# Enter here all other possible domain names, addresses or virtual host
+# aliases someone can use to access your site. Try to keep only the minimum
+# number of possible names/addresses to have the best performances.
+# You can repeat the "SiteDomain" value in this list.
+# This parameter is used to analyze referer field in log file and to help
+# AWStats to know if a referer URL is a local URL of same site or a URL of
+# another site.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Note: You can also use @/mypath/myfile if list of aliases are in a file.
+# Example: "www.myserver.com localhost 127.0.0.1 REGEX[mydomain\.(net|org)$]"
+#
+HostAliases="REGEX[^.*zira\.898\.ro$]"
+
+
+# If you want to have hosts reported by name instead of ip address, AWStats
+# needs to make reverse DNS lookups (if not already done in your log file).
+# With DNSLookup to 0, all hosts will be reported by their IP addresses and
+# not by the full hostname of visitors (except if names are already available
+# in log file).
+# If you want/need to set DNSLookup to 1, don't forget that this will
+# dramatically reduce AWStats's update process speed. Do not use on large web
+# sites.
+# Note: Reverse DNS lookup is done on IPv4 only (Enable ipv6 plugin for IPv6).
+# Note: Result of DNS Lookup can be used to build the Country report. However
+# it is highly recommanded to enable the plugin 'geoip', 'geoipfree', or 'geoip2'
+# to have an accurate Country report with no need for DNS Lookup.
+# Possible values:
+# 0 - No DNS Lookup
+# 1 - DNS Lookup is fully enabled
+# 2 - DNS Lookup is made only from static DNS cache file (if it exists)
+# Default: 2
+#
+DNSLookup=2
+
+
+# For very large sites, setting DNSLookup to 0 (or 2) might be the only
+# reasonable choice. DynamicDNSLookup allows to resolve host names for
+# items shown in html tables only, when data is output on reports instead
+# of resolving once during log analysis step.
+# Possible values:
+# 0 - No dynamic DNS lookup
+# 1 - Dynamic DNS lookup enabled
+# 2 - Dynamic DNS lookup enabled (including static DNS cache file as a second
+# source)
+# Default: 0
+#
+DynamicDNSLookup=0
+
+
+# When AWStats updates its statistics, it stores results of its analysis in
+# files (AWStats database). All those files are written in the directory
+# defined by the "DirData" parameter. Set this value to the directory where
+# you want AWStats to save its database and working files into.
+# Warning: If you want to be able to use the "AllowToUpdateStatsFromBrowser"
+# feature (see later), you need "Write" permissions by web server user on this
+# directory (and "Modify" for Windows NTFS file systems).
+# Example: "/var/lib/awstats"
+# Example: "../data"
+# Example: "C:/awstats_data_dir"
+# Default: "." (means same directory as awstats.pl)
+#
+DirData="/var/lib/awstats"
+
+
+# Relative or absolute web URL of your awstats cgi-bin directory.
+# This parameter is used only when AWStats is run from command line
+# with -output option (to generate links in HTML reported page).
+# Example: "/awstats"
+# Default: "/cgi-bin" (means awstats.pl is in "/yourwwwroot/cgi-bin")
+#
+DirCgi="/awstats"
+
+
+# Relative or absolute web URL of your awstats icon directory.
+# If you build static reports ("... -output > outputpath/output.html"), enter
+# path of icon directory relative to the output directory 'outputpath'.
+# Example: "/awstatsicons"
+# Example: "../icon"
+# Default: "/icon" (means you must copy icon directories in "/mywwwroot/icon")
+#
+DirIcons="/awstatsicons"
+
+
+# When this parameter is set to 1, AWStats adds a button on the report page to
+# allow to "update" statistics from a web browser. Warning, when "update" is
+# made from a browser, AWStats is run as a CGI by the web server user defined
+# in your web server (user "nobody" by default with Apache, "IUSR_XXX" with
+# IIS), so the "DirData" directory and all already existing history files
+# awstatsMMYYYY[.xxx].txt must be writable by this user. Change permissions if
+# necessary to "Read/Write" (and "Modify" for Windows NTFS file systems).
+# Warning: Update process can be long so you might experience "time out"
+# browser errors if you don't launch AWStats frequently enough.
+# When set to 0, update is only made when AWStats is run from the command
+# line interface (or a task scheduler).
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowToUpdateStatsFromBrowser=0
+
+
+# AWStats saves and sorts its database on a monthly basis (except if using
+# databasebreak option from command line).
+# However, if you choose the -month=all from command line or
+# value '-Year-' from CGI combo form to have a report for all year, AWStats
+# needs to reload all data for full year (each month), and sort them,
+# requiring a large amount of time, memory and CPU. This might be a problem
+# for web hosting providers that offer AWStats for large sites, on shared
+# servers, to non CPU cautious customers.
+# For this reason, the 'full year' is only enabled on Command Line by default.
+# You can change this by setting this parameter to 0, 1, 2 or 3.
+# Possible values:
+# 0 - Never allowed
+# 1 - Allowed on CLI only, -Year- value in combo is not visible
+# 2 - Allowed on CLI only, -Year- value in combo is visible but not allowed
+# 3 - Possible on CLI and CGI
+# Default: 2
+#
+AllowFullYearView=2
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL SETUP SECTION (Not required but enhances AWStats's functionality)
+#-----------------------------------------------------------------------------
+
+# When the update process runs, AWStats can set a lock file in TEMP or TMP
+# directory. This lock is to avoid to have 2 update processes running at the
+# same time to prevent unknown conflicts problems and avoid DoS attacks when
+# AllowToUpdateStatsFromBrowser is set to 1.
+# Because, when you use lock file, you can sometimes experience problems if
+# lock file is not correctly removed (killed process for example requires that
+# you remove the file manually), this option is not enabled by default (Do
+# not enable this option with no console server access).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+EnableLockForUpdate=1
+
+
+# AWStats can do reverse DNS lookups through a static DNS cache file that was
+# previously created manually. If no path is given in static DNS cache file
+# name, AWStats will search DirData directory. This file is never changed.
+# This option is not used if DNSLookup=0.
+# Note: DNS cache file format is 'minsince1970 ipaddress resolved_hostname'
+# or just 'ipaddress resolved_hostname'
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscache"
+# Default: "dnscache.txt"
+#
+DNSStaticCacheFile="dnscache.txt"
+
+
+# AWStats can do reverse DNS lookups through a DNS cache file that was created
+# by a previous run of AWStats. This file is erased and recreated after each
+# statistics update process. You don't need to create and/or edit it.
+# AWStats will read and save this file in DirData directory.
+# This option is used only if DNSLookup=1.
+# Note: If a DNSStaticCacheFile is available, AWStats will check for DNS
+# lookup in DNSLastUpdateCacheFile after checking into DNSStaticCacheFile.
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscachelastupdate"
+# Default: "dnscachelastupdate.txt"
+#
+DNSLastUpdateCacheFile="dnscachelastupdate.txt"
+
+
+# You can specify specific IP addresses that should NOT be looked up in DNS.
+# This option is used only if DNSLookup=1.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "123.123.123.123 REGEX[^192\.168\.]"
+# Default: ""
+#
+SkipDNSLookupFor=""
+
+
+# The following two parameters allow you to protect a config file from being
+# read by AWStats when called from a browser if the web user has not been
+# authenticated. Your AWStats program must be in a web protected "realm" (With
+# Apache, you can use .htaccess files to do so. With other web servers, see
+# your server setup manual).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowAccessFromWebToAuthenticatedUsersOnly=0
+
+
+# This parameter gives the list of all authorized authenticated users to view
+# statistics for this domain/config file. This parameter is used only if
+# AllowAccessFromWebToAuthenticatedUsersOnly is set to 1.
+# Change : Effective immediately
+# Example: "user1 user2"
+# Example: "__REMOTE_USER__"
+# Default: ""
+#
+AllowAccessFromWebToFollowingAuthenticatedUsers=""
+
+
+# When this parameter is defined to something, the IP address of the user that
+# reads its statistics from a browser (when AWStats is used as a CGI) is
+# checked and must match one of the IP address values or ranges.
+# Change : Effective immediately
+# Example: "127.0.0.1 123.123.123.1-123.123.123.255"
+# Default: ""
+#
+AllowAccessFromWebToFollowingIPAddresses=""
+
+
+# If the "DirData" directory (see above) does not exist, AWStats returns an
+# error. However, you can ask AWStats to create it.
+# This option can be used by some Web Hosting Providers that have defined a
+# dynamic value for DirData (for example DirData="/home/__REMOTE_USER__") and
+# don't want to have to create a new directory each time they add a new user.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+CreateDirDataIfNotExists=0
+
+
+# You can choose in which format the AWStats history database is saved.
+# Note: Using "xml" format makes AWStats database files three times larger than
+# using "text" format.
+# Change : Database format is switched after next update
+# Possible values: text or xml
+# Default: text
+#
+BuildHistoryFormat=text
+
+
+# If you prefer having the report output pages be built as XML compliant pages
+# instead of simple HTML pages, you can set this to 'xhtml' (May not work
+# properly with old browsers).
+# Change : Effective immediately
+# Possible values: html or xhtml
+# Default: html
+#
+BuildReportFormat=html
+
+
+# AWStats databases can be updated from command line or from a browser (when
+# used as a cgi program). So AWStats database files need write permission
+# for both command line user and default web server user ('nobody' for Unix,
+# 'IUSR_xxx' for IIS/Windows,...).
+# To avoid permission problems between update process (run by an admin user)
+# and CGI process (ran by a low level user), AWStats can save its database
+# files with read and write permissions for everyone.
+# By default, AWStats keeps default user permissions on updated files. If you
+# set AllowToUpdateStatsFromBrowser to 1, you can change this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+SaveDatabaseFilesWithPermissionsForEveryone=0
+
+
+# AWStats can purge log file, after analyzing it. Note that AWStats is able
+# to detect new lines in a log file, to process only them, so you can launch
+# AWStats as often as you want, even with this parameter to 0.
+# With 0, no purge is made, so you must use a scheduled task or a web server
+# that make this purge frequently.
+# With 1, the purge of the log file is made each time AWStats update is run.
+# This parameter doesn't work with IIS (This web server doesn't let its log
+# file to be purged).
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+PurgeLogFile=0
+
+
+# When PurgeLogFile is set to 1, AWStats will clean your log file after
+# processing it. You can however keep an archive file of all processed log
+# records by setting this parameter (For example if you want to use another
+# log analyzer). The archived log file is saved in "DirData" with name
+# awstats_archive.configname[.suffix].log
+# This parameter is not used if PurgeLogFile=0
+# Change : Effective for new updates only
+# Possible values: 0, 1, or tags (See LogFile parameter) for suffix
+# Example: 1
+# Example: %YYYY%MM%DD
+# Default: 0
+#
+ArchiveLogRecords=0
+
+
+# Each time you run the update process, AWStats overwrites the 'historic file'
+# for the month (awstatsMMYYYY[.*].txt) with the updated one.
+# When write errors occur (IO, disk full,...), this historic file can be
+# corrupted and must be deleted. Because this file contains information of all
+# past processed log files, you will lose old stats if removed. So you can
+# ask AWStats to save last non corrupted file in a .bak file. This file is
+# stored in "DirData" directory with other 'historic files'.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+KeepBackupOfHistoricFiles=0
+
+
+# Default index page name for your web server.
+# Change : Effective for new updates only
+# Example: "index.php index.html default.html"
+# Default: "index.php index.html"
+#
+DefaultFile="index.php index.html"
+
+
+# Do not include access from clients that match following criteria.
+# If your log file contains IP addresses in host field, you must enter here
+# matching IP addresses criteria.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "SkipHosts" is "OnlyHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Example: "localhost REGEX[^.*\.localdomain$]"
+# Default: ""
+#
+SkipHosts="127.0.0.1"
+
+
+# Do not include access from clients with a user agent that match following
+# criteria. If you want to exclude a robot, you should update the robots.pm
+# file instead of this parameter.
+# The opposite parameter of "SkipUserAgents" is "OnlyUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "konqueror REGEX[ua_test_v\d\.\d]"
+# Default: ""
+#
+SkipUserAgents=""
+
+
+# Use SkipFiles to ignore access to URLs that match one of following entries.
+# You can enter a list of not important URLs (like framed menus, hidden pages,
+# etc...) to exclude them from statistics. You must enter here exact relative
+# URL as found in log file, or a matching REGEX value. Check apply on URL with
+# all its query paramaters.
+# For example, to ignore /badpage.php, just add "/badpage.php". To ignore all
+# pages in a particular directory, add "REGEX[^\/directorytoexclude]".
+# The opposite parameter of "SkipFiles" is "OnlyFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "/badpage.php /page.php?param=x REGEX[^\/excludedirectory]"
+# Default: ""
+#
+SkipFiles=""
+
+
+# Use SkipReferrersBlackList if you want to exclude records coming from a SPAM
+# referrer. Parameter must receive a local file name containing rules applied
+# on referrer field. If parameter is empty, no filter is applied.
+# An example of such a file is available in lib/blacklist.txt
+# Change : Effective for new updates only
+# Example: "/mylibpath/blacklist.txt"
+# Default: ""
+#
+# WARNING!! Using this feature make AWStats running very slower (5 times slower
+# with black list file provided with AWStats !
+#
+SkipReferrersBlackList=""
+
+
+# Include in stats, only accesses from hosts that match one of following
+# entries. For example, if you want AWStats to filter access to keep only
+# stats for visits from particular hosts, you can add those host names in
+# this parameter.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "OnlyHosts" is "SkipHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Default: ""
+#
+OnlyHosts=""
+
+
+# Include in stats, only accesses from user agent that match one of following
+# entries. For example, if you want AWStats to filter access to keep only
+# stats for visits from particular browsers, you can add their user agents
+# string in this parameter.
+# The opposite parameter of "OnlyUserAgents" is "SkipUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "msie"
+# Default: ""
+#
+OnlyUserAgents=""
+
+
+# Include in stats, only accesses from authenticated users that match one of
+# following entries. For example, if you want AWStats to filter access to keep
+# only stats for authenticated users, you can add those users names in
+# this parameter. Useful for statistics for per user ftp logs.
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "john bob REGEX[^testusers]"
+# Default: ""
+#
+OnlyUsers=""
+
+
+# Include in stats, only accesses to URLs that match one of following entries.
+# For example, if you want AWStats to filter access to keep only stats that
+# match a particular string, like a particular directory, you can add this
+# directory name in this parameter.
+# The opposite parameter of "OnlyFiles" is "SkipFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "REGEX[marketing_directory] REGEX[office\/.*\.(csv|sxw)$]"
+# Default: ""
+#
+OnlyFiles=""
+
+
+# Add here a list of kind of url (file extension) that must be counted as
+# "Hit only" and not as a "Hit" and "Page/Download". You can set here all
+# image extensions as they are hit downloaded that must be counted but they
+# are not viewed pages. URLs with such extensions are not included in the TOP
+# Pages/URL report.
+# Note: If you want to exclude particular URLs from stats (No Pages and no
+# Hits reported), you must use SkipFiles parameter.
+# Change : Effective for new updates only
+# Example: "css js class gif jpg jpeg png bmp ico rss xml swf zip arj rar gz z bz2 wav mp3 wma mpg avi"
+# Example: ""
+# Default: "css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+#
+NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+
+
+# By default, AWStats considers that records found in web log file are
+# successful hits if HTTP code returned by server is a valid HTTP code (200
+# and 304). Any other code are reported in HTTP status chart.
+# Note that HTTP 'control codes', like redirection (302, 305) are not added by
+# default in this list as they are not pages seen by a visitor but are
+# protocol exchange codes to tell the browser to ask another page. Because
+# this other page will be counted and seen with a 200 or 304 code, if you
+# add such codes, you will have 2 pages viewed reported for only one in facts.
+# Change : Effective for new updates only
+# Example: "200 304 302 305"
+# Default: "200 304"
+#
+ValidHTTPCodes="200 304"
+
+
+# By default, AWStats considers that records found in mail log file are
+# successful mail transfers if field that represent return code in analyzed
+# log file match values defined by this parameter.
+# Change : Effective for new updates only
+# Example: "1 250 200"
+# Default: "1 250"
+#
+ValidSMTPCodes="1 250"
+
+
+# By default, AWStats only records info on 404 'Document Not Found' errors.
+# At the cost of additional processing time, further info pages can be made
+# available by adding codes below.
+# Change : Effective for new updates only
+# Example: "403 404"
+# Default: "404"
+#
+TrapInfosForHTTPErrorCodes = "400 403 404"
+
+
+# Some web servers on some Operating systems (IIS-Windows) consider that a
+# login with same value but different case are the same login. To tell AWStats
+# to also consider them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+AuthenticatedUsersNotCaseSensitive=0
+
+
+# Some web servers on some Operating systems (IIS-Windows) considers that two
+# URLs with same value but different case are the same URL. To tell AWStats to
+# also considers them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLNotCaseSensitive=0
+
+
+# Keep or remove the anchor string you can find in some URLs.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLWithAnchor=0
+
+
+# In URL links, "?" char is used to add parameter's list in URLs. Syntax is:
+# /mypage.html?param1=value1¶m2=value2
+# However, some servers/sites use also other chars to isolate dynamic part of
+# their URLs. You can complete this list with all such characters.
+# Change : Effective for new updates only
+# Example: "?;,"
+# Default: "?;"
+#
+URLQuerySeparators="?;"
+
+
+# Keep or remove the query string to the URL in the statistics for individual
+# pages. This is primarily used to differentiate between the URLs of dynamic
+# pages. If set to 1, mypage.html?id=x and mypage.html?id=y are counted as two
+# different pages.
+# Warning, when set to 1, memory required to run AWStats is dramatically
+# increased if you have a lot of changing URLs (for example URLs with a random
+# id inside). Such web sites should not set this option to 1 or use seriously
+# the next parameter URLWithQueryWithOnlyFollowingParameters (or eventually
+# URLWithQueryWithoutFollowingParameters).
+# Change : Effective for new updates only
+# Possible values:
+# 0 - URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLWithQuery=0
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to keep only parameters
+# you need (if you know them) before counting, manipulating and storing URL.
+# Enter here list of wanted parameters. For example, with "param", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithoutFollowingParameters.
+# Change : Effective for new updates only
+# Example: "param"
+# Default: ""
+#
+URLWithQueryWithOnlyFollowingParameters=""
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to remove such parameters
+# from the URL before counting, manipulating and storing URL. Enter here list
+# of all non wanted parameters. For example if you enter "id", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithOnlyFollowingParameters.
+# Change : Effective for new updates only
+# Example: "PHPSESSID jsessionid"
+# Default: ""
+#
+URLWithQueryWithoutFollowingParameters=""
+
+
+# Keep or remove the query string to the referrer URL in the statistics for
+# external referrer pages. This is used to differentiate between the URLs of
+# dynamic referrer pages. If set to 1, mypage.html?id=x and mypage.html?id=y
+# are counted as two different referrer pages.
+# Change : Effective for new updates only
+# Possible values:
+# 0 - Referrer URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLReferrerWithQuery=0
+
+
+# AWStats can detect setup problems or show you important informations to have
+# a better use. Keep this to 1, except if AWStats says you can change it.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 1
+#
+WarningMessages=1
+
+
+# When an error occurs, AWStats outputs a message related to errors. If you
+# want (in most cases for security reasons) to have no error messages, you
+# can set this parameter to your personalized generic message.
+# Change : Effective immediately
+# Example: "An error occurred. Contact your Administrator"
+# Default: ""
+#
+ErrorMessages=""
+
+
+# AWStat can be run with debug=x parameter to output various informations
+# to help in debugging or solving troubles. If you want to allow this (not
+# enabled by default for security reasons), set this parameter to 0.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+DebugMessages=0
+
+
+# To help you to detect if your log format is good, AWStats reports an error
+# if all the first NbOfLinesForCorruptedLog lines have a format that does not
+# match the LogFormat parameter.
+# However, some worm virus attack on your web server can result in a very high
+# number of corrupted lines in your log. So if you experience awstats stop
+# because of bad virus records at the beginning of your log file, you can
+# increase this parameter (very rare).
+# Change : Effective for new updates only
+# Default: 50
+#
+NbOfLinesForCorruptedLog=50
+
+
+# For some particular integration needs, you may want to have CGI links to
+# point to another script than awstats.pl.
+# Use the name of this script in WrapperScript parameter.
+# Change : Effective immediately
+# Example: "awstatslauncher.pl"
+# Example: "awstatswrapper.cgi?key=123"
+# Default: ""
+#
+WrapperScript=""
+
+
+# DecodeUA must be set to 1 if you use Roxen web server. This server converts
+# all spaces in user agent field into %20. This make the AWStats robots, OS
+# and browsers detection fail in some cases. Just change it to 1 if and only
+# if your web server is Roxen.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+DecodeUA=0
+
+
+# MiscTrackerUrl can be used to make AWStats able to detect some miscellaneous
+# things, that can not be tracked on other way, like:
+# - Javascript disabled
+# - Java enabled
+# - Screen size
+# - Color depth
+# - Macromedia Director plugin
+# - Macromedia Shockwave plugin
+# - Realplayer G2 plugin
+# - QuickTime plugin
+# - Mediaplayer plugin
+# - Acrobat PDF plugin
+# To enable all these features, you must copy the awstats_misc_tracker.js file
+# into a /js/ directory stored in your web document root and add the following
+# HTML code at the end of your index page (but before ) :
+#
+#
+#
+#
+# If code is not added in index page, all those detection capabilities will be
+# disabled. You must also check that ShowScreenSizeStats and ShowMiscStats
+# parameters are set to 1 to make results appear in AWStats report page.
+# If you want to use another directory than /js/, you must also change the
+# awstatsmisctrackerurl variable into the awstats_misc_tracker.js file.
+# Change : Effective for new updates only.
+# Possible value: URL of javascript tracker file added in your HTML code.
+# Default: "/js/awstats_misc_tracker.js"
+#
+MiscTrackerUrl="/js/awstats_misc_tracker.js"
+
+
+# AddLinkToExternalCGIWrapper can be used to add a link to a wrapper script
+# into each title of Dolibarr reports. This can be used to add a wrapper
+# to download data into a CSV file for example.
+#
+# AddLinkToExternalCGIWrapper="/awstats/awdownloadcsv.pl"
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL ACCURACY SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# The following values allow you to define accuracy of AWStats entities
+# (robots, browsers, os, referers, file types) detection.
+# It might be a good idea for large web sites or ISP that provides AWStats to
+# high number of customers, to set this parameter to 1 (or 0), instead of 2.
+# Possible values:
+# 0 = No detection,
+# 1 = Medium/Standard detection
+# 2 = Full detection
+# Change : Effective for new updates only
+# Note : LevelForBrowsersDetection can also accept value "allphones". This
+# enable detailed detection of phone/pda browsers.
+# Default: 2 (0 for LevelForWormsDetection)
+#
+LevelForBrowsersDetection=2 # 0 disables Browsers detection.
+ # 2 reduces AWStats speed by 2%
+ # allphones reduces AWStats speed by 5%
+LevelForOSDetection=2 # 0 disables OS detection.
+ # 2 reduces AWStats speed by 3%
+LevelForRefererAnalyze=2 # 0 disables Origin detection.
+ # 2 reduces AWStats speed by 14%
+LevelForRobotsDetection=2 # 0 disables Robots detection.
+ # 2 reduces AWStats speed by 2.5%
+LevelForSearchEnginesDetection=2 # 0 disables Search engines detection.
+ # 2 reduces AWStats speed by 9%
+LevelForKeywordsDetection=2 # 0 disables Keyphrases/Keywords detection.
+ # 2 reduces AWStats speed by 1%
+LevelForFileTypesDetection=2 # 0 disables File types detection.
+ # 2 reduces AWStats speed by 1%
+LevelForWormsDetection=0 # 0 disables Worms detection.
+ # 2 reduces AWStats speed by 15%
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL APPEARANCE SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# When you use AWStats as a CGI, you can have the reports shown in HTML frames.
+# Frames are only available for report viewed dynamically. When you build
+# pages from command line, this option is not used and no frames are built.
+# Possible values: 0 or 1
+# Default: 1
+#
+UseFramesWhenCGI=1
+
+
+# This parameter asks your browser to open detailed reports into a different
+# window than the main page.
+# Possible values:
+# 0 - Open all in same browser window
+# 1 - Open detailed reports in another window except if using frames
+# 2 - Open always in a different window even if reports are framed
+# Default: 1
+#
+DetailedReportsOnNewWindows=1
+
+
+# You can add, in the HTML report page, a cache lifetime (in seconds) that
+# will be returned to the browser in HTTP header answer by server.
+# This parameter is not used when reports are built with -staticlinks option.
+# Example: 3600
+# Default: 0
+#
+Expires=3600
+
+
+# To avoid too large web pages, you can ask AWStats to limit number of rows of
+# all reported charts to this number when no other limits apply.
+# Default: 10000
+#
+MaxRowsInHTMLOutput=10000
+
+
+# Set your primary language (ISO-639-1 language codes).
+# Possible values:
+# Albanian=al, Bosnian=ba, Bulgarian=bg, Catalan=ca,
+# Chinese (Taiwan)=tw, Chinese (Simpliefied)=cn, Croatian=hr, Czech=cz,
+# Danish=dk, Dutch=nl, English=en, Estonian=et, Euskara=eu, Finnish=fi,
+# French=fr, Galician=gl, German=de, Greek=gr, Hebrew=he, Hungarian=hu,
+# Icelandic=is, Indonesian=id, Italian=it, Japanese=jp, Korean=ko,
+# Latvian=lv, Norwegian (Nynorsk)=nn, Norwegian (Bokmal)=nb, Polish=pl,
+# Portuguese=pt, Portuguese (Brazilian)=br, Romanian=ro, Russian=ru,
+# Serbian=sr, Slovak=sk, Slovenian=si, Spanish=es, Swedish=se, Turkish=tr,
+# Ukrainian=ua, Welsh=cy.
+# First available language accepted by browser=auto
+# Default: "auto"
+#
+Lang="auto"
+
+
+# Set the location of language files.
+# Example: "/usr/share/awstats/lang"
+# Default: "./lang" (means lang directory is in same location than awstats.pl)
+#
+DirLang="./lang"
+
+
+# Show menu header with reports' links
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowMenu=1
+
+
+# You choose here which reports you want to see in the main page and what you
+# want to see in those reports.
+# Possible values:
+# 0 - Report is not shown at all
+# 1 - Report is shown in main page with an entry in menu and default columns
+# XYZ - Report shows column informations defined by code X,Y,Z...
+# X,Y,Z... are code letters among the following:
+# U = Unique visitors
+# V = Visits
+# P = Number of pages
+# H = Number of hits (or mails)
+# B = Bandwidth (or total mail size for mail logs)
+# L = Last access date
+# E = Entry pages
+# X = Exit pages
+# C = Web compression (mod_gzip,mod_deflate)
+# M = Average mail size (mail logs)
+#
+
+# Show monthly summary
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowSummary=UVPHB
+
+# Show monthly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowMonthStats=UVPHB
+
+# Show days of month chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: VPHB, Possible column codes: VPHB
+ShowDaysOfMonthStats=VPHB
+
+# Show days of week chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowDaysOfWeekStats=PHB
+
+# Show hourly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowHoursStats=PHB
+
+# Show domains/country chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: UVPHB
+ShowDomainsStats=PHB
+
+# Show hosts chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHBL, Possible column codes: PHBL
+ShowHostsStats=PHBL
+
+# Show authenticated users chart
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHBL
+ShowAuthenticatedUsers=0
+
+# Show robots chart
+# Context: Web, Streaming
+# Default: HBL, Possible column codes: HBL
+ShowRobotsStats=HBL
+
+# Show worms chart
+# Context: Web, Streaming
+# Default: 0 (If set to other than 0, see also LevelForWormsDetection), Possible column codes: HBL
+ShowWormsStats=0
+
+# Show email senders chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailSenders=0
+
+# Show email receivers chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailReceivers=0
+
+# Show session chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowSessionsStats=1
+
+# Show pages-url chart.
+# Context: Web, Streaming, Ftp
+# Default: PBEX, Possible column codes: PBEX
+ShowPagesStats=PBEX
+
+# Show file types chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HBC
+ShowFileTypesStats=HB
+
+# Show file size chart (Not yet available)
+# Context: Web, Streaming, Mail, Ftp
+# Default: 1, Possible column codes: None
+ShowFileSizesStats=0
+
+# Show downloads chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HB
+ShowDownloadsStats=HB
+
+# Show operating systems chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowOSStats=1
+
+# Show browsers chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowBrowsersStats=1
+
+# Show screen size chart
+# Context: Web, Streaming
+# Default: 0 (If set to 1, see also MiscTrackerUrl), Possible column codes: None
+ShowScreenSizeStats=0
+
+# Show origin chart
+# Context: Web, Streaming
+# Default: PH, Possible column codes: PH
+ShowOriginStats=PH
+
+# Show keyphrases chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeyphrasesStats=1
+
+# Show keywords chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeywordsStats=1
+
+# Show misc chart
+# Context: Web, Streaming
+# Default: a (See also MiscTrackerUrl parameter), Possible column codes: anjdfrqwp
+ShowMiscStats=a
+
+# Show http errors chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowHTTPErrorsStats=1
+
+# Show http error page details
+# Context: Web, Streaming
+# Default: R, Possible column codes: RH
+ShowHTTPErrorsPageDetail=R
+
+# Show smtp errors chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: None
+ShowSMTPErrorsStats=0
+
+# Show the cluster report (Your LogFormat must contains the %cluster tag)
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHB
+ShowClusterStats=0
+
+
+# Some graphical reports are followed by the data array of values.
+# If you don't want this array (to reduce the report size for example), you
+# can set thoose options to 0.
+# Possible values: 0 or 1
+# Default: 1
+#
+# Data array values for the ShowMonthStats report
+AddDataArrayMonthStats=1
+# Data array values for the ShowDaysOfMonthStats report
+AddDataArrayShowDaysOfMonthStats=1
+# Data array values for the ShowDaysOfWeekStats report
+AddDataArrayShowDaysOfWeekStats=1
+# Data array values for the ShowHoursStats report
+AddDataArrayShowHoursStats=1
+
+
+# In the Origin chart, you have stats on where your hits came from. You can
+# include hits on pages that come from pages of same sites in this chart.
+# Possible values: 0 or 1
+# Default: 0
+#
+IncludeInternalLinksInOriginSection=0
+
+
+# The following parameters can be used to choose the maximum number of lines
+# shown for the particular following reports.
+#
+# Stats by countries/domains
+MaxNbOfDomain = 10
+MinHitDomain = 1
+# Stats by hosts
+MaxNbOfHostsShown = 10
+MinHitHost = 1
+# Stats by authenticated users
+MaxNbOfLoginShown = 10
+MinHitLogin = 1
+# Stats by robots
+MaxNbOfRobotShown = 10
+MinHitRobot = 1
+# Stats for Downloads
+MaxNbOfDownloadsShown = 10
+MinHitDownloads = 1
+# Stats by pages
+MaxNbOfPageShown = 10
+MinHitFile = 1
+# Stats by OS
+MaxNbOfOsShown = 10
+MinHitOs = 1
+# Stats by browsers
+MaxNbOfBrowsersShown = 10
+MinHitBrowser = 1
+# Stats by screen size
+MaxNbOfScreenSizesShown = 5
+MinHitScreenSize = 1
+# Stats by window size (following 2 parameters are not yet used)
+MaxNbOfWindowSizesShown = 5
+MinHitWindowSize = 1
+# Stats by referers
+MaxNbOfRefererShown = 10
+MinHitRefer = 1
+# Stats for keyphrases
+MaxNbOfKeyphrasesShown = 10
+MinHitKeyphrase = 1
+# Stats for keywords
+MaxNbOfKeywordsShown = 10
+MinHitKeyword = 1
+# Stats for sender or receiver emails
+MaxNbOfEMailsShown = 20
+MinHitEMail = 1
+
+
+# Choose if you want the week report to start on sunday or monday
+# Possible values:
+# 0 - Week starts on sunday
+# 1 - Week starts on monday
+# Default: 1
+#
+FirstDayOfWeek=1
+
+
+# List of visible flags that link to other language translations.
+# See Lang parameter for list of allowed flag/language codes.
+# If you don't want any flag link, set ShowFlagLinks to "".
+# This parameter is used only if ShowMenu parameter is set to 1.
+# Possible values: "" or "language_codes_separated_by_space"
+# Example: "en es fr nl de"
+# Default: ""
+#
+ShowFlagLinks=""
+
+
+# Each URL, shown in stats report views, are links you can click.
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowLinksOnUrl=1
+
+
+# When AWStats builds HTML links in its report pages, it starts those links
+# with "http://". However some links might be HTTPS links, so you can enter
+# here the root of all your HTTPS links. If all your site is a SSL web site,
+# just enter "/".
+# This parameter is not used if ShowLinksOnUrl is 0.
+# Example: "/shopping"
+# Example: "/"
+# Default: ""
+#
+UseHTTPSLinkForUrl=""
+
+
+# Maximum length of URL part shown on stats page (number of characters).
+# This affects only URL visible text, links still work.
+# Default: 64
+#
+MaxLengthOfShownURL=64
+
+
+# You can enter HTML code that will be added at the top of AWStats reports.
+# Default: ""
+#
+HTMLHeadSection=""
+
+
+# You can enter HTML code that will be added at the end of AWStats reports.
+# Great to add advert ban.
+# Default: ""
+#
+HTMLEndSection=""
+
+
+# By default AWStats page contains meta tag robots=noindex,nofollow
+# If you want to have your statistics to be indexed, set this option to 1.
+# Default: 0
+#
+MetaRobot=0
+
+
+# You can set Logo and LogoLink to use your own logo.
+# Logo must be the name of image file (must be in $DirIcons/other directory).
+# LogoLink is the expected URL when clicking on Logo.
+# Default: "awstats_logo6.png"
+#
+Logo="awstats_logo6.png"
+LogoLink="http://www.awstats.org"
+
+
+# Value of maximum bar width/height for horizontal/vertical HTML graphics bars.
+# Default: 260/90
+#
+BarWidth = 260
+BarHeight = 90
+
+
+# You can ask AWStats to use a particular CSS (Cascading Style Sheet) to
+# change its look. To create a style sheet, you can use samples provided with
+# AWStats in wwwroot/css directory.
+# Example: "/awstatscss/awstats_bw.css"
+# Example: "/css/awstats_bw.css"
+# Default: ""
+#
+StyleSheet=""
+
+
+# Those color parameters can be used (if StyleSheet parameter is not used)
+# to change AWStats look.
+# Example: color_name="RRGGBB" # RRGGBB is Red Green Blue components in Hex
+#
+color_Background="FFFFFF" # Background color for main page (Default = "FFFFFF")
+color_TableBGTitle="CCCCDD" # Background color for table title (Default = "CCCCDD")
+color_TableTitle="000000" # Table title font color (Default = "000000")
+color_TableBG="CCCCDD" # Background color for table (Default = "CCCCDD")
+color_TableRowTitle="FFFFFF" # Table row title font color (Default = "FFFFFF")
+color_TableBGRowTitle="ECECEC" # Background color for row title (Default = "ECECEC")
+color_TableBorder="ECECEC" # Table border color (Default = "ECECEC")
+color_text="000000" # Color of text (Default = "000000")
+color_textpercent="606060" # Color of text for percent values (Default = "606060")
+color_titletext="000000" # Color of text title within colored Title Rows (Default = "000000")
+color_weekend="EAEAEA" # Color for week-end days (Default = "EAEAEA")
+color_link="0011BB" # Color of HTML links (Default = "0011BB")
+color_hover="605040" # Color of HTML on-mouseover links (Default = "605040")
+color_u="FFAA66" # Background color for number of unique visitors (Default = "FFAA66")
+color_v="F4F090" # Background color for number of visites (Default = "F4F090")
+color_p="4477DD" # Background color for number of pages (Default = "4477DD")
+color_h="66DDEE" # Background color for number of hits (Default = "66DDEE")
+color_k="2EA495" # Background color for number of bytes (Default = "2EA495")
+color_s="8888DD" # Background color for number of search (Default = "8888DD")
+color_e="CEC2E8" # Background color for number of entry pages (Default = "CEC2E8")
+color_x="C1B2E2" # Background color for number of exit pages (Default = "C1B2E2")
+
+
+
+#-----------------------------------------------------------------------------
+# PLUGINS
+#-----------------------------------------------------------------------------
+
+# Add here all plugin files you want to load.
+# Plugin files must be .pm files stored in 'plugins' directory.
+# Uncomment LoadPlugin lines to enable a plugin after checking that perl
+# modules required by the plugin are installed.
+
+# PLUGIN: Tooltips
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add tooltips pop-up help boxes to HTML report pages.
+# NOTE: This will increased HTML report pages size, thus server load and bandwidth.
+#
+#LoadPlugin="tooltips"
+
+# PLUGIN: DecodeUTFKeys
+# REQUIRED MODULES: Encode and URI::Escape
+# PARAMETERS: None
+# DESCRIPTION: Allow AWStats to show correctly (in language charset)
+# keywords/keyphrases strings even if they were UTF8 coded by the
+# referer search engine.
+#
+#LoadPlugin="decodeutfkeys"
+
+# PLUGIN: IPv6
+# PARAMETERS: None
+# REQUIRED MODULES: Net::IP and Net::DNS
+# DESCRIPTION: This plugin gives AWStats capability to make reverse DNS
+# lookup on IPv6 addresses.
+#
+#LoadPlugin="ipv6"
+
+# PLUGIN: HashFiles
+# REQUIRED MODULES: Storable
+# PARAMETERS: None
+# DESCRIPTION: AWStats DNS cache files are read/saved as native hash files.
+# This increases DNS cache files loading speed, above all for very large web sites.
+#
+#LoadPlugin="hashfiles"
+
+
+# PLUGIN: UserInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (Firtname, Lastname, Office Department, ...) in
+# authenticated user reports for each login value.
+# A text file called userinfo.myconfig.txt, with two fields (first is login,
+# second is text to show, separated by a tab char) must be created in DirData
+# directory.
+#
+#LoadPlugin="userinfo"
+
+# PLUGIN: HostInfo
+# REQUIRED MODULES: Net::XWhois
+# PARAMETERS: None
+# DESCRIPTION: Add a column into host chart with a link to open a popup window that shows
+# info on host (like whois records).
+#
+#LoadPlugin="hostinfo"
+
+# PLUGIN: ClusterInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (for example a full hostname) in cluster reports for each cluster
+# number. A text file called clusterinfo.myconfig.txt, with two fields (first is
+# cluster number, second is text to show) separated by a tab char. must be
+# created into DirData directory.
+# Note this plugin is useless if ShowClusterStats is set to 0 or if you don't
+# use a personalized log format that contains %cluster tag.
+#
+#LoadPlugin="clusterinfo"
+
+# PLUGIN: UrlAliases
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (Page title, description...) in URL reports before URL value.
+# A text file called urlalias.myconfig.txt, with two fields (first is URL,
+# second is text to show, separated by a tab char) must be created into
+# DirData directory.
+#
+#LoadPlugin="urlalias"
+
+# PLUGIN: TimeHiRes
+# REQUIRED MODULES: Time::HiRes (if Perl < 5.8)
+# PARAMETERS: None
+# DESCRIPTION: Time reported by -showsteps option is in millisecond. For debug purpose.
+#
+#LoadPlugin="timehires"
+
+# PLUGIN: TimeZone
+# REQUIRED MODULES: Time::Local
+# PARAMETERS: [timezone offset]
+# DESCRIPTION: Allow AWStats to adjust time stamps for a different timezone
+# This plugin reduces AWStats speed of 10% !!!!!!!
+# LoadPlugin="timezone"
+# LoadPlugin="timezone +2"
+# LoadPlugin="timezone CET"
+#
+#LoadPlugin="timezone +2"
+
+# PLUGIN: Rawlog
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: This plugin adds a form in AWStats main page to allow users to see raw
+# content of current log files. A filter is also available.
+#
+#LoadPlugin="rawlog"
+
+# PLUGIN: GraphApplet
+# REQUIRED MODULES: None
+# PARAMETERS: [CSS classes to override]
+# DESCRIPTION: Supported charts are built by a 3D graphic applet.
+#
+#LoadPlugin="graphapplet /awstatsclasses" # EXPERIMENTAL FEATURE
+
+# PLUGIN: GraphGoogleChartAPI
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Replaces the standard charts with free Google API generated images
+# in HTML reports. If country data is available and more than one country has hits,
+# a map will be generated using Google Visualizations.
+# Note: The machine where reports are displayed must have Internet access for the
+# charts to be generated. The only data sent to Google includes the statistic numbers,
+# legend names and country names.
+# Warning: This plugin is not compatible with option BuildReportFormat=xhtml.
+#
+#LoadPlugin="graphgooglechartapi"
+
+# PLUGIN: GeoIPfree
+# REQUIRED MODULES: Geo::IPfree version 0.2+ (from Graciliano M.P.)
+# PARAMETERS: None
+# DESCRIPTION: Country chart is built from an Internet IP-Country database.
+# This plugin is useless for intranet only log files.
+# Note: You must choose between using this plugin (need Perl Geo::IPfree
+# module, database is free but not up to date) or the GeoIP plugin (need
+# Perl Geo::IP module from Maxmind, database is also free and up to date).
+# Note: Activestate provide a corrupted version of Geo::IPfree 0.2 Perl
+# module, so install it from elsewhere (from www.cpan.org for example).
+# This plugin reduces AWStats speed by up to 10% !
+#
+#LoadPlugin="geoipfree"
+
+# MAXMIND GEO IP MODULES: Please see documentation for notes on all Maxmind modules
+
+# PLUGIN: GeoIP
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoip.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"
+
+# PLUGIN: GeoIP2
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-Country.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name. This uses the new schema of GeoIP2 replacing
+# the now expired Legacy schema.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_country /pathto/GeoLite2-Country.mmdb"
+
+# PLUGIN: GeoIP6
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind, version >= 1.40)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoipv6.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# works with IPv4 and also IPv6 addresses
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip6 GEOIP_STANDARD /pathto/GeoIPv6.dat"
+
+# PLUGIN: GeoIP_City_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPCity.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /pathto/GeoIPCity.dat"
+
+# PLUGIN: GeoIP2_City
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-City.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_city /pathto/GeoLite2-City.mmdb"
+
+# PLUGIN: GeoIP_ASN_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPASN.dat[+/pathto/override.txt][+http://linktoASlookup]]
+# DESCRIPTION: This plugin adds a chart of AS numbers where the host IP address is registered.
+# This plugin can display some ISP information if included in the database. You can also provide
+# a link that will be used to lookup additional registration data. Put the link at the end of
+# the parameter string and the report page will include the link with the full AS number at the end.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_asn_maxmind GEOIP_STANDARD /usr/local/geoip.dat+http://enc.com.au/itools/autnum.php?asn="
+
+# PLUGIN: GeoIP_Region_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPRegion.dat[+/pathto/override.txt]]
+# DESCRIPTION:This plugin adds a chart of hits by regions. Only regions for US and
+# Canada can be detected.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_region_maxmind GEOIP_STANDARD /pathto/GeoIPRegion.dat"
+
+# PLUGIN: GeoIP_ISP_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPISP.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a chart of hits by ISP.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_isp_maxmind GEOIP_STANDARD /pathto/GeoIPISP.dat"
+
+# PLUGIN: GeoIP_Org_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPOrg.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin add a chart of hits by Organization name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_org_maxmind GEOIP_STANDARD /pathto/GeoIPOrg.dat"
+
+
+#-----------------------------------------------------------------------------
+# EXTRA SECTIONS
+#-----------------------------------------------------------------------------
+
+# You can define your own charts, you choose here what are rows and columns
+# keys. This feature is particularly useful for marketing purpose, tracking
+# products orders for example.
+# For this, edit all parameters of Extra section. Each set of parameter is a
+# different chart. For several charts, duplicate section changing the number.
+# Note: Each Extra section reduces AWStats speed by 8%.
+#
+# WARNING: A wrong setup of Extra section might result in too large arrays
+# that will consume all your memory, making AWStats unusable after several
+# updates, so be sure to setup it correctly.
+# In most cases, you don't need this feature.
+#
+# ExtraSectionNameX is title of your personalized chart.
+# ExtraSectionCodeFilterX is list of codes the record code field must match.
+# Put an empty string for no test on code.
+# ExtraSectionConditionX are conditions you can use to count or not the hit,
+# Use one of the field condition
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and a regex to match, after a coma. Use "||" for "OR".
+# ExtraSectionFirstColumnTitleX is the first column title of the chart.
+# ExtraSectionFirstColumnValuesX is a string to tell AWStats which field to
+# extract value from
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and how to extract the value (using regex syntax). Each different value
+# found will appear in first column of report on a different row. Be sure
+# that list of different possible values will not grow indefinitely.
+# ExtraSectionFirstColumnFormatX is the string used to write value.
+# ExtraSectionStatTypesX are things you want to count. You can use standard
+# code letters (P for pages,H for hits,B for bandwidth,L for last access).
+# ExtraSectionAddAverageRowX add a row at bottom of chart with average values.
+# ExtraSectionAddSumRowX add a row at bottom of chart with sum values.
+# MaxNbOfExtraX is maximum number of rows shown in chart.
+# MinHitExtraX is minimum number of hits required to be shown in chart.
+# + +# Example to report the 20 products the most ordered by "order.cgi" script +#ExtraSectionName1="Product orders" +#ExtraSectionCodeFilter1="200 304" +#ExtraSectionCondition1="URL,\/cgi\-bin\/order\.cgi||URL,\/cgi\-bin\/order2\.cgi" +#ExtraSectionFirstColumnTitle1="Product ID" +#ExtraSectionFirstColumnValues1="QUERY_STRING,productid=([^&]+)" +#ExtraSectionFirstColumnFormat1="%s" +#ExtraSectionStatTypes1=PL +#ExtraSectionAddAverageRow1=0 +#ExtraSectionAddSumRow1=1 +#MaxNbOfExtra1=20 +#MinHitExtra1=1 + + +# There is also a global parameter ExtraTrackedRowsLimit that limits the +# number of possible rows an ExtraSection can report. This parameter is +# here to protect too much memory use when you make a bad setup in your +# ExtraSection. It applies to all ExtraSection independently meaning that +# none ExtraSection can report more rows than value defined by ExtraTrackedRowsLimit. +# If you know an ExtraSection will report more rows than its value, you should +# increase this parameter or AWStats will stop with an error. +# Example: 2000 +# Default: 500 +# +ExtraTrackedRowsLimit=500 + + +#----------------------------------------------------------------------------- +# INCLUDES +#----------------------------------------------------------------------------- + +# You can include other config files using the directive with the name of the +# config file. +# This is particularly useful for users who have a lot of virtual servers, so +# a lot of config files and want to maintain common values in only one file. +# Note that when a variable is defined both in a config file and in an +# included file, AWStats will use the last value read for parameters that +# contains one value and AWStats will concat all values from both files for +# parameters that are lists of values. +# + +#Include "" diff --git a/awstats/awstats.localhost.localdomain.conf b/awstats/awstats.localhost.localdomain.conf new file mode 100644 index 0000000..a3662a8 --- /dev/null 
+++ b/awstats/awstats.localhost.localdomain.conf 
@@ -0,0 +1,1619 @@
+# AWSTATS CONFIGURE FILE 7.3
+#-----------------------------------------------------------------------------
+# Copy this file into awstats.www.mydomain.conf and edit this new config file
+# to setup AWStats (See documentation in docs/ directory).
+# The config file must be in /etc/awstats, /usr/local/etc/awstats or /etc (for
+# Unix/Linux) or same directory as awstats.pl (Windows, Mac, Unix/Linux...)
+# To include an environment variable in any parameter (AWStats will replace
+# it with its value when reading it), follow the example:
+# Parameter="__ENVNAME__"
+# Note that environment variable AWSTATS_CURRENT_CONFIG is always defined with
+# the config value in an AWStats running session and can be used like others.
+#-----------------------------------------------------------------------------
+
+
+
+#-----------------------------------------------------------------------------
+# MAIN SETUP SECTION (Required to make AWStats work)
+#-----------------------------------------------------------------------------
+
+# "LogFile" contains the web, ftp or mail server log file to analyze.
+# Possible values: A full path, or a relative path from awstats.pl directory.
+# Example: "/var/log/apache/access.log"
+# Example: "../logs/mycombinedlog.log"
+# You can also use tags in this filename if you need a dynamic file name
+# depending on date or time (Replacement is made by AWStats at the beginning
+# of its execution).
These are the available tags :
+# %YYYY-n is replaced with 4 digits year we were n hours ago
+# %YY-n is replaced with 2 digits year we were n hours ago
+# %MM-n is replaced with 2 digits month we were n hours ago
+# %MO-n is replaced with 3 letters month we were n hours ago
+# %DD-n is replaced with day we were n hours ago
+# %HH-n is replaced with hour we were n hours ago
+# %NS-n is replaced with number of seconds at 00:00 since 1970
+# %WM-n is replaced with the week number in month (1-5)
+# %Wm-n is replaced with the week number in month (0-4)
+# %WY-n is replaced with the week number in year (01-52)
+# %Wy-n is replaced with the week number in year (00-51)
+# %DW-n is replaced with the day number in week (1-7, 1=sunday)
+# use n=24 if you need (1-7, 1=monday)
+# %Dw-n is replaced with the day number in week (0-6, 0=sunday)
+# use n=24 if you need (0-6, 0=monday)
+# Use 0 for n if you need current year, month, day, hour...
+# Example: "/var/log/access_log.%YYYY-0%MM-0%DD-0.log"
+# Example: "C:/WINNT/system32/LogFiles/W3SVC1/ex%YY-24%MM-24%DD-24.log"
+# You can also use a pipe if log file come from a pipe :
+# Example: "gzip -cd /var/log/apache/access.log.gz |"
+# If there are several log files from load balancing servers :
+# Example: "/pathtotools/logresolvemerge.pl *.log |"
+#
+LogFile="/var/log/httpd/access_log"
+
+
+# Enter the log file type you want to analyze.
+# Possible values:
+# W - For a web log file
+# S - For a streaming log file
+# M - For a mail log file
+# F - For an ftp log file
+# Example: W
+# Default: W
+#
+LogType=W
+
+
+# Enter here your log format (Must match your web server config. See setup
+# instructions in documentation to know how to configure your web server to
+# have the required log format).
+# Possible values: 1,2,3,4 or "your_own_personalized_log_format"
+# 1 - Apache or Lotus Notes/Domino native combined log format (NCSA combined/XLF/ELF log format)
+# 2 - IIS or ISA format (IIS W3C log format). See FAQ-COM115 For ISA.
+# 3 - Webstar native log format.
+# 4 - Apache or Squid native common log format (NCSA common/CLF log format)
+# With LogFormat=4, some features (browsers, os, keywords...) can't work.
+# "your_own_personalized_log_format" = If your log is ftp, mail or other format,
+# you must use following keys to define the log format string (See FAQ for
+# ftp, mail or exotic web log format examples):
+# %host Client hostname or IP address (or Sender host for mail log)
+# %host_r Receiver hostname or IP address (for mail log)
+# %lognamequot Authenticated login/user with format: "john"
+# %logname Authenticated login/user with format: john
+# %time1 Date and time with format: [dd/mon/yyyy:hh:mm:ss +0000] or [dd/mon/yyyy:hh:mm:ss]
+# %time2 Date and time with format: yyyy-mm-dd hh:mm:ss
+# %time3 Date and time with format: Mon dd hh:mm:ss or Mon dd hh:mm:ss yyyy
+# %time4 Date and time with unix timestamp format: dddddddddd
+# %time5 Date and time with format iso: yyyy-mm-ddThh:mm:ss, with optional timezone specification (ignored)
+# %time6 Date and time with format: dd/mm/yyyy, hh:mm:ss
+# %methodurl Method and URL with format: "GET /index.html HTTP/x.x"
+# %methodurlnoprot Method and URL with format: "GET /index.html"
+# %method Method with format: GET
+# %url URL only with format: /index.html
+# %query Query string (used by URLWithQuery option)
+# %code Return code status (with format for web log: 999)
+# %bytesd Size of document in bytes
+# %refererquot Referer page with format: "http://from.com/from.htm"
+# %referer Referer page with format: http://from.com/from.htm
+# %uabracket User agent with format: [Mozilla/4.0 (compatible, ...)]
+# %uaquot User agent with format: "Mozilla/4.0 (compatible, ...)"
+# %ua User agent with format: Mozilla/4.0_(compatible...)
+# %gzipin mod_gzip compression input bytes: In:XXX
+# %gzipout mod_gzip compression output bytes & ratio: Out:YYY:ZZpct.
+# %gzipratio mod_gzip compression ratio: ZZpct.
+# %deflateratio mod_deflate compression ratio with format: (ZZ)
+# %email EMail sender (for mail log)
+# %email_r EMail receiver (for mail log)
+# %virtualname Web sever virtual hostname. Use this tag when same log
+# contains data of several virtual web servers. AWStats
+# will discard records not in SiteDomain nor HostAliases
+# %cluster If log file is provided from several computers (merged by
+# logresolvemerge.pl), use this to define cluster id field.
+# %extraX Another field that you plan to use for building a
+# personalized report with ExtraSection feature (See later).
+# If your log format has some fields not included in this list, use:
+# %other Means another not used field
+# %otherquot Means another not used double quoted field
+# If your log format has some literal strings, which precede data fields, use
+# status=%code Means your log files have HTTP status logged as "status=200"
+# Literal strings that follow data field must be separated from said data fields by space.
+#
+# Examples for Apache combined logs (following two examples are equivalent):
+# LogFormat = 1
+# LogFormat = "%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
+#
+# Example for IIS:
+# LogFormat = 2
+#
+LogFormat=1
+
+
+# If your log field's separator is not a space, you can change this parameter.
+# This parameter is not used if LogFormat is a predefined value (1,2,3,4)
+# Backslash can be used as escape character.
+# Example: " "
+# Example: "\t"
+# Example: "\|"
+# Example: ","
+# Default: " "
+#
+LogSeparator=" "
+
+
+# "SiteDomain" must contain the main domain name, or the main intranet web
+# server name, used to reach the web site.
+# If you share the same log file for several virtual web servers, this
+# parameter is used to tell AWStats to filter record that contains records for
+# this virtual host name only (So check that this virtual hostname can be
+# found in your log file and use a personalized log format that include the
+# %virtualname tag).
+# But for multi hosting a better solution is to have one log file for each
+# virtual web server. In this case, this parameter is only used to generate
+# full URL's links when ShowLinksOnUrl option is set to 1.
+# If analyzing mail log, enter here the domain name of mail server.
+# Example: "myintranetserver"
+# Example: "www.domain.com"
+# Example: "ftp.domain.com"
+# Example: "domain.com"
+#
+SiteDomain="localhost.localdomain"
+
+
+# Enter here all other possible domain names, addresses or virtual host
+# aliases someone can use to access your site. Try to keep only the minimum
+# number of possible names/addresses to have the best performances.
+# You can repeat the "SiteDomain" value in this list.
+# This parameter is used to analyze referer field in log file and to help
+# AWStats to know if a referer URL is a local URL of same site or a URL of
+# another site.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Note: You can also use @/mypath/myfile if list of aliases are in a file.
+# Example: "www.myserver.com localhost 127.0.0.1 REGEX[mydomain\.(net|org)$]"
+#
+HostAliases="localhost 127.0.0.1"
+
+
+# If you want to have hosts reported by name instead of ip address, AWStats
+# needs to make reverse DNS lookups (if not already done in your log file).
+# With DNSLookup to 0, all hosts will be reported by their IP addresses and
+# not by the full hostname of visitors (except if names are already available
+# in log file).
+# If you want/need to set DNSLookup to 1, don't forget that this will
+# dramatically reduce AWStats's update process speed.
Do not use on large web
+# sites.
+# Note: Reverse DNS lookup is done on IPv4 only (Enable ipv6 plugin for IPv6).
+# Note: Result of DNS Lookup can be used to build the Country report. However
+# it is highly recommanded to enable the plugin 'geoip', 'geoipfree', or 'geoip2'
+# to have an accurate Country report with no need for DNS Lookup.
+# Possible values:
+# 0 - No DNS Lookup
+# 1 - DNS Lookup is fully enabled
+# 2 - DNS Lookup is made only from static DNS cache file (if it exists)
+# Default: 2
+#
+DNSLookup=2
+
+
+# For very large sites, setting DNSLookup to 0 (or 2) might be the only
+# reasonable choice. DynamicDNSLookup allows to resolve host names for
+# items shown in html tables only, when data is output on reports instead
+# of resolving once during log analysis step.
+# Possible values:
+# 0 - No dynamic DNS lookup
+# 1 - Dynamic DNS lookup enabled
+# 2 - Dynamic DNS lookup enabled (including static DNS cache file as a second
+# source)
+# Default: 0
+#
+DynamicDNSLookup=0
+
+
+# When AWStats updates its statistics, it stores results of its analysis in
+# files (AWStats database). All those files are written in the directory
+# defined by the "DirData" parameter. Set this value to the directory where
+# you want AWStats to save its database and working files into.
+# Warning: If you want to be able to use the "AllowToUpdateStatsFromBrowser"
+# feature (see later), you need "Write" permissions by web server user on this
+# directory (and "Modify" for Windows NTFS file systems).
+# Example: "/var/lib/awstats"
+# Example: "../data"
+# Example: "C:/awstats_data_dir"
+# Default: "." (means same directory as awstats.pl)
+#
+DirData="/var/lib/awstats"
+
+
+# Relative or absolute web URL of your awstats cgi-bin directory.
+# This parameter is used only when AWStats is run from command line
+# with -output option (to generate links in HTML reported page).
+# Example: "/awstats"
+# Default: "/cgi-bin" (means awstats.pl is in "/yourwwwroot/cgi-bin")
+#
+DirCgi="/awstats"
+
+
+# Relative or absolute web URL of your awstats icon directory.
+# If you build static reports ("... -output > outputpath/output.html"), enter
+# path of icon directory relative to the output directory 'outputpath'.
+# Example: "/awstatsicons"
+# Example: "../icon"
+# Default: "/icon" (means you must copy icon directories in "/mywwwroot/icon")
+#
+DirIcons="/awstatsicons"
+
+
+# When this parameter is set to 1, AWStats adds a button on the report page to
+# allow to "update" statistics from a web browser. Warning, when "update" is
+# made from a browser, AWStats is run as a CGI by the web server user defined
+# in your web server (user "nobody" by default with Apache, "IUSR_XXX" with
+# IIS), so the "DirData" directory and all already existing history files
+# awstatsMMYYYY[.xxx].txt must be writable by this user. Change permissions if
+# necessary to "Read/Write" (and "Modify" for Windows NTFS file systems).
+# Warning: Update process can be long so you might experience "time out"
+# browser errors if you don't launch AWStats frequently enough.
+# When set to 0, update is only made when AWStats is run from the command
+# line interface (or a task scheduler).
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowToUpdateStatsFromBrowser=0
+
+
+# AWStats saves and sorts its database on a monthly basis (except if using
+# databasebreak option from command line).
+# However, if you choose the -month=all from command line or
+# value '-Year-' from CGI combo form to have a report for all year, AWStats
+# needs to reload all data for full year (each month), and sort them,
+# requiring a large amount of time, memory and CPU. This might be a problem
+# for web hosting providers that offer AWStats for large sites, on shared
+# servers, to non CPU cautious customers.
+# For this reason, the 'full year' is only enabled on Command Line by default.
+# You can change this by setting this parameter to 0, 1, 2 or 3.
+# Possible values:
+# 0 - Never allowed
+# 1 - Allowed on CLI only, -Year- value in combo is not visible
+# 2 - Allowed on CLI only, -Year- value in combo is visible but not allowed
+# 3 - Possible on CLI and CGI
+# Default: 2
+#
+AllowFullYearView=2
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL SETUP SECTION (Not required but enhances AWStats's functionality)
+#-----------------------------------------------------------------------------
+
+# When the update process runs, AWStats can set a lock file in TEMP or TMP
+# directory. This lock is to avoid to have 2 update processes running at the
+# same time to prevent unknown conflicts problems and avoid DoS attacks when
+# AllowToUpdateStatsFromBrowser is set to 1.
+# Because, when you use lock file, you can sometimes experience problems if
+# lock file is not correctly removed (killed process for example requires that
+# you remove the file manually), this option is not enabled by default (Do
+# not enable this option with no console server access).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+EnableLockForUpdate=1
+
+
+# AWStats can do reverse DNS lookups through a static DNS cache file that was
+# previously created manually. If no path is given in static DNS cache file
+# name, AWStats will search DirData directory. This file is never changed.
+# This option is not used if DNSLookup=0.
+# Note: DNS cache file format is 'minsince1970 ipaddress resolved_hostname'
+# or just 'ipaddress resolved_hostname'
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscache"
+# Default: "dnscache.txt"
+#
+DNSStaticCacheFile="dnscache.txt"
+
+
+# AWStats can do reverse DNS lookups through a DNS cache file that was created
+# by a previous run of AWStats. This file is erased and recreated after each
+# statistics update process.
You don't need to create and/or edit it.
+# AWStats will read and save this file in DirData directory.
+# This option is used only if DNSLookup=1.
+# Note: If a DNSStaticCacheFile is available, AWStats will check for DNS
+# lookup in DNSLastUpdateCacheFile after checking into DNSStaticCacheFile.
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscachelastupdate"
+# Default: "dnscachelastupdate.txt"
+#
+DNSLastUpdateCacheFile="dnscachelastupdate.txt"
+
+
+# You can specify specific IP addresses that should NOT be looked up in DNS.
+# This option is used only if DNSLookup=1.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "123.123.123.123 REGEX[^192\.168\.]"
+# Default: ""
+#
+SkipDNSLookupFor=""
+
+
+# The following two parameters allow you to protect a config file from being
+# read by AWStats when called from a browser if the web user has not been
+# authenticated. Your AWStats program must be in a web protected "realm" (With
+# Apache, you can use .htaccess files to do so. With other web servers, see
+# your server setup manual).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowAccessFromWebToAuthenticatedUsersOnly=0
+
+
+# This parameter gives the list of all authorized authenticated users to view
+# statistics for this domain/config file. This parameter is used only if
+# AllowAccessFromWebToAuthenticatedUsersOnly is set to 1.
+# Change : Effective immediately
+# Example: "user1 user2"
+# Example: "__REMOTE_USER__"
+# Default: ""
+#
+AllowAccessFromWebToFollowingAuthenticatedUsers=""
+
+
+# When this parameter is defined to something, the IP address of the user that
+# reads its statistics from a browser (when AWStats is used as a CGI) is
+# checked and must match one of the IP address values or ranges.
+# Change : Effective immediately
+# Example: "127.0.0.1 123.123.123.1-123.123.123.255"
+# Default: ""
+#
+AllowAccessFromWebToFollowingIPAddresses=""
+
+
+# If the "DirData" directory (see above) does not exist, AWStats returns an
+# error. However, you can ask AWStats to create it.
+# This option can be used by some Web Hosting Providers that have defined a
+# dynamic value for DirData (for example DirData="/home/__REMOTE_USER__") and
+# don't want to have to create a new directory each time they add a new user.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+CreateDirDataIfNotExists=0
+
+
+# You can choose in which format the AWStats history database is saved.
+# Note: Using "xml" format makes AWStats database files three times larger than
+# using "text" format.
+# Change : Database format is switched after next update
+# Possible values: text or xml
+# Default: text
+#
+BuildHistoryFormat=text
+
+
+# If you prefer having the report output pages be built as XML compliant pages
+# instead of simple HTML pages, you can set this to 'xhtml' (May not work
+# properly with old browsers).
+# Change : Effective immediately
+# Possible values: html or xhtml
+# Default: html
+#
+BuildReportFormat=html
+
+
+# AWStats databases can be updated from command line or from a browser (when
+# used as a cgi program). So AWStats database files need write permission
+# for both command line user and default web server user ('nobody' for Unix,
+# 'IUSR_xxx' for IIS/Windows,...).
+# To avoid permission problems between update process (run by an admin user)
+# and CGI process (ran by a low level user), AWStats can save its database
+# files with read and write permissions for everyone.
+# By default, AWStats keeps default user permissions on updated files. If you
+# set AllowToUpdateStatsFromBrowser to 1, you can change this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+SaveDatabaseFilesWithPermissionsForEveryone=0
+
+
+# AWStats can purge log file, after analyzing it. Note that AWStats is able
+# to detect new lines in a log file, to process only them, so you can launch
+# AWStats as often as you want, even with this parameter to 0.
+# With 0, no purge is made, so you must use a scheduled task or a web server
+# that make this purge frequently.
+# With 1, the purge of the log file is made each time AWStats update is run.
+# This parameter doesn't work with IIS (This web server doesn't let its log
+# file to be purged).
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+PurgeLogFile=0
+
+
+# When PurgeLogFile is set to 1, AWStats will clean your log file after
+# processing it. You can however keep an archive file of all processed log
+# records by setting this parameter (For example if you want to use another
+# log analyzer). The archived log file is saved in "DirData" with name
+# awstats_archive.configname[.suffix].log
+# This parameter is not used if PurgeLogFile=0
+# Change : Effective for new updates only
+# Possible values: 0, 1, or tags (See LogFile parameter) for suffix
+# Example: 1
+# Example: %YYYY%MM%DD
+# Default: 0
+#
+ArchiveLogRecords=0
+
+
+# Each time you run the update process, AWStats overwrites the 'historic file'
+# for the month (awstatsMMYYYY[.*].txt) with the updated one.
+# When write errors occur (IO, disk full,...), this historic file can be
+# corrupted and must be deleted. Because this file contains information of all
+# past processed log files, you will lose old stats if removed. So you can
+# ask AWStats to save last non corrupted file in a .bak file. This file is
+# stored in "DirData" directory with other 'historic files'.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+KeepBackupOfHistoricFiles=0
+
+
+# Default index page name for your web server.
+# Change : Effective for new updates only
+# Example: "index.php index.html default.html"
+# Default: "index.php index.html"
+#
+DefaultFile="index.php index.html"
+
+
+# Do not include access from clients that match following criteria.
+# If your log file contains IP addresses in host field, you must enter here
+# matching IP addresses criteria.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "SkipHosts" is "OnlyHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Example: "localhost REGEX[^.*\.localdomain$]"
+# Default: ""
+#
+SkipHosts="127.0.0.1"
+
+
+# Do not include access from clients with a user agent that match following
+# criteria. If you want to exclude a robot, you should update the robots.pm
+# file instead of this parameter.
+# The opposite parameter of "SkipUserAgents" is "OnlyUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "konqueror REGEX[ua_test_v\d\.\d]"
+# Default: ""
+#
+SkipUserAgents=""
+
+
+# Use SkipFiles to ignore access to URLs that match one of following entries.
+# You can enter a list of not important URLs (like framed menus, hidden pages,
+# etc...) to exclude them from statistics. You must enter here exact relative
+# URL as found in log file, or a matching REGEX value. Check apply on URL with
+# all its query paramaters.
+# For example, to ignore /badpage.php, just add "/badpage.php". To ignore all
+# pages in a particular directory, add "REGEX[^\/directorytoexclude]".
+# The opposite parameter of "SkipFiles" is "OnlyFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "/badpage.php /page.php?param=x REGEX[^\/excludedirectory]"
+# Default: ""
+#
+SkipFiles=""
+
+
+# Use SkipReferrersBlackList if you want to exclude records coming from a SPAM
+# referrer. Parameter must receive a local file name containing rules applied
+# on referrer field. If parameter is empty, no filter is applied.
+# An example of such a file is available in lib/blacklist.txt
+# Change : Effective for new updates only
+# Example: "/mylibpath/blacklist.txt"
+# Default: ""
+#
+# WARNING!! Using this feature make AWStats running very slower (5 times slower
+# with black list file provided with AWStats !
+#
+SkipReferrersBlackList=""
+
+
+# Include in stats, only accesses from hosts that match one of following
+# entries. For example, if you want AWStats to filter access to keep only
+# stats for visits from particular hosts, you can add those host names in
+# this parameter.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "OnlyHosts" is "SkipHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Default: ""
+#
+OnlyHosts=""
+
+
+# Include in stats, only accesses from user agent that match one of following
+# entries.
For example, if you want AWStats to filter access to keep only
+# stats for visits from particular browsers, you can add their user agents
+# string in this parameter.
+# The opposite parameter of "OnlyUserAgents" is "SkipUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "msie"
+# Default: ""
+#
+OnlyUserAgents=""
+
+
+# Include in stats, only accesses from authenticated users that match one of
+# following entries. For example, if you want AWStats to filter access to keep
+# only stats for authenticated users, you can add those users names in
+# this parameter. Useful for statistics for per user ftp logs.
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "john bob REGEX[^testusers]"
+# Default: ""
+#
+OnlyUsers=""
+
+
+# Include in stats, only accesses to URLs that match one of following entries.
+# For example, if you want AWStats to filter access to keep only stats that
+# match a particular string, like a particular directory, you can add this
+# directory name in this parameter.
+# The opposite parameter of "OnlyFiles" is "SkipFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "REGEX[marketing_directory] REGEX[office\/.*\.(csv|sxw)$]"
+# Default: ""
+#
+OnlyFiles=""
+
+
+# Add here a list of kind of url (file extension) that must be counted as
+# "Hit only" and not as a "Hit" and "Page/Download".
You can set here all
+# image extensions as they are hit downloaded that must be counted but they
+# are not viewed pages. URLs with such extensions are not included in the TOP
+# Pages/URL report.
+# Note: If you want to exclude particular URLs from stats (No Pages and no
+# Hits reported), you must use SkipFiles parameter.
+# Change : Effective for new updates only
+# Example: "css js class gif jpg jpeg png bmp ico rss xml swf zip arj rar gz z bz2 wav mp3 wma mpg avi"
+# Example: ""
+# Default: "css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+#
+NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+
+
+# By default, AWStats considers that records found in web log file are
+# successful hits if HTTP code returned by server is a valid HTTP code (200
+# and 304). Any other code are reported in HTTP status chart.
+# Note that HTTP 'control codes', like redirection (302, 305) are not added by
+# default in this list as they are not pages seen by a visitor but are
+# protocol exchange codes to tell the browser to ask another page. Because
+# this other page will be counted and seen with a 200 or 304 code, if you
+# add such codes, you will have 2 pages viewed reported for only one in facts.
+# Change : Effective for new updates only
+# Example: "200 304 302 305"
+# Default: "200 304"
+#
+ValidHTTPCodes="200 304"
+
+
+# By default, AWStats considers that records found in mail log file are
+# successful mail transfers if field that represent return code in analyzed
+# log file match values defined by this parameter.
+# Change : Effective for new updates only
+# Example: "1 250 200"
+# Default: "1 250"
+#
+ValidSMTPCodes="1 250"
+
+
+# By default, AWStats only records info on 404 'Document Not Found' errors.
+# At the cost of additional processing time, further info pages can be made
+# available by adding codes below.
+# Change : Effective for new updates only
+# Example: "403 404"
+# Default: "404"
+#
+TrapInfosForHTTPErrorCodes = "400 403 404"
+
+
+# Some web servers on some Operating systems (IIS-Windows) consider that a
+# login with same value but different case are the same login. To tell AWStats
+# to also consider them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+AuthenticatedUsersNotCaseSensitive=0
+
+
+# Some web servers on some Operating systems (IIS-Windows) considers that two
+# URLs with same value but different case are the same URL. To tell AWStats to
+# also considers them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLNotCaseSensitive=0
+
+
+# Keep or remove the anchor string you can find in some URLs.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLWithAnchor=0
+
+
+# In URL links, "?" char is used to add parameter's list in URLs. Syntax is:
+# /mypage.html?param1=value1¶m2=value2
+# However, some servers/sites use also other chars to isolate dynamic part of
+# their URLs. You can complete this list with all such characters.
+# Change : Effective for new updates only
+# Example: "?;,"
+# Default: "?;"
+#
+URLQuerySeparators="?;"
+
+
+# Keep or remove the query string to the URL in the statistics for individual
+# pages. This is primarily used to differentiate between the URLs of dynamic
+# pages. If set to 1, mypage.html?id=x and mypage.html?id=y are counted as two
+# different pages.
+# Warning, when set to 1, memory required to run AWStats is dramatically
+# increased if you have a lot of changing URLs (for example URLs with a random
+# id inside). Such web sites should not set this option to 1 or use seriously
+# the next parameter URLWithQueryWithOnlyFollowingParameters (or eventually
+# URLWithQueryWithoutFollowingParameters).
+# Change : Effective for new updates only
+# Possible values:
+# 0 - URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLWithQuery=0
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to keep only parameters
+# you need (if you know them) before counting, manipulating and storing URL.
+# Enter here list of wanted parameters. For example, with "param", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithoutFollowingParameters.
+# Change : Effective for new updates only
+# Example: "param"
+# Default: ""
+#
+URLWithQueryWithOnlyFollowingParameters=""
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to remove such parameters
+# from the URL before counting, manipulating and storing URL. Enter here list
+# of all non wanted parameters. For example if you enter "id", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithOnlyFollowingParameters.
+# Change : Effective for new updates only
+# Example: "PHPSESSID jsessionid"
+# Default: ""
+#
+URLWithQueryWithoutFollowingParameters=""
+
+
+# Keep or remove the query string to the referrer URL in the statistics for
+# external referrer pages. This is used to differentiate between the URLs of
+# dynamic referrer pages. If set to 1, mypage.html?id=x and mypage.html?id=y
+# are counted as two different referrer pages.
+# Change : Effective for new updates only
+# Possible values:
+# 0 - Referrer URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLReferrerWithQuery=0
+
+
+# AWStats can detect setup problems or show you important informations to have
+# a better use. Keep this to 1, except if AWStats says you can change it.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 1
+#
+WarningMessages=1
+
+
+# When an error occurs, AWStats outputs a message related to errors. If you
+# want (in most cases for security reasons) to have no error messages, you
+# can set this parameter to your personalized generic message.
+# Change : Effective immediately
+# Example: "An error occurred. Contact your Administrator"
+# Default: ""
+#
+ErrorMessages=""
+
+
+# AWStat can be run with debug=x parameter to output various informations
+# to help in debugging or solving troubles. If you want to allow this (not
+# enabled by default for security reasons), set this parameter to 0.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+DebugMessages=0
+
+
+# To help you to detect if your log format is good, AWStats reports an error
+# if all the first NbOfLinesForCorruptedLog lines have a format that does not
+# match the LogFormat parameter.
+# However, some worm virus attack on your web server can result in a very high
+# number of corrupted lines in your log.
So if you experience awstats stop
+# because of bad virus records at the beginning of your log file, you can
+# increase this parameter (very rare).
+# Change : Effective for new updates only
+# Default: 50
+#
+NbOfLinesForCorruptedLog=50
+
+
+# For some particular integration needs, you may want to have CGI links to
+# point to another script than awstats.pl.
+# Use the name of this script in WrapperScript parameter.
+# Change : Effective immediately
+# Example: "awstatslauncher.pl"
+# Example: "awstatswrapper.cgi?key=123"
+# Default: ""
+#
+WrapperScript=""
+
+
+# DecodeUA must be set to 1 if you use Roxen web server. This server converts
+# all spaces in user agent field into %20. This make the AWStats robots, OS
+# and browsers detection fail in some cases. Just change it to 1 if and only
+# if your web server is Roxen.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+DecodeUA=0
+
+
+# MiscTrackerUrl can be used to make AWStats able to detect some miscellaneous
+# things, that can not be tracked on other way, like:
+# - Javascript disabled
+# - Java enabled
+# - Screen size
+# - Color depth
+# - Macromedia Director plugin
+# - Macromedia Shockwave plugin
+# - Realplayer G2 plugin
+# - QuickTime plugin
+# - Mediaplayer plugin
+# - Acrobat PDF plugin
+# To enable all these features, you must copy the awstats_misc_tracker.js file
+# into a /js/ directory stored in your web document root and add the following
+# HTML code at the end of your index page (but before ) :
+#
+#
+#
+#
+# If code is not added in index page, all those detection capabilities will be
+# disabled. You must also check that ShowScreenSizeStats and ShowMiscStats
+# parameters are set to 1 to make results appear in AWStats report page.
+# If you want to use another directory than /js/, you must also change the
+# awstatsmisctrackerurl variable into the awstats_misc_tracker.js file.
+# Change : Effective for new updates only.
+# Possible value: URL of javascript tracker file added in your HTML code.
+# Default: "/js/awstats_misc_tracker.js"
+#
+MiscTrackerUrl="/js/awstats_misc_tracker.js"
+
+
+# AddLinkToExternalCGIWrapper can be used to add a link to a wrapper script
+# into each title of Dolibarr reports. This can be used to add a wrapper
+# to download data into a CSV file for example.
+#
+# AddLinkToExternalCGIWrapper="/awstats/awdownloadcsv.pl"
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL ACCURACY SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# The following values allow you to define accuracy of AWStats entities
+# (robots, browsers, os, referers, file types) detection.
+# It might be a good idea for large web sites or ISP that provides AWStats to
+# high number of customers, to set this parameter to 1 (or 0), instead of 2.
+# Possible values:
+# 0 = No detection,
+# 1 = Medium/Standard detection
+# 2 = Full detection
+# Change : Effective for new updates only
+# Note : LevelForBrowsersDetection can also accept value "allphones". This
+# enable detailed detection of phone/pda browsers.
+# Default: 2 (0 for LevelForWormsDetection)
+#
+LevelForBrowsersDetection=2 # 0 disables Browsers detection.
+ # 2 reduces AWStats speed by 2%
+ # allphones reduces AWStats speed by 5%
+LevelForOSDetection=2 # 0 disables OS detection.
+ # 2 reduces AWStats speed by 3%
+LevelForRefererAnalyze=2 # 0 disables Origin detection.
+ # 2 reduces AWStats speed by 14%
+LevelForRobotsDetection=2 # 0 disables Robots detection.
+ # 2 reduces AWStats speed by 2.5%
+LevelForSearchEnginesDetection=2 # 0 disables Search engines detection.
+ # 2 reduces AWStats speed by 9%
+LevelForKeywordsDetection=2 # 0 disables Keyphrases/Keywords detection.
+ # 2 reduces AWStats speed by 1%
+LevelForFileTypesDetection=2 # 0 disables File types detection.
+ # 2 reduces AWStats speed by 1%
+LevelForWormsDetection=0 # 0 disables Worms detection.
+ # 2 reduces AWStats speed by 15%
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL APPEARANCE SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# When you use AWStats as a CGI, you can have the reports shown in HTML frames.
+# Frames are only available for report viewed dynamically. When you build
+# pages from command line, this option is not used and no frames are built.
+# Possible values: 0 or 1
+# Default: 1
+#
+UseFramesWhenCGI=1
+
+
+# This parameter asks your browser to open detailed reports into a different
+# window than the main page.
+# Possible values:
+# 0 - Open all in same browser window
+# 1 - Open detailed reports in another window except if using frames
+# 2 - Open always in a different window even if reports are framed
+# Default: 1
+#
+DetailedReportsOnNewWindows=1
+
+
+# You can add, in the HTML report page, a cache lifetime (in seconds) that
+# will be returned to the browser in HTTP header answer by server.
+# This parameter is not used when reports are built with -staticlinks option.
+# Example: 3600
+# Default: 0
+#
+Expires=3600
+
+
+# To avoid too large web pages, you can ask AWStats to limit number of rows of
+# all reported charts to this number when no other limits apply.
+# Default: 10000
+#
+MaxRowsInHTMLOutput=10000
+
+
+# Set your primary language (ISO-639-1 language codes).
+# Possible values:
+# Albanian=al, Bosnian=ba, Bulgarian=bg, Catalan=ca,
+# Chinese (Taiwan)=tw, Chinese (Simpliefied)=cn, Croatian=hr, Czech=cz,
+# Danish=dk, Dutch=nl, English=en, Estonian=et, Euskara=eu, Finnish=fi,
+# French=fr, Galician=gl, German=de, Greek=gr, Hebrew=he, Hungarian=hu,
+# Icelandic=is, Indonesian=id, Italian=it, Japanese=jp, Korean=ko,
+# Latvian=lv, Norwegian (Nynorsk)=nn, Norwegian (Bokmal)=nb, Polish=pl,
+# Portuguese=pt, Portuguese (Brazilian)=br, Romanian=ro, Russian=ru,
+# Serbian=sr, Slovak=sk, Slovenian=si, Spanish=es, Swedish=se, Turkish=tr,
+# Ukrainian=ua, Welsh=cy.
+# First available language accepted by browser=auto
+# Default: "auto"
+#
+Lang="auto"
+
+
+# Set the location of language files.
+# Example: "/usr/share/awstats/lang"
+# Default: "./lang" (means lang directory is in same location than awstats.pl)
+#
+DirLang="./lang"
+
+
+# Show menu header with reports' links
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowMenu=1
+
+
+# You choose here which reports you want to see in the main page and what you
+# want to see in those reports.
+# Possible values:
+# 0 - Report is not shown at all
+# 1 - Report is shown in main page with an entry in menu and default columns
+# XYZ - Report shows column informations defined by code X,Y,Z...
+# X,Y,Z...
are code letters among the following:
+# U = Unique visitors
+# V = Visits
+# P = Number of pages
+# H = Number of hits (or mails)
+# B = Bandwidth (or total mail size for mail logs)
+# L = Last access date
+# E = Entry pages
+# X = Exit pages
+# C = Web compression (mod_gzip,mod_deflate)
+# M = Average mail size (mail logs)
+#
+
+# Show monthly summary
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowSummary=UVPHB
+
+# Show monthly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowMonthStats=UVPHB
+
+# Show days of month chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: VPHB, Possible column codes: VPHB
+ShowDaysOfMonthStats=VPHB
+
+# Show days of week chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowDaysOfWeekStats=PHB
+
+# Show hourly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowHoursStats=PHB
+
+# Show domains/country chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: UVPHB
+ShowDomainsStats=PHB
+
+# Show hosts chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHBL, Possible column codes: PHBL
+ShowHostsStats=PHBL
+
+# Show authenticated users chart
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHBL
+ShowAuthenticatedUsers=0
+
+# Show robots chart
+# Context: Web, Streaming
+# Default: HBL, Possible column codes: HBL
+ShowRobotsStats=HBL
+
+# Show worms chart
+# Context: Web, Streaming
+# Default: 0 (If set to other than 0, see also LevelForWormsDetection), Possible column codes: HBL
+ShowWormsStats=0
+
+# Show email senders chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailSenders=0
+
+# Show email receivers chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailReceivers=0
+
+# Show
session chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowSessionsStats=1
+
+# Show pages-url chart.
+# Context: Web, Streaming, Ftp
+# Default: PBEX, Possible column codes: PBEX
+ShowPagesStats=PBEX
+
+# Show file types chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HBC
+ShowFileTypesStats=HB
+
+# Show file size chart (Not yet available)
+# Context: Web, Streaming, Mail, Ftp
+# Default: 1, Possible column codes: None
+ShowFileSizesStats=0
+
+# Show downloads chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HB
+ShowDownloadsStats=HB
+
+# Show operating systems chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowOSStats=1
+
+# Show browsers chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowBrowsersStats=1
+
+# Show screen size chart
+# Context: Web, Streaming
+# Default: 0 (If set to 1, see also MiscTrackerUrl), Possible column codes: None
+ShowScreenSizeStats=0
+
+# Show origin chart
+# Context: Web, Streaming
+# Default: PH, Possible column codes: PH
+ShowOriginStats=PH
+
+# Show keyphrases chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeyphrasesStats=1
+
+# Show keywords chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeywordsStats=1
+
+# Show misc chart
+# Context: Web, Streaming
+# Default: a (See also MiscTrackerUrl parameter), Possible column codes: anjdfrqwp
+ShowMiscStats=a
+
+# Show http errors chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowHTTPErrorsStats=1
+
+# Show http error page details
+# Context: Web, Streaming
+# Default: R, Possible column codes: RH
+ShowHTTPErrorsPageDetail=R
+
+# Show smtp errors chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: None
+ShowSMTPErrorsStats=0
+
+# Show the cluster report (Your LogFormat must contains the
%cluster tag)
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHB
+ShowClusterStats=0
+
+
+# Some graphical reports are followed by the data array of values.
+# If you don't want this array (to reduce the report size for example), you
+# can set thoose options to 0.
+# Possible values: 0 or 1
+# Default: 1
+#
+# Data array values for the ShowMonthStats report
+AddDataArrayMonthStats=1
+# Data array values for the ShowDaysOfMonthStats report
+AddDataArrayShowDaysOfMonthStats=1
+# Data array values for the ShowDaysOfWeekStats report
+AddDataArrayShowDaysOfWeekStats=1
+# Data array values for the ShowHoursStats report
+AddDataArrayShowHoursStats=1
+
+
+# In the Origin chart, you have stats on where your hits came from. You can
+# include hits on pages that come from pages of same sites in this chart.
+# Possible values: 0 or 1
+# Default: 0
+#
+IncludeInternalLinksInOriginSection=0
+
+
+# The following parameters can be used to choose the maximum number of lines
+# shown for the particular following reports.
+#
+# Stats by countries/domains
+MaxNbOfDomain = 10
+MinHitDomain = 1
+# Stats by hosts
+MaxNbOfHostsShown = 10
+MinHitHost = 1
+# Stats by authenticated users
+MaxNbOfLoginShown = 10
+MinHitLogin = 1
+# Stats by robots
+MaxNbOfRobotShown = 10
+MinHitRobot = 1
+# Stats for Downloads
+MaxNbOfDownloadsShown = 10
+MinHitDownloads = 1
+# Stats by pages
+MaxNbOfPageShown = 10
+MinHitFile = 1
+# Stats by OS
+MaxNbOfOsShown = 10
+MinHitOs = 1
+# Stats by browsers
+MaxNbOfBrowsersShown = 10
+MinHitBrowser = 1
+# Stats by screen size
+MaxNbOfScreenSizesShown = 5
+MinHitScreenSize = 1
+# Stats by window size (following 2 parameters are not yet used)
+MaxNbOfWindowSizesShown = 5
+MinHitWindowSize = 1
+# Stats by referers
+MaxNbOfRefererShown = 10
+MinHitRefer = 1
+# Stats for keyphrases
+MaxNbOfKeyphrasesShown = 10
+MinHitKeyphrase = 1
+# Stats for keywords
+MaxNbOfKeywordsShown = 10
+MinHitKeyword = 1
+# Stats for sender or receiver emails
+MaxNbOfEMailsShown = 20
+MinHitEMail = 1
+
+
+# Choose if you want the week report to start on sunday or monday
+# Possible values:
+# 0 - Week starts on sunday
+# 1 - Week starts on monday
+# Default: 1
+#
+FirstDayOfWeek=1
+
+
+# List of visible flags that link to other language translations.
+# See Lang parameter for list of allowed flag/language codes.
+# If you don't want any flag link, set ShowFlagLinks to "".
+# This parameter is used only if ShowMenu parameter is set to 1.
+# Possible values: "" or "language_codes_separated_by_space"
+# Example: "en es fr nl de"
+# Default: ""
+#
+ShowFlagLinks=""
+
+
+# Each URL, shown in stats report views, are links you can click.
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowLinksOnUrl=1
+
+
+# When AWStats builds HTML links in its report pages, it starts those links
+# with "http://". However some links might be HTTPS links, so you can enter
+# here the root of all your HTTPS links. If all your site is a SSL web site,
+# just enter "/".
+# This parameter is not used if ShowLinksOnUrl is 0.
+# Example: "/shopping"
+# Example: "/"
+# Default: ""
+#
+UseHTTPSLinkForUrl=""
+
+
+# Maximum length of URL part shown on stats page (number of characters).
+# This affects only URL visible text, links still work.
+# Default: 64
+#
+MaxLengthOfShownURL=64
+
+
+# You can enter HTML code that will be added at the top of AWStats reports.
+# Default: ""
+#
+HTMLHeadSection=""
+
+
+# You can enter HTML code that will be added at the end of AWStats reports.
+# Great to add advert ban.
+# Default: ""
+#
+HTMLEndSection=""
+
+
+# By default AWStats page contains meta tag robots=noindex,nofollow
+# If you want to have your statistics to be indexed, set this option to 1.
+# Default: 0
+#
+MetaRobot=0
+
+
+# You can set Logo and LogoLink to use your own logo.
+# Logo must be the name of image file (must be in $DirIcons/other directory).
+# LogoLink is the expected URL when clicking on Logo.
+# Default: "awstats_logo6.png"
+#
+Logo="awstats_logo6.png"
+LogoLink="http://www.awstats.org"
+
+
+# Value of maximum bar width/height for horizontal/vertical HTML graphics bars.
+# Default: 260/90
+#
+BarWidth = 260
+BarHeight = 90
+
+
+# You can ask AWStats to use a particular CSS (Cascading Style Sheet) to
+# change its look. To create a style sheet, you can use samples provided with
+# AWStats in wwwroot/css directory.
+# Example: "/awstatscss/awstats_bw.css"
+# Example: "/css/awstats_bw.css"
+# Default: ""
+#
+StyleSheet=""
+
+
+# Those color parameters can be used (if StyleSheet parameter is not used)
+# to change AWStats look.
+# Example: color_name="RRGGBB" # RRGGBB is Red Green Blue components in Hex
+#
+color_Background="FFFFFF" # Background color for main page (Default = "FFFFFF")
+color_TableBGTitle="CCCCDD" # Background color for table title (Default = "CCCCDD")
+color_TableTitle="000000" # Table title font color (Default = "000000")
+color_TableBG="CCCCDD" # Background color for table (Default = "CCCCDD")
+color_TableRowTitle="FFFFFF" # Table row title font color (Default = "FFFFFF")
+color_TableBGRowTitle="ECECEC" # Background color for row title (Default = "ECECEC")
+color_TableBorder="ECECEC" # Table border color (Default = "ECECEC")
+color_text="000000" # Color of text (Default = "000000")
+color_textpercent="606060" # Color of text for percent values (Default = "606060")
+color_titletext="000000" # Color of text title within colored Title Rows (Default = "000000")
+color_weekend="EAEAEA" # Color for week-end days (Default = "EAEAEA")
+color_link="0011BB" # Color of HTML links (Default = "0011BB")
+color_hover="605040" # Color of HTML on-mouseover links (Default = "605040")
+color_u="FFAA66" # Background color for number of unique visitors (Default = "FFAA66")
+color_v="F4F090" # Background color for number of visites (Default = "F4F090")
+color_p="4477DD" # Background color for number of pages (Default = "4477DD")
+color_h="66DDEE" # Background color for number of hits (Default = "66DDEE")
+color_k="2EA495" # Background color for number of bytes (Default = "2EA495")
+color_s="8888DD" # Background color for number of search (Default = "8888DD")
+color_e="CEC2E8" # Background color for number of entry pages (Default = "CEC2E8")
+color_x="C1B2E2" # Background color for number of exit pages (Default = "C1B2E2")
+
+
+
+#-----------------------------------------------------------------------------
+# PLUGINS
+#-----------------------------------------------------------------------------
+
+# Add here all plugin files you want to load.
+# Plugin files must be .pm files stored in 'plugins' directory.
+# Uncomment LoadPlugin lines to enable a plugin after checking that perl
+# modules required by the plugin are installed.
+
+# PLUGIN: Tooltips
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add tooltips pop-up help boxes to HTML report pages.
+# NOTE: This will increased HTML report pages size, thus server load and bandwidth.
+#
+#LoadPlugin="tooltips"
+
+# PLUGIN: DecodeUTFKeys
+# REQUIRED MODULES: Encode and URI::Escape
+# PARAMETERS: None
+# DESCRIPTION: Allow AWStats to show correctly (in language charset)
+# keywords/keyphrases strings even if they were UTF8 coded by the
+# referer search engine.
+#
+#LoadPlugin="decodeutfkeys"
+
+# PLUGIN: IPv6
+# PARAMETERS: None
+# REQUIRED MODULES: Net::IP and Net::DNS
+# DESCRIPTION: This plugin gives AWStats capability to make reverse DNS
+# lookup on IPv6 addresses.
+#
+#LoadPlugin="ipv6"
+
+# PLUGIN: HashFiles
+# REQUIRED MODULES: Storable
+# PARAMETERS: None
+# DESCRIPTION: AWStats DNS cache files are read/saved as native hash files.
+# This increases DNS cache files loading speed, above all for very large web sites.
+#
+#LoadPlugin="hashfiles"
+
+
+# PLUGIN: UserInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (Firtname, Lastname, Office Department, ...) in
+# authenticated user reports for each login value.
+# A text file called userinfo.myconfig.txt, with two fields (first is login,
+# second is text to show, separated by a tab char) must be created in DirData
+# directory.
+#
+#LoadPlugin="userinfo"
+
+# PLUGIN: HostInfo
+# REQUIRED MODULES: Net::XWhois
+# PARAMETERS: None
+# DESCRIPTION: Add a column into host chart with a link to open a popup window that shows
+# info on host (like whois records).
+#
+#LoadPlugin="hostinfo"
+
+# PLUGIN: ClusterInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (for example a full hostname) in cluster reports for each cluster
+# number.
A text file called clusterinfo.myconfig.txt, with two fields (first is
+# cluster number, second is text to show) separated by a tab char. must be
+# created into DirData directory.
+# Note this plugin is useless if ShowClusterStats is set to 0 or if you don't
+# use a personalized log format that contains %cluster tag.
+#
+#LoadPlugin="clusterinfo"
+
+# PLUGIN: UrlAliases
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (Page title, description...) in URL reports before URL value.
+# A text file called urlalias.myconfig.txt, with two fields (first is URL,
+# second is text to show, separated by a tab char) must be created into
+# DirData directory.
+#
+#LoadPlugin="urlalias"
+
+# PLUGIN: TimeHiRes
+# REQUIRED MODULES: Time::HiRes (if Perl < 5.8)
+# PARAMETERS: None
+# DESCRIPTION: Time reported by -showsteps option is in millisecond. For debug purpose.
+#
+#LoadPlugin="timehires"
+
+# PLUGIN: TimeZone
+# REQUIRED MODULES: Time::Local
+# PARAMETERS: [timezone offset]
+# DESCRIPTION: Allow AWStats to adjust time stamps for a different timezone
+# This plugin reduces AWStats speed of 10% !!!!!!!
+# LoadPlugin="timezone"
+# LoadPlugin="timezone +2"
+# LoadPlugin="timezone CET"
+#
+#LoadPlugin="timezone +2"
+
+# PLUGIN: Rawlog
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: This plugin adds a form in AWStats main page to allow users to see raw
+# content of current log files. A filter is also available.
+#
+#LoadPlugin="rawlog"
+
+# PLUGIN: GraphApplet
+# REQUIRED MODULES: None
+# PARAMETERS: [CSS classes to override]
+# DESCRIPTION: Supported charts are built by a 3D graphic applet.
+#
+#LoadPlugin="graphapplet /awstatsclasses" # EXPERIMENTAL FEATURE
+
+# PLUGIN: GraphGoogleChartAPI
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Replaces the standard charts with free Google API generated images
+# in HTML reports.
If country data is available and more than one country has hits,
+# a map will be generated using Google Visualizations.
+# Note: The machine where reports are displayed must have Internet access for the
+# charts to be generated. The only data sent to Google includes the statistic numbers,
+# legend names and country names.
+# Warning: This plugin is not compatible with option BuildReportFormat=xhtml.
+#
+#LoadPlugin="graphgooglechartapi"
+
+# PLUGIN: GeoIPfree
+# REQUIRED MODULES: Geo::IPfree version 0.2+ (from Graciliano M.P.)
+# PARAMETERS: None
+# DESCRIPTION: Country chart is built from an Internet IP-Country database.
+# This plugin is useless for intranet only log files.
+# Note: You must choose between using this plugin (need Perl Geo::IPfree
+# module, database is free but not up to date) or the GeoIP plugin (need
+# Perl Geo::IP module from Maxmind, database is also free and up to date).
+# Note: Activestate provide a corrupted version of Geo::IPfree 0.2 Perl
+# module, so install it from elsewhere (from www.cpan.org for example).
+# This plugin reduces AWStats speed by up to 10% !
+#
+#LoadPlugin="geoipfree"
+
+# MAXMIND GEO IP MODULES: Please see documentation for notes on all Maxmind modules
+
+# PLUGIN: GeoIP
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoip.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"
+
+# PLUGIN: GeoIP2
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-Country.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name. This uses the new schema of GeoIP2 replacing
+# the now expired Legacy schema.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_country /pathto/GeoLite2-Country.mmdb"
+
+# PLUGIN: GeoIP6
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind, version >= 1.40)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoipv6.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# works with IPv4 and also IPv6 addresses
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip6 GEOIP_STANDARD /pathto/GeoIPv6.dat"
+
+# PLUGIN: GeoIP_City_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPCity.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /pathto/GeoIPCity.dat"
+
+# PLUGIN: GeoIP2_City
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-City.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_city /pathto/GeoLite2-City.mmdb"
+
+# PLUGIN: GeoIP_ASN_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPASN.dat[+/pathto/override.txt][+http://linktoASlookup]]
+# DESCRIPTION: This plugin adds a chart of AS numbers where the host IP address is registered.
+# This plugin can display some ISP information if included in the database. You can also provide
+# a link that will be used to lookup additional registration data.
Put the link at the end of
+# the parameter string and the report page will include the link with the full AS number at the end.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_asn_maxmind GEOIP_STANDARD /usr/local/geoip.dat+http://enc.com.au/itools/autnum.php?asn="
+
+# PLUGIN: GeoIP_Region_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPRegion.dat[+/pathto/override.txt]]
+# DESCRIPTION:This plugin adds a chart of hits by regions. Only regions for US and
+# Canada can be detected.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_region_maxmind GEOIP_STANDARD /pathto/GeoIPRegion.dat"
+
+# PLUGIN: GeoIP_ISP_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPISP.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a chart of hits by ISP.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_isp_maxmind GEOIP_STANDARD /pathto/GeoIPISP.dat"
+
+# PLUGIN: GeoIP_Org_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPOrg.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin add a chart of hits by Organization name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_org_maxmind GEOIP_STANDARD /pathto/GeoIPOrg.dat"
+
+
+#-----------------------------------------------------------------------------
+# EXTRA SECTIONS
+#-----------------------------------------------------------------------------
+
+# You can define your own charts, you choose here what are rows and columns
+# keys. This feature is particularly useful for marketing purpose, tracking
+# products orders for example.
+# For this, edit all parameters of Extra section.
Each set of parameter is a
+# different chart. For several charts, duplicate section changing the number.
+# Note: Each Extra section reduces AWStats speed by 8%.
+#
+# WARNING: A wrong setup of Extra section might result in too large arrays
+# that will consume all your memory, making AWStats unusable after several
+# updates, so be sure to setup it correctly.
+# In most cases, you don't need this feature.
+#
+# ExtraSectionNameX is title of your personalized chart.
+# ExtraSectionCodeFilterX is list of codes the record code field must match.
+# Put an empty string for no test on code.
+# ExtraSectionConditionX are conditions you can use to count or not the hit,
+# Use one of the field condition
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and a regex to match, after a coma. Use "||" for "OR".
+# ExtraSectionFirstColumnTitleX is the first column title of the chart.
+# ExtraSectionFirstColumnValuesX is a string to tell AWStats which field to
+# extract value from
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and how to extract the value (using regex syntax). Each different value
+# found will appear in first column of report on a different row. Be sure
+# that list of different possible values will not grow indefinitely.
+# ExtraSectionFirstColumnFormatX is the string used to write value.
+# ExtraSectionStatTypesX are things you want to count. You can use standard
+# code letters (P for pages,H for hits,B for bandwidth,L for last access).
+# ExtraSectionAddAverageRowX add a row at bottom of chart with average values.
+# ExtraSectionAddSumRowX add a row at bottom of chart with sum values.
+# MaxNbOfExtraX is maximum number of rows shown in chart.
+# MinHitExtraX is minimum number of hits required to be shown in chart.
+#
+
+# Example to report the 20 products the most ordered by "order.cgi" script
+#ExtraSectionName1="Product orders"
+#ExtraSectionCodeFilter1="200 304"
+#ExtraSectionCondition1="URL,\/cgi\-bin\/order\.cgi||URL,\/cgi\-bin\/order2\.cgi"
+#ExtraSectionFirstColumnTitle1="Product ID"
+#ExtraSectionFirstColumnValues1="QUERY_STRING,productid=([^&]+)"
+#ExtraSectionFirstColumnFormat1="%s"
+#ExtraSectionStatTypes1=PL
+#ExtraSectionAddAverageRow1=0
+#ExtraSectionAddSumRow1=1
+#MaxNbOfExtra1=20
+#MinHitExtra1=1
+
+
+# There is also a global parameter ExtraTrackedRowsLimit that limits the
+# number of possible rows an ExtraSection can report. This parameter is
+# here to protect too much memory use when you make a bad setup in your
+# ExtraSection. It applies to all ExtraSection independently meaning that
+# none ExtraSection can report more rows than value defined by ExtraTrackedRowsLimit.
+# If you know an ExtraSection will report more rows than its value, you should
+# increase this parameter or AWStats will stop with an error.
+# Example: 2000
+# Default: 500
+#
+ExtraTrackedRowsLimit=500
+
+
+#-----------------------------------------------------------------------------
+# INCLUDES
+#-----------------------------------------------------------------------------
+
+# You can include other config files using the directive with the name of the
+# config file.
+# This is particularly useful for users who have a lot of virtual servers, so
+# a lot of config files and want to maintain common values in only one file.
+# Note that when a variable is defined both in a config file and in an
+# included file, AWStats will use the last value read for parameters that
+# contains one value and AWStats will concat all values from both files for
+# parameters that are lists of values.
+#
+
+#Include ""
diff --git a/awstats/awstats.model.conf b/awstats/awstats.model.conf
new file mode 100644
index 0000000..a3662a8
--- /dev/null
+++ b/awstats/awstats.model.conf
@@ -0,0 +1,1619 @@
+# AWSTATS CONFIGURE FILE 7.3
+#-----------------------------------------------------------------------------
+# Copy this file into awstats.www.mydomain.conf and edit this new config file
+# to setup AWStats (See documentation in docs/ directory).
+# The config file must be in /etc/awstats, /usr/local/etc/awstats or /etc (for
+# Unix/Linux) or same directory as awstats.pl (Windows, Mac, Unix/Linux...)
+# To include an environment variable in any parameter (AWStats will replace
+# it with its value when reading it), follow the example:
+# Parameter="__ENVNAME__"
+# Note that environment variable AWSTATS_CURRENT_CONFIG is always defined with
+# the config value in an AWStats running session and can be used like others.
+#-----------------------------------------------------------------------------
+
+
+
+#-----------------------------------------------------------------------------
+# MAIN SETUP SECTION (Required to make AWStats work)
+#-----------------------------------------------------------------------------
+
+# "LogFile" contains the web, ftp or mail server log file to analyze.
+# Possible values: A full path, or a relative path from awstats.pl directory.
+# Example: "/var/log/apache/access.log"
+# Example: "../logs/mycombinedlog.log"
+# You can also use tags in this filename if you need a dynamic file name
+# depending on date or time (Replacement is made by AWStats at the beginning
+# of its execution).
These are the available tags :
+# %YYYY-n is replaced with 4 digits year we were n hours ago
+# %YY-n is replaced with 2 digits year we were n hours ago
+# %MM-n is replaced with 2 digits month we were n hours ago
+# %MO-n is replaced with 3 letters month we were n hours ago
+# %DD-n is replaced with day we were n hours ago
+# %HH-n is replaced with hour we were n hours ago
+# %NS-n is replaced with number of seconds at 00:00 since 1970
+# %WM-n is replaced with the week number in month (1-5)
+# %Wm-n is replaced with the week number in month (0-4)
+# %WY-n is replaced with the week number in year (01-52)
+# %Wy-n is replaced with the week number in year (00-51)
+# %DW-n is replaced with the day number in week (1-7, 1=sunday)
+# use n=24 if you need (1-7, 1=monday)
+# %Dw-n is replaced with the day number in week (0-6, 0=sunday)
+# use n=24 if you need (0-6, 0=monday)
+# Use 0 for n if you need current year, month, day, hour...
+# Example: "/var/log/access_log.%YYYY-0%MM-0%DD-0.log"
+# Example: "C:/WINNT/system32/LogFiles/W3SVC1/ex%YY-24%MM-24%DD-24.log"
+# You can also use a pipe if log file come from a pipe :
+# Example: "gzip -cd /var/log/apache/access.log.gz |"
+# If there are several log files from load balancing servers :
+# Example: "/pathtotools/logresolvemerge.pl *.log |"
+#
+LogFile="/var/log/httpd/access_log"
+
+
+# Enter the log file type you want to analyze.
+# Possible values:
+# W - For a web log file
+# S - For a streaming log file
+# M - For a mail log file
+# F - For an ftp log file
+# Example: W
+# Default: W
+#
+LogType=W
+
+
+# Enter here your log format (Must match your web server config. See setup
+# instructions in documentation to know how to configure your web server to
+# have the required log format).
+# Possible values: 1,2,3,4 or "your_own_personalized_log_format"
+# 1 - Apache or Lotus Notes/Domino native combined log format (NCSA combined/XLF/ELF log format)
+# 2 - IIS or ISA format (IIS W3C log format). See FAQ-COM115 For ISA.
+# 3 - Webstar native log format.
+# 4 - Apache or Squid native common log format (NCSA common/CLF log format)
+# With LogFormat=4, some features (browsers, os, keywords...) can't work.
+# "your_own_personalized_log_format" = If your log is ftp, mail or other format,
+# you must use following keys to define the log format string (See FAQ for
+# ftp, mail or exotic web log format examples):
+# %host Client hostname or IP address (or Sender host for mail log)
+# %host_r Receiver hostname or IP address (for mail log)
+# %lognamequot Authenticated login/user with format: "john"
+# %logname Authenticated login/user with format: john
+# %time1 Date and time with format: [dd/mon/yyyy:hh:mm:ss +0000] or [dd/mon/yyyy:hh:mm:ss]
+# %time2 Date and time with format: yyyy-mm-dd hh:mm:ss
+# %time3 Date and time with format: Mon dd hh:mm:ss or Mon dd hh:mm:ss yyyy
+# %time4 Date and time with unix timestamp format: dddddddddd
+# %time5 Date and time with format iso: yyyy-mm-ddThh:mm:ss, with optional timezone specification (ignored)
+# %time6 Date and time with format: dd/mm/yyyy, hh:mm:ss
+# %methodurl Method and URL with format: "GET /index.html HTTP/x.x"
+# %methodurlnoprot Method and URL with format: "GET /index.html"
+# %method Method with format: GET
+# %url URL only with format: /index.html
+# %query Query string (used by URLWithQuery option)
+# %code Return code status (with format for web log: 999)
+# %bytesd Size of document in bytes
+# %refererquot Referer page with format: "http://from.com/from.htm"
+# %referer Referer page with format: http://from.com/from.htm
+# %uabracket User agent with format: [Mozilla/4.0 (compatible, ...)]
+# %uaquot User agent with format: "Mozilla/4.0 (compatible, ...)"
+# %ua User agent with format: Mozilla/4.0_(compatible...)
+# %gzipin mod_gzip compression input bytes: In:XXX
+# %gzipout mod_gzip compression output bytes & ratio: Out:YYY:ZZpct.
+# %gzipratio mod_gzip compression ratio: ZZpct.
+# %deflateratio mod_deflate compression ratio with format: (ZZ)
+# %email EMail sender (for mail log)
+# %email_r EMail receiver (for mail log)
+# %virtualname Web sever virtual hostname. Use this tag when same log
+# contains data of several virtual web servers. AWStats
+# will discard records not in SiteDomain nor HostAliases
+# %cluster If log file is provided from several computers (merged by
+# logresolvemerge.pl), use this to define cluster id field.
+# %extraX Another field that you plan to use for building a
+# personalized report with ExtraSection feature (See later).
+# If your log format has some fields not included in this list, use:
+# %other Means another not used field
+# %otherquot Means another not used double quoted field
+# If your log format has some literal strings, which precede data fields, use
+# status=%code Means your log files have HTTP status logged as "status=200"
+# Literal strings that follow data field must be separated from said data fields by space.
+#
+# Examples for Apache combined logs (following two examples are equivalent):
+# LogFormat = 1
+# LogFormat = "%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
+#
+# Example for IIS:
+# LogFormat = 2
+#
+LogFormat=1
+
+
+# If your log field's separator is not a space, you can change this parameter.
+# This parameter is not used if LogFormat is a predefined value (1,2,3,4)
+# Backslash can be used as escape character.
+# Example: " "
+# Example: "\t"
+# Example: "\|"
+# Example: ","
+# Default: " "
+#
+LogSeparator=" "
+
+
+# "SiteDomain" must contain the main domain name, or the main intranet web
+# server name, used to reach the web site.
+# If you share the same log file for several virtual web servers, this
+# parameter is used to tell AWStats to filter record that contains records for
+# this virtual host name only (So check that this virtual hostname can be
+# found in your log file and use a personalized log format that include the
+# %virtualname tag).
+# But for multi hosting a better solution is to have one log file for each
+# virtual web server. In this case, this parameter is only used to generate
+# full URL's links when ShowLinksOnUrl option is set to 1.
+# If analyzing mail log, enter here the domain name of mail server.
+# Example: "myintranetserver"
+# Example: "www.domain.com"
+# Example: "ftp.domain.com"
+# Example: "domain.com"
+#
+SiteDomain="localhost.localdomain"
+
+
+# Enter here all other possible domain names, addresses or virtual host
+# aliases someone can use to access your site. Try to keep only the minimum
+# number of possible names/addresses to have the best performances.
+# You can repeat the "SiteDomain" value in this list.
+# This parameter is used to analyze referer field in log file and to help
+# AWStats to know if a referer URL is a local URL of same site or a URL of
+# another site.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Note: You can also use @/mypath/myfile if list of aliases are in a file.
+# Example: "www.myserver.com localhost 127.0.0.1 REGEX[mydomain\.(net|org)$]"
+#
+HostAliases="localhost 127.0.0.1"
+
+
+# If you want to have hosts reported by name instead of ip address, AWStats
+# needs to make reverse DNS lookups (if not already done in your log file).
+# With DNSLookup to 0, all hosts will be reported by their IP addresses and
+# not by the full hostname of visitors (except if names are already available
+# in log file).
+# If you want/need to set DNSLookup to 1, don't forget that this will
+# dramatically reduce AWStats's update process speed.
Do not use on large web
+# sites.
+# Note: Reverse DNS lookup is done on IPv4 only (Enable ipv6 plugin for IPv6).
+# Note: Result of DNS Lookup can be used to build the Country report. However
+# it is highly recommanded to enable the plugin 'geoip', 'geoipfree', or 'geoip2'
+# to have an accurate Country report with no need for DNS Lookup.
+# Possible values:
+# 0 - No DNS Lookup
+# 1 - DNS Lookup is fully enabled
+# 2 - DNS Lookup is made only from static DNS cache file (if it exists)
+# Default: 2
+#
+DNSLookup=2
+
+
+# For very large sites, setting DNSLookup to 0 (or 2) might be the only
+# reasonable choice. DynamicDNSLookup allows to resolve host names for
+# items shown in html tables only, when data is output on reports instead
+# of resolving once during log analysis step.
+# Possible values:
+# 0 - No dynamic DNS lookup
+# 1 - Dynamic DNS lookup enabled
+# 2 - Dynamic DNS lookup enabled (including static DNS cache file as a second
+# source)
+# Default: 0
+#
+DynamicDNSLookup=0
+
+
+# When AWStats updates its statistics, it stores results of its analysis in
+# files (AWStats database). All those files are written in the directory
+# defined by the "DirData" parameter. Set this value to the directory where
+# you want AWStats to save its database and working files into.
+# Warning: If you want to be able to use the "AllowToUpdateStatsFromBrowser"
+# feature (see later), you need "Write" permissions by web server user on this
+# directory (and "Modify" for Windows NTFS file systems).
+# Example: "/var/lib/awstats"
+# Example: "../data"
+# Example: "C:/awstats_data_dir"
+# Default: "." (means same directory as awstats.pl)
+#
+DirData="/var/lib/awstats"
+
+
+# Relative or absolute web URL of your awstats cgi-bin directory.
+# This parameter is used only when AWStats is run from command line
+# with -output option (to generate links in HTML reported page).
+# Example: "/awstats"
+# Default: "/cgi-bin" (means awstats.pl is in "/yourwwwroot/cgi-bin")
+#
+DirCgi="/awstats"
+
+
+# Relative or absolute web URL of your awstats icon directory.
+# If you build static reports ("... -output > outputpath/output.html"), enter
+# path of icon directory relative to the output directory 'outputpath'.
+# Example: "/awstatsicons"
+# Example: "../icon"
+# Default: "/icon" (means you must copy icon directories in "/mywwwroot/icon")
+#
+DirIcons="/awstatsicons"
+
+
+# When this parameter is set to 1, AWStats adds a button on the report page to
+# allow to "update" statistics from a web browser. Warning, when "update" is
+# made from a browser, AWStats is run as a CGI by the web server user defined
+# in your web server (user "nobody" by default with Apache, "IUSR_XXX" with
+# IIS), so the "DirData" directory and all already existing history files
+# awstatsMMYYYY[.xxx].txt must be writable by this user. Change permissions if
+# necessary to "Read/Write" (and "Modify" for Windows NTFS file systems).
+# Warning: Update process can be long so you might experience "time out"
+# browser errors if you don't launch AWStats frequently enough.
+# When set to 0, update is only made when AWStats is run from the command
+# line interface (or a task scheduler).
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowToUpdateStatsFromBrowser=0
+
+
+# AWStats saves and sorts its database on a monthly basis (except if using
+# databasebreak option from command line).
+# However, if you choose the -month=all from command line or
+# value '-Year-' from CGI combo form to have a report for all year, AWStats
+# needs to reload all data for full year (each month), and sort them,
+# requiring a large amount of time, memory and CPU. This might be a problem
+# for web hosting providers that offer AWStats for large sites, on shared
+# servers, to non CPU cautious customers.
+# For this reason, the 'full year' is only enabled on Command Line by default.
+# You can change this by setting this parameter to 0, 1, 2 or 3.
+# Possible values:
+# 0 - Never allowed
+# 1 - Allowed on CLI only, -Year- value in combo is not visible
+# 2 - Allowed on CLI only, -Year- value in combo is visible but not allowed
+# 3 - Possible on CLI and CGI
+# Default: 2
+#
+AllowFullYearView=2
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL SETUP SECTION (Not required but enhances AWStats's functionality)
+#-----------------------------------------------------------------------------
+
+# When the update process runs, AWStats can set a lock file in TEMP or TMP
+# directory. This lock is to avoid to have 2 update processes running at the
+# same time to prevent unknown conflicts problems and avoid DoS attacks when
+# AllowToUpdateStatsFromBrowser is set to 1.
+# Because, when you use lock file, you can sometimes experience problems if
+# lock file is not correctly removed (killed process for example requires that
+# you remove the file manually), this option is not enabled by default (Do
+# not enable this option with no console server access).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+EnableLockForUpdate=1
+
+
+# AWStats can do reverse DNS lookups through a static DNS cache file that was
+# previously created manually. If no path is given in static DNS cache file
+# name, AWStats will search DirData directory. This file is never changed.
+# This option is not used if DNSLookup=0.
+# Note: DNS cache file format is 'minsince1970 ipaddress resolved_hostname'
+# or just 'ipaddress resolved_hostname'
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscache"
+# Default: "dnscache.txt"
+#
+DNSStaticCacheFile="dnscache.txt"
+
+
+# AWStats can do reverse DNS lookups through a DNS cache file that was created
+# by a previous run of AWStats. This file is erased and recreated after each
+# statistics update process.
You don't need to create and/or edit it.
+# AWStats will read and save this file in DirData directory.
+# This option is used only if DNSLookup=1.
+# Note: If a DNSStaticCacheFile is available, AWStats will check for DNS
+# lookup in DNSLastUpdateCacheFile after checking into DNSStaticCacheFile.
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscachelastupdate"
+# Default: "dnscachelastupdate.txt"
+#
+DNSLastUpdateCacheFile="dnscachelastupdate.txt"
+
+
+# You can specify specific IP addresses that should NOT be looked up in DNS.
+# This option is used only if DNSLookup=1.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "123.123.123.123 REGEX[^192\.168\.]"
+# Default: ""
+#
+SkipDNSLookupFor=""
+
+
+# The following two parameters allow you to protect a config file from being
+# read by AWStats when called from a browser if the web user has not been
+# authenticated. Your AWStats program must be in a web protected "realm" (With
+# Apache, you can use .htaccess files to do so. With other web servers, see
+# your server setup manual).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowAccessFromWebToAuthenticatedUsersOnly=0
+
+
+# This parameter gives the list of all authorized authenticated users to view
+# statistics for this domain/config file. This parameter is used only if
+# AllowAccessFromWebToAuthenticatedUsersOnly is set to 1.
+# Change : Effective immediately
+# Example: "user1 user2"
+# Example: "__REMOTE_USER__"
+# Default: ""
+#
+AllowAccessFromWebToFollowingAuthenticatedUsers=""
+
+
+# When this parameter is defined to something, the IP address of the user that
+# reads its statistics from a browser (when AWStats is used as a CGI) is
+# checked and must match one of the IP address values or ranges.
+# Change : Effective immediately
+# Example: "127.0.0.1 123.123.123.1-123.123.123.255"
+# Default: ""
+#
+AllowAccessFromWebToFollowingIPAddresses=""
+
+
+# If the "DirData" directory (see above) does not exist, AWStats returns an
+# error. However, you can ask AWStats to create it.
+# This option can be used by some Web Hosting Providers that have defined a
+# dynamic value for DirData (for example DirData="/home/__REMOTE_USER__") and
+# don't want to have to create a new directory each time they add a new user.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+CreateDirDataIfNotExists=0
+
+
+# You can choose in which format the AWStats history database is saved.
+# Note: Using "xml" format makes AWStats database files three times larger than
+# using "text" format.
+# Change : Database format is switched after next update
+# Possible values: text or xml
+# Default: text
+#
+BuildHistoryFormat=text
+
+
+# If you prefer having the report output pages be built as XML compliant pages
+# instead of simple HTML pages, you can set this to 'xhtml' (May not work
+# properly with old browsers).
+# Change : Effective immediately
+# Possible values: html or xhtml
+# Default: html
+#
+BuildReportFormat=html
+
+
+# AWStats databases can be updated from command line or from a browser (when
+# used as a cgi program). So AWStats database files need write permission
+# for both command line user and default web server user ('nobody' for Unix,
+# 'IUSR_xxx' for IIS/Windows,...).
+# To avoid permission problems between update process (run by an admin user)
+# and CGI process (ran by a low level user), AWStats can save its database
+# files with read and write permissions for everyone.
+# By default, AWStats keeps default user permissions on updated files. If you
+# set AllowToUpdateStatsFromBrowser to 1, you can change this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+SaveDatabaseFilesWithPermissionsForEveryone=0
+
+
+# AWStats can purge log file, after analyzing it. Note that AWStats is able
+# to detect new lines in a log file, to process only them, so you can launch
+# AWStats as often as you want, even with this parameter to 0.
+# With 0, no purge is made, so you must use a scheduled task or a web server
+# that make this purge frequently.
+# With 1, the purge of the log file is made each time AWStats update is run.
+# This parameter doesn't work with IIS (This web server doesn't let its log
+# file to be purged).
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+PurgeLogFile=0
+
+
+# When PurgeLogFile is set to 1, AWStats will clean your log file after
+# processing it. You can however keep an archive file of all processed log
+# records by setting this parameter (For example if you want to use another
+# log analyzer). The archived log file is saved in "DirData" with name
+# awstats_archive.configname[.suffix].log
+# This parameter is not used if PurgeLogFile=0
+# Change : Effective for new updates only
+# Possible values: 0, 1, or tags (See LogFile parameter) for suffix
+# Example: 1
+# Example: %YYYY%MM%DD
+# Default: 0
+#
+ArchiveLogRecords=0
+
+
+# Each time you run the update process, AWStats overwrites the 'historic file'
+# for the month (awstatsMMYYYY[.*].txt) with the updated one.
+# When write errors occur (IO, disk full,...), this historic file can be
+# corrupted and must be deleted. Because this file contains information of all
+# past processed log files, you will lose old stats if removed. So you can
+# ask AWStats to save last non corrupted file in a .bak file. This file is
+# stored in "DirData" directory with other 'historic files'.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+KeepBackupOfHistoricFiles=0
+
+
+# Default index page name for your web server.
+# Change : Effective for new updates only
+# Example: "index.php index.html default.html"
+# Default: "index.php index.html"
+#
+DefaultFile="index.php index.html"
+
+
+# Do not include access from clients that match following criteria.
+# If your log file contains IP addresses in host field, you must enter here
+# matching IP addresses criteria.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "SkipHosts" is "OnlyHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Example: "localhost REGEX[^.*\.localdomain$]"
+# Default: ""
+#
+SkipHosts="127.0.0.1"
+
+
+# Do not include access from clients with a user agent that match following
+# criteria. If you want to exclude a robot, you should update the robots.pm
+# file instead of this parameter.
+# The opposite parameter of "SkipUserAgents" is "OnlyUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "konqueror REGEX[ua_test_v\d\.\d]"
+# Default: ""
+#
+SkipUserAgents=""
+
+
+# Use SkipFiles to ignore access to URLs that match one of following entries.
+# You can enter a list of not important URLs (like framed menus, hidden pages,
+# etc...) to exclude them from statistics. You must enter here exact relative
+# URL as found in log file, or a matching REGEX value. Check apply on URL with
+# all its query paramaters.
+# For example, to ignore /badpage.php, just add "/badpage.php". To ignore all
+# pages in a particular directory, add "REGEX[^\/directorytoexclude]".
+# The opposite parameter of "SkipFiles" is "OnlyFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "/badpage.php /page.php?param=x REGEX[^\/excludedirectory]"
+# Default: ""
+#
+SkipFiles=""
+
+
+# Use SkipReferrersBlackList if you want to exclude records coming from a SPAM
+# referrer. Parameter must receive a local file name containing rules applied
+# on referrer field. If parameter is empty, no filter is applied.
+# An example of such a file is available in lib/blacklist.txt
+# Change : Effective for new updates only
+# Example: "/mylibpath/blacklist.txt"
+# Default: ""
+#
+# WARNING!! Using this feature make AWStats running very slower (5 times slower
+# with black list file provided with AWStats !
+#
+SkipReferrersBlackList=""
+
+
+# Include in stats, only accesses from hosts that match one of following
+# entries. For example, if you want AWStats to filter access to keep only
+# stats for visits from particular hosts, you can add those host names in
+# this parameter.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "OnlyHosts" is "SkipHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Default: ""
+#
+OnlyHosts=""
+
+
+# Include in stats, only accesses from user agent that match one of following
+# entries.
For example, if you want AWStats to filter access to keep only
+# stats for visits from particular browsers, you can add their user agents
+# string in this parameter.
+# The opposite parameter of "OnlyUserAgents" is "SkipUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "msie"
+# Default: ""
+#
+OnlyUserAgents=""
+
+
+# Include in stats, only accesses from authenticated users that match one of
+# following entries. For example, if you want AWStats to filter access to keep
+# only stats for authenticated users, you can add those users names in
+# this parameter. Useful for statistics for per user ftp logs.
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "john bob REGEX[^testusers]"
+# Default: ""
+#
+OnlyUsers=""
+
+
+# Include in stats, only accesses to URLs that match one of following entries.
+# For example, if you want AWStats to filter access to keep only stats that
+# match a particular string, like a particular directory, you can add this
+# directory name in this parameter.
+# The opposite parameter of "OnlyFiles" is "SkipFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "REGEX[marketing_directory] REGEX[office\/.*\.(csv|sxw)$]"
+# Default: ""
+#
+OnlyFiles=""
+
+
+# Add here a list of kind of url (file extension) that must be counted as
+# "Hit only" and not as a "Hit" and "Page/Download".
You can set here all
+# image extensions as they are hit downloaded that must be counted but they
+# are not viewed pages. URLs with such extensions are not included in the TOP
+# Pages/URL report.
+# Note: If you want to exclude particular URLs from stats (No Pages and no
+# Hits reported), you must use SkipFiles parameter.
+# Change : Effective for new updates only
+# Example: "css js class gif jpg jpeg png bmp ico rss xml swf zip arj rar gz z bz2 wav mp3 wma mpg avi"
+# Example: ""
+# Default: "css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+#
+NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+
+
+# By default, AWStats considers that records found in web log file are
+# successful hits if HTTP code returned by server is a valid HTTP code (200
+# and 304). Any other code are reported in HTTP status chart.
+# Note that HTTP 'control codes', like redirection (302, 305) are not added by
+# default in this list as they are not pages seen by a visitor but are
+# protocol exchange codes to tell the browser to ask another page. Because
+# this other page will be counted and seen with a 200 or 304 code, if you
+# add such codes, you will have 2 pages viewed reported for only one in facts.
+# Change : Effective for new updates only
+# Example: "200 304 302 305"
+# Default: "200 304"
+#
+ValidHTTPCodes="200 304"
+
+
+# By default, AWStats considers that records found in mail log file are
+# successful mail transfers if field that represent return code in analyzed
+# log file match values defined by this parameter.
+# Change : Effective for new updates only
+# Example: "1 250 200"
+# Default: "1 250"
+#
+ValidSMTPCodes="1 250"
+
+
+# By default, AWStats only records info on 404 'Document Not Found' errors.
+# At the cost of additional processing time, further info pages can be made
+# available by adding codes below.
+# Change : Effective for new updates only
+# Example: "403 404"
+# Default: "404"
+#
+TrapInfosForHTTPErrorCodes = "400 403 404"
+
+
+# Some web servers on some Operating systems (IIS-Windows) consider that a
+# login with same value but different case are the same login. To tell AWStats
+# to also consider them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+AuthenticatedUsersNotCaseSensitive=0
+
+
+# Some web servers on some Operating systems (IIS-Windows) considers that two
+# URLs with same value but different case are the same URL. To tell AWStats to
+# also considers them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLNotCaseSensitive=0
+
+
+# Keep or remove the anchor string you can find in some URLs.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLWithAnchor=0
+
+
+# In URL links, "?" char is used to add parameter's list in URLs. Syntax is:
+# /mypage.html?param1=value1¶m2=value2
+# However, some servers/sites use also other chars to isolate dynamic part of
+# their URLs. You can complete this list with all such characters.
+# Change : Effective for new updates only
+# Example: "?;,"
+# Default: "?;"
+#
+URLQuerySeparators="?;"
+
+
+# Keep or remove the query string to the URL in the statistics for individual
+# pages. This is primarily used to differentiate between the URLs of dynamic
+# pages. If set to 1, mypage.html?id=x and mypage.html?id=y are counted as two
+# different pages.
+# Warning, when set to 1, memory required to run AWStats is dramatically
+# increased if you have a lot of changing URLs (for example URLs with a random
+# id inside). Such web sites should not set this option to 1 or use seriously
+# the next parameter URLWithQueryWithOnlyFollowingParameters (or eventually
+# URLWithQueryWithoutFollowingParameters).
+# Change : Effective for new updates only
+# Possible values:
+# 0 - URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLWithQuery=0
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to keep only parameters
+# you need (if you know them) before counting, manipulating and storing URL.
+# Enter here list of wanted parameters. For example, with "param", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithoutFollowingParameters.
+# Change : Effective for new updates only
+# Example: "param"
+# Default: ""
+#
+URLWithQueryWithOnlyFollowingParameters=""
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to remove such parameters
+# from the URL before counting, manipulating and storing URL. Enter here list
+# of all non wanted parameters. For example if you enter "id", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithOnlyFollowingParameters.
+# Change : Effective for new updates only
+# Example: "PHPSESSID jsessionid"
+# Default: ""
+#
+URLWithQueryWithoutFollowingParameters=""
+
+
+# Keep or remove the query string to the referrer URL in the statistics for
+# external referrer pages. This is used to differentiate between the URLs of
+# dynamic referrer pages. If set to 1, mypage.html?id=x and mypage.html?id=y
+# are counted as two different referrer pages.
+# Change : Effective for new updates only
+# Possible values:
+# 0 - Referrer URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLReferrerWithQuery=0
+
+
+# AWStats can detect setup problems or show you important informations to have
+# a better use. Keep this to 1, except if AWStats says you can change it.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 1
+#
+WarningMessages=1
+
+
+# When an error occurs, AWStats outputs a message related to errors. If you
+# want (in most cases for security reasons) to have no error messages, you
+# can set this parameter to your personalized generic message.
+# Change : Effective immediately
+# Example: "An error occurred. Contact your Administrator"
+# Default: ""
+#
+ErrorMessages=""
+
+
+# AWStat can be run with debug=x parameter to output various informations
+# to help in debugging or solving troubles. If you want to allow this (not
+# enabled by default for security reasons), set this parameter to 0.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+DebugMessages=0
+
+
+# To help you to detect if your log format is good, AWStats reports an error
+# if all the first NbOfLinesForCorruptedLog lines have a format that does not
+# match the LogFormat parameter.
+# However, some worm virus attack on your web server can result in a very high
+# number of corrupted lines in your log.
So if you experience awstats stop
+# because of bad virus records at the beginning of your log file, you can
+# increase this parameter (very rare).
+# Change : Effective for new updates only
+# Default: 50
+#
+NbOfLinesForCorruptedLog=50
+
+
+# For some particular integration needs, you may want to have CGI links to
+# point to another script than awstats.pl.
+# Use the name of this script in WrapperScript parameter.
+# Change : Effective immediately
+# Example: "awstatslauncher.pl"
+# Example: "awstatswrapper.cgi?key=123"
+# Default: ""
+#
+WrapperScript=""
+
+
+# DecodeUA must be set to 1 if you use Roxen web server. This server converts
+# all spaces in user agent field into %20. This make the AWStats robots, OS
+# and browsers detection fail in some cases. Just change it to 1 if and only
+# if your web server is Roxen.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+DecodeUA=0
+
+
+# MiscTrackerUrl can be used to make AWStats able to detect some miscellaneous
+# things, that can not be tracked on other way, like:
+# - Javascript disabled
+# - Java enabled
+# - Screen size
+# - Color depth
+# - Macromedia Director plugin
+# - Macromedia Shockwave plugin
+# - Realplayer G2 plugin
+# - QuickTime plugin
+# - Mediaplayer plugin
+# - Acrobat PDF plugin
+# To enable all these features, you must copy the awstats_misc_tracker.js file
+# into a /js/ directory stored in your web document root and add the following
+# HTML code at the end of your index page (but before ) :
+#
+#
+#
+#
+# If code is not added in index page, all those detection capabilities will be
+# disabled. You must also check that ShowScreenSizeStats and ShowMiscStats
+# parameters are set to 1 to make results appear in AWStats report page.
+# If you want to use another directory than /js/, you must also change the
+# awstatsmisctrackerurl variable into the awstats_misc_tracker.js file.
+# Change : Effective for new updates only.
+# Possible value: URL of javascript tracker file added in your HTML code.
+# Default: "/js/awstats_misc_tracker.js"
+#
+MiscTrackerUrl="/js/awstats_misc_tracker.js"
+
+
+# AddLinkToExternalCGIWrapper can be used to add a link to a wrapper script
+# into each title of Dolibarr reports. This can be used to add a wrapper
+# to download data into a CSV file for example.
+#
+# AddLinkToExternalCGIWrapper="/awstats/awdownloadcsv.pl"
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL ACCURACY SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# The following values allow you to define accuracy of AWStats entities
+# (robots, browsers, os, referers, file types) detection.
+# It might be a good idea for large web sites or ISP that provides AWStats to
+# high number of customers, to set this parameter to 1 (or 0), instead of 2.
+# Possible values:
+# 0 = No detection,
+# 1 = Medium/Standard detection
+# 2 = Full detection
+# Change : Effective for new updates only
+# Note : LevelForBrowsersDetection can also accept value "allphones". This
+# enable detailed detection of phone/pda browsers.
+# Default: 2 (0 for LevelForWormsDetection)
+#
+LevelForBrowsersDetection=2 # 0 disables Browsers detection.
+ # 2 reduces AWStats speed by 2%
+ # allphones reduces AWStats speed by 5%
+LevelForOSDetection=2 # 0 disables OS detection.
+ # 2 reduces AWStats speed by 3%
+LevelForRefererAnalyze=2 # 0 disables Origin detection.
+ # 2 reduces AWStats speed by 14%
+LevelForRobotsDetection=2 # 0 disables Robots detection.
+ # 2 reduces AWStats speed by 2.5%
+LevelForSearchEnginesDetection=2 # 0 disables Search engines detection.
+ # 2 reduces AWStats speed by 9%
+LevelForKeywordsDetection=2 # 0 disables Keyphrases/Keywords detection.
+ # 2 reduces AWStats speed by 1%
+LevelForFileTypesDetection=2 # 0 disables File types detection.
+ # 2 reduces AWStats speed by 1%
+LevelForWormsDetection=0 # 0 disables Worms detection.
+ # 2 reduces AWStats speed by 15%
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL APPEARANCE SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# When you use AWStats as a CGI, you can have the reports shown in HTML frames.
+# Frames are only available for report viewed dynamically. When you build
+# pages from command line, this option is not used and no frames are built.
+# Possible values: 0 or 1
+# Default: 1
+#
+UseFramesWhenCGI=1
+
+
+# This parameter asks your browser to open detailed reports into a different
+# window than the main page.
+# Possible values:
+# 0 - Open all in same browser window
+# 1 - Open detailed reports in another window except if using frames
+# 2 - Open always in a different window even if reports are framed
+# Default: 1
+#
+DetailedReportsOnNewWindows=1
+
+
+# You can add, in the HTML report page, a cache lifetime (in seconds) that
+# will be returned to the browser in HTTP header answer by server.
+# This parameter is not used when reports are built with -staticlinks option.
+# Example: 3600
+# Default: 0
+#
+Expires=3600
+
+
+# To avoid too large web pages, you can ask AWStats to limit number of rows of
+# all reported charts to this number when no other limits apply.
+# Default: 10000
+#
+MaxRowsInHTMLOutput=10000
+
+
+# Set your primary language (ISO-639-1 language codes).
+# Possible values:
+# Albanian=al, Bosnian=ba, Bulgarian=bg, Catalan=ca,
+# Chinese (Taiwan)=tw, Chinese (Simpliefied)=cn, Croatian=hr, Czech=cz,
+# Danish=dk, Dutch=nl, English=en, Estonian=et, Euskara=eu, Finnish=fi,
+# French=fr, Galician=gl, German=de, Greek=gr, Hebrew=he, Hungarian=hu,
+# Icelandic=is, Indonesian=id, Italian=it, Japanese=jp, Korean=ko,
+# Latvian=lv, Norwegian (Nynorsk)=nn, Norwegian (Bokmal)=nb, Polish=pl,
+# Portuguese=pt, Portuguese (Brazilian)=br, Romanian=ro, Russian=ru,
+# Serbian=sr, Slovak=sk, Slovenian=si, Spanish=es, Swedish=se, Turkish=tr,
+# Ukrainian=ua, Welsh=cy.
+# First available language accepted by browser=auto
+# Default: "auto"
+#
+Lang="auto"
+
+
+# Set the location of language files.
+# Example: "/usr/share/awstats/lang"
+# Default: "./lang" (means lang directory is in same location than awstats.pl)
+#
+DirLang="./lang"
+
+
+# Show menu header with reports' links
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowMenu=1
+
+
+# You choose here which reports you want to see in the main page and what you
+# want to see in those reports.
+# Possible values:
+# 0 - Report is not shown at all
+# 1 - Report is shown in main page with an entry in menu and default columns
+# XYZ - Report shows column informations defined by code X,Y,Z...
+# X,Y,Z...
are code letters among the following:
+# U = Unique visitors
+# V = Visits
+# P = Number of pages
+# H = Number of hits (or mails)
+# B = Bandwidth (or total mail size for mail logs)
+# L = Last access date
+# E = Entry pages
+# X = Exit pages
+# C = Web compression (mod_gzip,mod_deflate)
+# M = Average mail size (mail logs)
+#
+
+# Show monthly summary
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowSummary=UVPHB
+
+# Show monthly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowMonthStats=UVPHB
+
+# Show days of month chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: VPHB, Possible column codes: VPHB
+ShowDaysOfMonthStats=VPHB
+
+# Show days of week chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowDaysOfWeekStats=PHB
+
+# Show hourly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowHoursStats=PHB
+
+# Show domains/country chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: UVPHB
+ShowDomainsStats=PHB
+
+# Show hosts chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHBL, Possible column codes: PHBL
+ShowHostsStats=PHBL
+
+# Show authenticated users chart
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHBL
+ShowAuthenticatedUsers=0
+
+# Show robots chart
+# Context: Web, Streaming
+# Default: HBL, Possible column codes: HBL
+ShowRobotsStats=HBL
+
+# Show worms chart
+# Context: Web, Streaming
+# Default: 0 (If set to other than 0, see also LevelForWormsDetection), Possible column codes: HBL
+ShowWormsStats=0
+
+# Show email senders chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailSenders=0
+
+# Show email receivers chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailReceivers=0
+
+# Show
session chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowSessionsStats=1
+
+# Show pages-url chart.
+# Context: Web, Streaming, Ftp
+# Default: PBEX, Possible column codes: PBEX
+ShowPagesStats=PBEX
+
+# Show file types chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HBC
+ShowFileTypesStats=HB
+
+# Show file size chart (Not yet available)
+# Context: Web, Streaming, Mail, Ftp
+# Default: 1, Possible column codes: None
+ShowFileSizesStats=0
+
+# Show downloads chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HB
+ShowDownloadsStats=HB
+
+# Show operating systems chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowOSStats=1
+
+# Show browsers chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowBrowsersStats=1
+
+# Show screen size chart
+# Context: Web, Streaming
+# Default: 0 (If set to 1, see also MiscTrackerUrl), Possible column codes: None
+ShowScreenSizeStats=0
+
+# Show origin chart
+# Context: Web, Streaming
+# Default: PH, Possible column codes: PH
+ShowOriginStats=PH
+
+# Show keyphrases chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeyphrasesStats=1
+
+# Show keywords chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeywordsStats=1
+
+# Show misc chart
+# Context: Web, Streaming
+# Default: a (See also MiscTrackerUrl parameter), Possible column codes: anjdfrqwp
+ShowMiscStats=a
+
+# Show http errors chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowHTTPErrorsStats=1
+
+# Show http error page details
+# Context: Web, Streaming
+# Default: R, Possible column codes: RH
+ShowHTTPErrorsPageDetail=R
+
+# Show smtp errors chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: None
+ShowSMTPErrorsStats=0
+
+# Show the cluster report (Your LogFormat must contains the
%cluster tag)
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHB
+ShowClusterStats=0
+
+
+# Some graphical reports are followed by the data array of values.
+# If you don't want this array (to reduce the report size for example), you
+# can set thoose options to 0.
+# Possible values: 0 or 1
+# Default: 1
+#
+# Data array values for the ShowMonthStats report
+AddDataArrayMonthStats=1
+# Data array values for the ShowDaysOfMonthStats report
+AddDataArrayShowDaysOfMonthStats=1
+# Data array values for the ShowDaysOfWeekStats report
+AddDataArrayShowDaysOfWeekStats=1
+# Data array values for the ShowHoursStats report
+AddDataArrayShowHoursStats=1
+
+
+# In the Origin chart, you have stats on where your hits came from. You can
+# include hits on pages that come from pages of same sites in this chart.
+# Possible values: 0 or 1
+# Default: 0
+#
+IncludeInternalLinksInOriginSection=0
+
+
+# The following parameters can be used to choose the maximum number of lines
+# shown for the particular following reports.
+#
+# Stats by countries/domains
+MaxNbOfDomain = 10
+MinHitDomain = 1
+# Stats by hosts
+MaxNbOfHostsShown = 10
+MinHitHost = 1
+# Stats by authenticated users
+MaxNbOfLoginShown = 10
+MinHitLogin = 1
+# Stats by robots
+MaxNbOfRobotShown = 10
+MinHitRobot = 1
+# Stats for Downloads
+MaxNbOfDownloadsShown = 10
+MinHitDownloads = 1
+# Stats by pages
+MaxNbOfPageShown = 10
+MinHitFile = 1
+# Stats by OS
+MaxNbOfOsShown = 10
+MinHitOs = 1
+# Stats by browsers
+MaxNbOfBrowsersShown = 10
+MinHitBrowser = 1
+# Stats by screen size
+MaxNbOfScreenSizesShown = 5
+MinHitScreenSize = 1
+# Stats by window size (following 2 parameters are not yet used)
+MaxNbOfWindowSizesShown = 5
+MinHitWindowSize = 1
+# Stats by referers
+MaxNbOfRefererShown = 10
+MinHitRefer = 1
+# Stats for keyphrases
+MaxNbOfKeyphrasesShown = 10
+MinHitKeyphrase = 1
+# Stats for keywords
+MaxNbOfKeywordsShown = 10
+MinHitKeyword = 1
+# Stats for sender or receiver emails
+MaxNbOfEMailsShown = 20
+MinHitEMail = 1
+
+
+# Choose if you want the week report to start on sunday or monday
+# Possible values:
+# 0 - Week starts on sunday
+# 1 - Week starts on monday
+# Default: 1
+#
+FirstDayOfWeek=1
+
+
+# List of visible flags that link to other language translations.
+# See Lang parameter for list of allowed flag/language codes.
+# If you don't want any flag link, set ShowFlagLinks to "".
+# This parameter is used only if ShowMenu parameter is set to 1.
+# Possible values: "" or "language_codes_separated_by_space"
+# Example: "en es fr nl de"
+# Default: ""
+#
+ShowFlagLinks=""
+
+
+# Each URL, shown in stats report views, are links you can click.
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowLinksOnUrl=1
+
+
+# When AWStats builds HTML links in its report pages, it starts those links
+# with "http://". However some links might be HTTPS links, so you can enter
+# here the root of all your HTTPS links. If all your site is a SSL web site,
+# just enter "/".
+# This parameter is not used if ShowLinksOnUrl is 0.
+# Example: "/shopping"
+# Example: "/"
+# Default: ""
+#
+UseHTTPSLinkForUrl=""
+
+
+# Maximum length of URL part shown on stats page (number of characters).
+# This affects only URL visible text, links still work.
+# Default: 64
+#
+MaxLengthOfShownURL=64
+
+
+# You can enter HTML code that will be added at the top of AWStats reports.
+# Default: ""
+#
+HTMLHeadSection=""
+
+
+# You can enter HTML code that will be added at the end of AWStats reports.
+# Great to add advert ban.
+# Default: ""
+#
+HTMLEndSection=""
+
+
+# By default AWStats page contains meta tag robots=noindex,nofollow
+# If you want to have your statistics to be indexed, set this option to 1.
+# Default: 0
+#
+MetaRobot=0
+
+
+# You can set Logo and LogoLink to use your own logo.
+# Logo must be the name of image file (must be in $DirIcons/other directory).
+# LogoLink is the expected URL when clicking on Logo.
+# Default: "awstats_logo6.png"
+#
+Logo="awstats_logo6.png"
+LogoLink="http://www.awstats.org"
+
+
+# Value of maximum bar width/height for horizontal/vertical HTML graphics bars.
+# Default: 260/90
+#
+BarWidth = 260
+BarHeight = 90
+
+
+# You can ask AWStats to use a particular CSS (Cascading Style Sheet) to
+# change its look. To create a style sheet, you can use samples provided with
+# AWStats in wwwroot/css directory.
+# Example: "/awstatscss/awstats_bw.css"
+# Example: "/css/awstats_bw.css"
+# Default: ""
+#
+StyleSheet=""
+
+
+# Those color parameters can be used (if StyleSheet parameter is not used)
+# to change AWStats look.
+# Example: color_name="RRGGBB" # RRGGBB is Red Green Blue components in Hex
+#
+color_Background="FFFFFF" # Background color for main page (Default = "FFFFFF")
+color_TableBGTitle="CCCCDD" # Background color for table title (Default = "CCCCDD")
+color_TableTitle="000000" # Table title font color (Default = "000000")
+color_TableBG="CCCCDD" # Background color for table (Default = "CCCCDD")
+color_TableRowTitle="FFFFFF" # Table row title font color (Default = "FFFFFF")
+color_TableBGRowTitle="ECECEC" # Background color for row title (Default = "ECECEC")
+color_TableBorder="ECECEC" # Table border color (Default = "ECECEC")
+color_text="000000" # Color of text (Default = "000000")
+color_textpercent="606060" # Color of text for percent values (Default = "606060")
+color_titletext="000000" # Color of text title within colored Title Rows (Default = "000000")
+color_weekend="EAEAEA" # Color for week-end days (Default = "EAEAEA")
+color_link="0011BB" # Color of HTML links (Default = "0011BB")
+color_hover="605040" # Color of HTML on-mouseover links (Default = "605040")
+color_u="FFAA66" # Background color for number of unique visitors (Default = "FFAA66")
+color_v="F4F090" # Background color for number of visites (Default = "F4F090")
+color_p="4477DD" # Background color for number of pages (Default = "4477DD")
+color_h="66DDEE" # Background color for number of hits (Default = "66DDEE")
+color_k="2EA495" # Background color for number of bytes (Default = "2EA495")
+color_s="8888DD" # Background color for number of search (Default = "8888DD")
+color_e="CEC2E8" # Background color for number of entry pages (Default = "CEC2E8")
+color_x="C1B2E2" # Background color for number of exit pages (Default = "C1B2E2")
+
+
+
+#-----------------------------------------------------------------------------
+# PLUGINS
+#-----------------------------------------------------------------------------
+
+# Add here all plugin files you want to load.
+# Plugin files must be .pm files stored in 'plugins' directory.
+# Uncomment LoadPlugin lines to enable a plugin after checking that perl
+# modules required by the plugin are installed.
+
+# PLUGIN: Tooltips
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add tooltips pop-up help boxes to HTML report pages.
+# NOTE: This will increased HTML report pages size, thus server load and bandwidth.
+#
+#LoadPlugin="tooltips"
+
+# PLUGIN: DecodeUTFKeys
+# REQUIRED MODULES: Encode and URI::Escape
+# PARAMETERS: None
+# DESCRIPTION: Allow AWStats to show correctly (in language charset)
+# keywords/keyphrases strings even if they were UTF8 coded by the
+# referer search engine.
+#
+#LoadPlugin="decodeutfkeys"
+
+# PLUGIN: IPv6
+# PARAMETERS: None
+# REQUIRED MODULES: Net::IP and Net::DNS
+# DESCRIPTION: This plugin gives AWStats capability to make reverse DNS
+# lookup on IPv6 addresses.
+#
+#LoadPlugin="ipv6"
+
+# PLUGIN: HashFiles
+# REQUIRED MODULES: Storable
+# PARAMETERS: None
+# DESCRIPTION: AWStats DNS cache files are read/saved as native hash files.
+# This increases DNS cache files loading speed, above all for very large web sites.
+#
+#LoadPlugin="hashfiles"
+
+
+# PLUGIN: UserInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (Firtname, Lastname, Office Department, ...) in
+# authenticated user reports for each login value.
+# A text file called userinfo.myconfig.txt, with two fields (first is login,
+# second is text to show, separated by a tab char) must be created in DirData
+# directory.
+#
+#LoadPlugin="userinfo"
+
+# PLUGIN: HostInfo
+# REQUIRED MODULES: Net::XWhois
+# PARAMETERS: None
+# DESCRIPTION: Add a column into host chart with a link to open a popup window that shows
+# info on host (like whois records).
+#
+#LoadPlugin="hostinfo"
+
+# PLUGIN: ClusterInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (for example a full hostname) in cluster reports for each cluster
+# number.
A text file called clusterinfo.myconfig.txt, with two fields (first is
+# cluster number, second is text to show) separated by a tab char. must be
+# created into DirData directory.
+# Note this plugin is useless if ShowClusterStats is set to 0 or if you don't
+# use a personalized log format that contains %cluster tag.
+#
+#LoadPlugin="clusterinfo"
+
+# PLUGIN: UrlAliases
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (Page title, description...) in URL reports before URL value.
+# A text file called urlalias.myconfig.txt, with two fields (first is URL,
+# second is text to show, separated by a tab char) must be created into
+# DirData directory.
+#
+#LoadPlugin="urlalias"
+
+# PLUGIN: TimeHiRes
+# REQUIRED MODULES: Time::HiRes (if Perl < 5.8)
+# PARAMETERS: None
+# DESCRIPTION: Time reported by -showsteps option is in millisecond. For debug purpose.
+#
+#LoadPlugin="timehires"
+
+# PLUGIN: TimeZone
+# REQUIRED MODULES: Time::Local
+# PARAMETERS: [timezone offset]
+# DESCRIPTION: Allow AWStats to adjust time stamps for a different timezone
+# This plugin reduces AWStats speed of 10% !!!!!!!
+# LoadPlugin="timezone"
+# LoadPlugin="timezone +2"
+# LoadPlugin="timezone CET"
+#
+#LoadPlugin="timezone +2"
+
+# PLUGIN: Rawlog
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: This plugin adds a form in AWStats main page to allow users to see raw
+# content of current log files. A filter is also available.
+#
+#LoadPlugin="rawlog"
+
+# PLUGIN: GraphApplet
+# REQUIRED MODULES: None
+# PARAMETERS: [CSS classes to override]
+# DESCRIPTION: Supported charts are built by a 3D graphic applet.
+#
+#LoadPlugin="graphapplet /awstatsclasses" # EXPERIMENTAL FEATURE
+
+# PLUGIN: GraphGoogleChartAPI
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Replaces the standard charts with free Google API generated images
+# in HTML reports.
If country data is available and more than one country has hits,
+# a map will be generated using Google Visualizations.
+# Note: The machine where reports are displayed must have Internet access for the
+# charts to be generated. The only data sent to Google includes the statistic numbers,
+# legend names and country names.
+# Warning: This plugin is not compatible with option BuildReportFormat=xhtml.
+#
+#LoadPlugin="graphgooglechartapi"
+
+# PLUGIN: GeoIPfree
+# REQUIRED MODULES: Geo::IPfree version 0.2+ (from Graciliano M.P.)
+# PARAMETERS: None
+# DESCRIPTION: Country chart is built from an Internet IP-Country database.
+# This plugin is useless for intranet only log files.
+# Note: You must choose between using this plugin (need Perl Geo::IPfree
+# module, database is free but not up to date) or the GeoIP plugin (need
+# Perl Geo::IP module from Maxmind, database is also free and up to date).
+# Note: Activestate provide a corrupted version of Geo::IPfree 0.2 Perl
+# module, so install it from elsewhere (from www.cpan.org for example).
+# This plugin reduces AWStats speed by up to 10% !
+#
+#LoadPlugin="geoipfree"
+
+# MAXMIND GEO IP MODULES: Please see documentation for notes on all Maxmind modules
+
+# PLUGIN: GeoIP
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoip.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"
+
+# PLUGIN: GeoIP2
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-Country.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name. This uses the new schema of GeoIP2 replacing
+# the now expired Legacy schema.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_country /pathto/GeoLite2-Country.mmdb"
+
+# PLUGIN: GeoIP6
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind, version >= 1.40)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoipv6.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# works with IPv4 and also IPv6 addresses
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip6 GEOIP_STANDARD /pathto/GeoIPv6.dat"
+
+# PLUGIN: GeoIP_City_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPCity.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /pathto/GeoIPCity.dat"
+
+# PLUGIN: GeoIP2_City
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-City.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_city /pathto/GeoLite2-City.mmdb"
+
+# PLUGIN: GeoIP_ASN_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPASN.dat[+/pathto/override.txt][+http://linktoASlookup]]
+# DESCRIPTION: This plugin adds a chart of AS numbers where the host IP address is registered.
+# This plugin can display some ISP information if included in the database. You can also provide
+# a link that will be used to lookup additional registration data.
Put the link at the end of
+# the parameter string and the report page will include the link with the full AS number at the end.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_asn_maxmind GEOIP_STANDARD /usr/local/geoip.dat+http://enc.com.au/itools/autnum.php?asn="
+
+# PLUGIN: GeoIP_Region_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPRegion.dat[+/pathto/override.txt]]
+# DESCRIPTION:This plugin adds a chart of hits by regions. Only regions for US and
+# Canada can be detected.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_region_maxmind GEOIP_STANDARD /pathto/GeoIPRegion.dat"
+
+# PLUGIN: GeoIP_ISP_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPISP.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a chart of hits by ISP.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_isp_maxmind GEOIP_STANDARD /pathto/GeoIPISP.dat"
+
+# PLUGIN: GeoIP_Org_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPOrg.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin add a chart of hits by Organization name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_org_maxmind GEOIP_STANDARD /pathto/GeoIPOrg.dat"
+
+
+#-----------------------------------------------------------------------------
+# EXTRA SECTIONS
+#-----------------------------------------------------------------------------
+
+# You can define your own charts, you choose here what are rows and columns
+# keys. This feature is particularly useful for marketing purpose, tracking
+# products orders for example.
+# For this, edit all parameters of Extra section.
Each set of parameter is a
+# different chart. For several charts, duplicate section changing the number.
+# Note: Each Extra section reduces AWStats speed by 8%.
+#
+# WARNING: A wrong setup of Extra section might result in too large arrays
+# that will consume all your memory, making AWStats unusable after several
+# updates, so be sure to setup it correctly.
+# In most cases, you don't need this feature.
+#
+# ExtraSectionNameX is title of your personalized chart.
+# ExtraSectionCodeFilterX is list of codes the record code field must match.
+# Put an empty string for no test on code.
+# ExtraSectionConditionX are conditions you can use to count or not the hit,
+# Use one of the field condition
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and a regex to match, after a coma. Use "||" for "OR".
+# ExtraSectionFirstColumnTitleX is the first column title of the chart.
+# ExtraSectionFirstColumnValuesX is a string to tell AWStats which field to
+# extract value from
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and how to extract the value (using regex syntax). Each different value
+# found will appear in first column of report on a different row. Be sure
+# that list of different possible values will not grow indefinitely.
+# ExtraSectionFirstColumnFormatX is the string used to write value.
+# ExtraSectionStatTypesX are things you want to count. You can use standard
+# code letters (P for pages,H for hits,B for bandwidth,L for last access).
+# ExtraSectionAddAverageRowX add a row at bottom of chart with average values.
+# ExtraSectionAddSumRowX add a row at bottom of chart with sum values.
+# MaxNbOfExtraX is maximum number of rows shown in chart.
+# MinHitExtraX is minimum number of hits required to be shown in chart.
+#
+
+# Example to report the 20 products the most ordered by "order.cgi" script
+#ExtraSectionName1="Product orders"
+#ExtraSectionCodeFilter1="200 304"
+#ExtraSectionCondition1="URL,\/cgi\-bin\/order\.cgi||URL,\/cgi\-bin\/order2\.cgi"
+#ExtraSectionFirstColumnTitle1="Product ID"
+#ExtraSectionFirstColumnValues1="QUERY_STRING,productid=([^&]+)"
+#ExtraSectionFirstColumnFormat1="%s"
+#ExtraSectionStatTypes1=PL
+#ExtraSectionAddAverageRow1=0
+#ExtraSectionAddSumRow1=1
+#MaxNbOfExtra1=20
+#MinHitExtra1=1
+
+
+# There is also a global parameter ExtraTrackedRowsLimit that limits the
+# number of possible rows an ExtraSection can report. This parameter is
+# here to protect too much memory use when you make a bad setup in your
+# ExtraSection. It applies to all ExtraSection independently meaning that
+# none ExtraSection can report more rows than value defined by ExtraTrackedRowsLimit.
+# If you know an ExtraSection will report more rows than its value, you should
+# increase this parameter or AWStats will stop with an error.
+# Example: 2000
+# Default: 500
+#
+ExtraTrackedRowsLimit=500
+
+
+#-----------------------------------------------------------------------------
+# INCLUDES
+#-----------------------------------------------------------------------------
+
+# You can include other config files using the directive with the name of the
+# config file.
+# This is particularly useful for users who have a lot of virtual servers, so
+# a lot of config files and want to maintain common values in only one file.
+# Note that when a variable is defined both in a config file and in an
+# included file, AWStats will use the last value read for parameters that
+# contains one value and AWStats will concat all values from both files for
+# parameters that are lists of values.
+#
+
+#Include ""
diff --git a/awstats/awstats.zira.898.ro.conf b/awstats/awstats.zira.898.ro.conf
new file mode 100644
index 0000000..697295b
--- /dev/null
+++ b/awstats/awstats.zira.898.ro.conf
@@ -0,0 +1,1619 @@
+# AWSTATS CONFIGURE FILE 7.3
+#-----------------------------------------------------------------------------
+# Copy this file into awstats.www.mydomain.conf and edit this new config file
+# to setup AWStats (See documentation in docs/ directory).
+# The config file must be in /etc/awstats, /usr/local/etc/awstats or /etc (for
+# Unix/Linux) or same directory as awstats.pl (Windows, Mac, Unix/Linux...)
+# To include an environment variable in any parameter (AWStats will replace
+# it with its value when reading it), follow the example:
+# Parameter="__ENVNAME__"
+# Note that environment variable AWSTATS_CURRENT_CONFIG is always defined with
+# the config value in an AWStats running session and can be used like others.
+#-----------------------------------------------------------------------------
+
+
+
+#-----------------------------------------------------------------------------
+# MAIN SETUP SECTION (Required to make AWStats work)
+#-----------------------------------------------------------------------------
+
+# "LogFile" contains the web, ftp or mail server log file to analyze.
+# Possible values: A full path, or a relative path from awstats.pl directory.
+# Example: "/var/log/apache/access.log"
+# Example: "../logs/mycombinedlog.log"
+# You can also use tags in this filename if you need a dynamic file name
+# depending on date or time (Replacement is made by AWStats at the beginning
+# of its execution).
These are the available tags :
+# %YYYY-n is replaced with 4 digits year we were n hours ago
+# %YY-n is replaced with 2 digits year we were n hours ago
+# %MM-n is replaced with 2 digits month we were n hours ago
+# %MO-n is replaced with 3 letters month we were n hours ago
+# %DD-n is replaced with day we were n hours ago
+# %HH-n is replaced with hour we were n hours ago
+# %NS-n is replaced with number of seconds at 00:00 since 1970
+# %WM-n is replaced with the week number in month (1-5)
+# %Wm-n is replaced with the week number in month (0-4)
+# %WY-n is replaced with the week number in year (01-52)
+# %Wy-n is replaced with the week number in year (00-51)
+# %DW-n is replaced with the day number in week (1-7, 1=sunday)
+# use n=24 if you need (1-7, 1=monday)
+# %Dw-n is replaced with the day number in week (0-6, 0=sunday)
+# use n=24 if you need (0-6, 0=monday)
+# Use 0 for n if you need current year, month, day, hour...
+# Example: "/var/log/access_log.%YYYY-0%MM-0%DD-0.log"
+# Example: "C:/WINNT/system32/LogFiles/W3SVC1/ex%YY-24%MM-24%DD-24.log"
+# You can also use a pipe if log file come from a pipe :
+# Example: "gzip -cd /var/log/apache/access.log.gz |"
+# If there are several log files from load balancing servers :
+# Example: "/pathtotools/logresolvemerge.pl *.log |"
+#
+LogFile="/var/log/httpd/access_log"
+
+
+# Enter the log file type you want to analyze.
+# Possible values:
+# W - For a web log file
+# S - For a streaming log file
+# M - For a mail log file
+# F - For an ftp log file
+# Example: W
+# Default: W
+#
+LogType=W
+
+
+# Enter here your log format (Must match your web server config. See setup
+# instructions in documentation to know how to configure your web server to
+# have the required log format).
+# Possible values: 1,2,3,4 or "your_own_personalized_log_format"
+# 1 - Apache or Lotus Notes/Domino native combined log format (NCSA combined/XLF/ELF log format)
+# 2 - IIS or ISA format (IIS W3C log format). See FAQ-COM115 For ISA.
+# 3 - Webstar native log format.
+# 4 - Apache or Squid native common log format (NCSA common/CLF log format)
+# With LogFormat=4, some features (browsers, os, keywords...) can't work.
+# "your_own_personalized_log_format" = If your log is ftp, mail or other format,
+# you must use following keys to define the log format string (See FAQ for
+# ftp, mail or exotic web log format examples):
+# %host Client hostname or IP address (or Sender host for mail log)
+# %host_r Receiver hostname or IP address (for mail log)
+# %lognamequot Authenticated login/user with format: "john"
+# %logname Authenticated login/user with format: john
+# %time1 Date and time with format: [dd/mon/yyyy:hh:mm:ss +0000] or [dd/mon/yyyy:hh:mm:ss]
+# %time2 Date and time with format: yyyy-mm-dd hh:mm:ss
+# %time3 Date and time with format: Mon dd hh:mm:ss or Mon dd hh:mm:ss yyyy
+# %time4 Date and time with unix timestamp format: dddddddddd
+# %time5 Date and time with format iso: yyyy-mm-ddThh:mm:ss, with optional timezone specification (ignored)
+# %time6 Date and time with format: dd/mm/yyyy, hh:mm:ss
+# %methodurl Method and URL with format: "GET /index.html HTTP/x.x"
+# %methodurlnoprot Method and URL with format: "GET /index.html"
+# %method Method with format: GET
+# %url URL only with format: /index.html
+# %query Query string (used by URLWithQuery option)
+# %code Return code status (with format for web log: 999)
+# %bytesd Size of document in bytes
+# %refererquot Referer page with format: "http://from.com/from.htm"
+# %referer Referer page with format: http://from.com/from.htm
+# %uabracket User agent with format: [Mozilla/4.0 (compatible, ...)]
+# %uaquot User agent with format: "Mozilla/4.0 (compatible, ...)"
+# %ua User agent with format: Mozilla/4.0_(compatible...)
+# %gzipin mod_gzip compression input bytes: In:XXX
+# %gzipout mod_gzip compression output bytes & ratio: Out:YYY:ZZpct.
+# %gzipratio mod_gzip compression ratio: ZZpct.
+# %deflateratio mod_deflate compression ratio with format: (ZZ)
+# %email EMail sender (for mail log)
+# %email_r EMail receiver (for mail log)
+# %virtualname Web sever virtual hostname. Use this tag when same log
+# contains data of several virtual web servers. AWStats
+# will discard records not in SiteDomain nor HostAliases
+# %cluster If log file is provided from several computers (merged by
+# logresolvemerge.pl), use this to define cluster id field.
+# %extraX Another field that you plan to use for building a
+# personalized report with ExtraSection feature (See later).
+# If your log format has some fields not included in this list, use:
+# %other Means another not used field
+# %otherquot Means another not used double quoted field
+# If your log format has some literal strings, which precede data fields, use
+# status=%code Means your log files have HTTP status logged as "status=200"
+# Literal strings that follow data field must be separated from said data fields by space.
+#
+# Examples for Apache combined logs (following two examples are equivalent):
+# LogFormat = 1
+# LogFormat = "%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
+#
+# Example for IIS:
+# LogFormat = 2
+#
+LogFormat=1
+
+
+# If your log field's separator is not a space, you can change this parameter.
+# This parameter is not used if LogFormat is a predefined value (1,2,3,4)
+# Backslash can be used as escape character.
+# Example: " "
+# Example: "\t"
+# Example: "\|"
+# Example: ","
+# Default: " "
+#
+LogSeparator=" "
+
+
+# "SiteDomain" must contain the main domain name, or the main intranet web
+# server name, used to reach the web site.
+# If you share the same log file for several virtual web servers, this
+# parameter is used to tell AWStats to filter record that contains records for
+# this virtual host name only (So check that this virtual hostname can be
+# found in your log file and use a personalized log format that include the
+# %virtualname tag).
+# But for multi hosting a better solution is to have one log file for each
+# virtual web server. In this case, this parameter is only used to generate
+# full URL's links when ShowLinksOnUrl option is set to 1.
+# If analyzing mail log, enter here the domain name of mail server.
+# Example: "myintranetserver"
+# Example: "www.domain.com"
+# Example: "ftp.domain.com"
+# Example: "domain.com"
+#
+SiteDomain="zira.898.ro"
+
+
+# Enter here all other possible domain names, addresses or virtual host
+# aliases someone can use to access your site. Try to keep only the minimum
+# number of possible names/addresses to have the best performances.
+# You can repeat the "SiteDomain" value in this list.
+# This parameter is used to analyze referer field in log file and to help
+# AWStats to know if a referer URL is a local URL of same site or a URL of
+# another site.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Note: You can also use @/mypath/myfile if list of aliases are in a file.
+# Example: "www.myserver.com localhost 127.0.0.1 REGEX[mydomain\.(net|org)$]"
+#
+HostAliases="REGEX[^.*zira\.898\.ro$]"
+
+
+# If you want to have hosts reported by name instead of ip address, AWStats
+# needs to make reverse DNS lookups (if not already done in your log file).
+# With DNSLookup to 0, all hosts will be reported by their IP addresses and
+# not by the full hostname of visitors (except if names are already available
+# in log file).
+# If you want/need to set DNSLookup to 1, don't forget that this will
+# dramatically reduce AWStats's update process speed.
Do not use on large web
+# sites.
+# Note: Reverse DNS lookup is done on IPv4 only (Enable ipv6 plugin for IPv6).
+# Note: Result of DNS Lookup can be used to build the Country report. However
+# it is highly recommanded to enable the plugin 'geoip', 'geoipfree', or 'geoip2'
+# to have an accurate Country report with no need for DNS Lookup.
+# Possible values:
+# 0 - No DNS Lookup
+# 1 - DNS Lookup is fully enabled
+# 2 - DNS Lookup is made only from static DNS cache file (if it exists)
+# Default: 2
+#
+DNSLookup=2
+
+
+# For very large sites, setting DNSLookup to 0 (or 2) might be the only
+# reasonable choice. DynamicDNSLookup allows to resolve host names for
+# items shown in html tables only, when data is output on reports instead
+# of resolving once during log analysis step.
+# Possible values:
+# 0 - No dynamic DNS lookup
+# 1 - Dynamic DNS lookup enabled
+# 2 - Dynamic DNS lookup enabled (including static DNS cache file as a second
+# source)
+# Default: 0
+#
+DynamicDNSLookup=0
+
+
+# When AWStats updates its statistics, it stores results of its analysis in
+# files (AWStats database). All those files are written in the directory
+# defined by the "DirData" parameter. Set this value to the directory where
+# you want AWStats to save its database and working files into.
+# Warning: If you want to be able to use the "AllowToUpdateStatsFromBrowser"
+# feature (see later), you need "Write" permissions by web server user on this
+# directory (and "Modify" for Windows NTFS file systems).
+# Example: "/var/lib/awstats"
+# Example: "../data"
+# Example: "C:/awstats_data_dir"
+# Default: "." (means same directory as awstats.pl)
+#
+DirData="/var/lib/awstats"
+
+
+# Relative or absolute web URL of your awstats cgi-bin directory.
+# This parameter is used only when AWStats is run from command line
+# with -output option (to generate links in HTML reported page).
+# Example: "/awstats"
+# Default: "/cgi-bin" (means awstats.pl is in "/yourwwwroot/cgi-bin")
+#
+DirCgi="/awstats"
+
+
+# Relative or absolute web URL of your awstats icon directory.
+# If you build static reports ("... -output > outputpath/output.html"), enter
+# path of icon directory relative to the output directory 'outputpath'.
+# Example: "/awstatsicons"
+# Example: "../icon"
+# Default: "/icon" (means you must copy icon directories in "/mywwwroot/icon")
+#
+DirIcons="/awstatsicons"
+
+
+# When this parameter is set to 1, AWStats adds a button on the report page to
+# allow to "update" statistics from a web browser. Warning, when "update" is
+# made from a browser, AWStats is run as a CGI by the web server user defined
+# in your web server (user "nobody" by default with Apache, "IUSR_XXX" with
+# IIS), so the "DirData" directory and all already existing history files
+# awstatsMMYYYY[.xxx].txt must be writable by this user. Change permissions if
+# necessary to "Read/Write" (and "Modify" for Windows NTFS file systems).
+# Warning: Update process can be long so you might experience "time out"
+# browser errors if you don't launch AWStats frequently enough.
+# When set to 0, update is only made when AWStats is run from the command
+# line interface (or a task scheduler).
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowToUpdateStatsFromBrowser=0
+
+
+# AWStats saves and sorts its database on a monthly basis (except if using
+# databasebreak option from command line).
+# However, if you choose the -month=all from command line or
+# value '-Year-' from CGI combo form to have a report for all year, AWStats
+# needs to reload all data for full year (each month), and sort them,
+# requiring a large amount of time, memory and CPU. This might be a problem
+# for web hosting providers that offer AWStats for large sites, on shared
+# servers, to non CPU cautious customers.
+# For this reason, the 'full year' is only enabled on Command Line by default.
+# You can change this by setting this parameter to 0, 1, 2 or 3.
+# Possible values:
+# 0 - Never allowed
+# 1 - Allowed on CLI only, -Year- value in combo is not visible
+# 2 - Allowed on CLI only, -Year- value in combo is visible but not allowed
+# 3 - Possible on CLI and CGI
+# Default: 2
+#
+AllowFullYearView=2
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL SETUP SECTION (Not required but enhances AWStats's functionality)
+#-----------------------------------------------------------------------------
+
+# When the update process runs, AWStats can set a lock file in TEMP or TMP
+# directory. This lock is to avoid to have 2 update processes running at the
+# same time to prevent unknown conflicts problems and avoid DoS attacks when
+# AllowToUpdateStatsFromBrowser is set to 1.
+# Because, when you use lock file, you can sometimes experience problems if
+# lock file is not correctly removed (killed process for example requires that
+# you remove the file manually), this option is not enabled by default (Do
+# not enable this option with no console server access).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+EnableLockForUpdate=1
+
+
+# AWStats can do reverse DNS lookups through a static DNS cache file that was
+# previously created manually. If no path is given in static DNS cache file
+# name, AWStats will search DirData directory. This file is never changed.
+# This option is not used if DNSLookup=0.
+# Note: DNS cache file format is 'minsince1970 ipaddress resolved_hostname'
+# or just 'ipaddress resolved_hostname'
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscache"
+# Default: "dnscache.txt"
+#
+DNSStaticCacheFile="dnscache.txt"
+
+
+# AWStats can do reverse DNS lookups through a DNS cache file that was created
+# by a previous run of AWStats. This file is erased and recreated after each
+# statistics update process.
You don't need to create and/or edit it.
+# AWStats will read and save this file in DirData directory.
+# This option is used only if DNSLookup=1.
+# Note: If a DNSStaticCacheFile is available, AWStats will check for DNS
+# lookup in DNSLastUpdateCacheFile after checking into DNSStaticCacheFile.
+# Change : Effective for new updates only
+# Example: "/mydnscachedir/dnscachelastupdate"
+# Default: "dnscachelastupdate.txt"
+#
+DNSLastUpdateCacheFile="dnscachelastupdate.txt"
+
+
+# You can specify specific IP addresses that should NOT be looked up in DNS.
+# This option is used only if DNSLookup=1.
+# Note: Use space between each value.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "123.123.123.123 REGEX[^192\.168\.]"
+# Default: ""
+#
+SkipDNSLookupFor=""
+
+
+# The following two parameters allow you to protect a config file from being
+# read by AWStats when called from a browser if the web user has not been
+# authenticated. Your AWStats program must be in a web protected "realm" (With
+# Apache, you can use .htaccess files to do so. With other web servers, see
+# your server setup manual).
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+AllowAccessFromWebToAuthenticatedUsersOnly=0
+
+
+# This parameter gives the list of all authorized authenticated users to view
+# statistics for this domain/config file. This parameter is used only if
+# AllowAccessFromWebToAuthenticatedUsersOnly is set to 1.
+# Change : Effective immediately
+# Example: "user1 user2"
+# Example: "__REMOTE_USER__"
+# Default: ""
+#
+AllowAccessFromWebToFollowingAuthenticatedUsers=""
+
+
+# When this parameter is defined to something, the IP address of the user that
+# reads its statistics from a browser (when AWStats is used as a CGI) is
+# checked and must match one of the IP address values or ranges.
+# Change : Effective immediately
+# Example: "127.0.0.1 123.123.123.1-123.123.123.255"
+# Default: ""
+#
+AllowAccessFromWebToFollowingIPAddresses=""
+
+
+# If the "DirData" directory (see above) does not exist, AWStats returns an
+# error. However, you can ask AWStats to create it.
+# This option can be used by some Web Hosting Providers that have defined a
+# dynamic value for DirData (for example DirData="/home/__REMOTE_USER__") and
+# don't want to have to create a new directory each time they add a new user.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+CreateDirDataIfNotExists=0
+
+
+# You can choose in which format the AWStats history database is saved.
+# Note: Using "xml" format makes AWStats database files three times larger than
+# using "text" format.
+# Change : Database format is switched after next update
+# Possible values: text or xml
+# Default: text
+#
+BuildHistoryFormat=text
+
+
+# If you prefer having the report output pages be built as XML compliant pages
+# instead of simple HTML pages, you can set this to 'xhtml' (May not work
+# properly with old browsers).
+# Change : Effective immediately
+# Possible values: html or xhtml
+# Default: html
+#
+BuildReportFormat=html
+
+
+# AWStats databases can be updated from command line or from a browser (when
+# used as a cgi program). So AWStats database files need write permission
+# for both command line user and default web server user ('nobody' for Unix,
+# 'IUSR_xxx' for IIS/Windows,...).
+# To avoid permission problems between update process (run by an admin user)
+# and CGI process (ran by a low level user), AWStats can save its database
+# files with read and write permissions for everyone.
+# By default, AWStats keeps default user permissions on updated files. If you
+# set AllowToUpdateStatsFromBrowser to 1, you can change this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+SaveDatabaseFilesWithPermissionsForEveryone=0
+
+
+# AWStats can purge log file, after analyzing it. Note that AWStats is able
+# to detect new lines in a log file, to process only them, so you can launch
+# AWStats as often as you want, even with this parameter to 0.
+# With 0, no purge is made, so you must use a scheduled task or a web server
+# that make this purge frequently.
+# With 1, the purge of the log file is made each time AWStats update is run.
+# This parameter doesn't work with IIS (This web server doesn't let its log
+# file to be purged).
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+PurgeLogFile=0
+
+
+# When PurgeLogFile is set to 1, AWStats will clean your log file after
+# processing it. You can however keep an archive file of all processed log
+# records by setting this parameter (For example if you want to use another
+# log analyzer). The archived log file is saved in "DirData" with name
+# awstats_archive.configname[.suffix].log
+# This parameter is not used if PurgeLogFile=0
+# Change : Effective for new updates only
+# Possible values: 0, 1, or tags (See LogFile parameter) for suffix
+# Example: 1
+# Example: %YYYY%MM%DD
+# Default: 0
+#
+ArchiveLogRecords=0
+
+
+# Each time you run the update process, AWStats overwrites the 'historic file'
+# for the month (awstatsMMYYYY[.*].txt) with the updated one.
+# When write errors occur (IO, disk full,...), this historic file can be
+# corrupted and must be deleted. Because this file contains information of all
+# past processed log files, you will lose old stats if removed. So you can
+# ask AWStats to save last non corrupted file in a .bak file. This file is
+# stored in "DirData" directory with other 'historic files'.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+KeepBackupOfHistoricFiles=0
+
+
+# Default index page name for your web server.
+# Change : Effective for new updates only
+# Example: "index.php index.html default.html"
+# Default: "index.php index.html"
+#
+DefaultFile="index.php index.html"
+
+
+# Do not include access from clients that match following criteria.
+# If your log file contains IP addresses in host field, you must enter here
+# matching IP addresses criteria.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "SkipHosts" is "OnlyHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Example: "localhost REGEX[^.*\.localdomain$]"
+# Default: ""
+#
+SkipHosts="127.0.0.1"
+
+
+# Do not include access from clients with a user agent that match following
+# criteria. If you want to exclude a robot, you should update the robots.pm
+# file instead of this parameter.
+# The opposite parameter of "SkipUserAgents" is "OnlyUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "konqueror REGEX[ua_test_v\d\.\d]"
+# Default: ""
+#
+SkipUserAgents=""
+
+
+# Use SkipFiles to ignore access to URLs that match one of following entries.
+# You can enter a list of not important URLs (like framed menus, hidden pages,
+# etc...) to exclude them from statistics. You must enter here exact relative
+# URL as found in log file, or a matching REGEX value. Check apply on URL with
+# all its query paramaters.
+# For example, to ignore /badpage.php, just add "/badpage.php". To ignore all
+# pages in a particular directory, add "REGEX[^\/directorytoexclude]".
+# The opposite parameter of "SkipFiles" is "OnlyFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "/badpage.php /page.php?param=x REGEX[^\/excludedirectory]"
+# Default: ""
+#
+SkipFiles=""
+
+
+# Use SkipReferrersBlackList if you want to exclude records coming from a SPAM
+# referrer. Parameter must receive a local file name containing rules applied
+# on referrer field. If parameter is empty, no filter is applied.
+# An example of such a file is available in lib/blacklist.txt
+# Change : Effective for new updates only
+# Example: "/mylibpath/blacklist.txt"
+# Default: ""
+#
+# WARNING!! Using this feature make AWStats running very slower (5 times slower
+# with black list file provided with AWStats !
+#
+SkipReferrersBlackList=""
+
+
+# Include in stats, only accesses from hosts that match one of following
+# entries. For example, if you want AWStats to filter access to keep only
+# stats for visits from particular hosts, you can add those host names in
+# this parameter.
+# If DNS lookup is already done in your log file, you must enter here hostname
+# criteria, else enter ip address criteria.
+# The opposite parameter of "OnlyHosts" is "SkipHosts".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "127.0.0.1 REGEX[^192\.168\.] REGEX[^10\.]"
+# Default: ""
+#
+OnlyHosts=""
+
+
+# Include in stats, only accesses from user agent that match one of following
+# entries.
For example, if you want AWStats to filter access to keep only
+# stats for visits from particular browsers, you can add their user agents
+# string in this parameter.
+# The opposite parameter of "OnlyUserAgents" is "SkipUserAgents".
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "msie"
+# Default: ""
+#
+OnlyUserAgents=""
+
+
+# Include in stats, only accesses from authenticated users that match one of
+# following entries. For example, if you want AWStats to filter access to keep
+# only stats for authenticated users, you can add those users names in
+# this parameter. Useful for statistics for per user ftp logs.
+# Note: Use space between each value. This parameter is not case sensitive.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "john bob REGEX[^testusers]"
+# Default: ""
+#
+OnlyUsers=""
+
+
+# Include in stats, only accesses to URLs that match one of following entries.
+# For example, if you want AWStats to filter access to keep only stats that
+# match a particular string, like a particular directory, you can add this
+# directory name in this parameter.
+# The opposite parameter of "OnlyFiles" is "SkipFiles".
+# Note: Use space between each value. This parameter is or not case sensitive
+# depending on URLNotCaseSensitive parameter.
+# Note: You can use regular expression values writing value with REGEX[value].
+# Change : Effective for new updates only
+# Example: "REGEX[marketing_directory] REGEX[office\/.*\.(csv|sxw)$]"
+# Default: ""
+#
+OnlyFiles=""
+
+
+# Add here a list of kind of url (file extension) that must be counted as
+# "Hit only" and not as a "Hit" and "Page/Download".
You can set here all
+# image extensions as they are hit downloaded that must be counted but they
+# are not viewed pages. URLs with such extensions are not included in the TOP
+# Pages/URL report.
+# Note: If you want to exclude particular URLs from stats (No Pages and no
+# Hits reported), you must use SkipFiles parameter.
+# Change : Effective for new updates only
+# Example: "css js class gif jpg jpeg png bmp ico rss xml swf zip arj rar gz z bz2 wav mp3 wma mpg avi"
+# Example: ""
+# Default: "css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+#
+NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf eot woff woff2"
+
+
+# By default, AWStats considers that records found in web log file are
+# successful hits if HTTP code returned by server is a valid HTTP code (200
+# and 304). Any other code are reported in HTTP status chart.
+# Note that HTTP 'control codes', like redirection (302, 305) are not added by
+# default in this list as they are not pages seen by a visitor but are
+# protocol exchange codes to tell the browser to ask another page. Because
+# this other page will be counted and seen with a 200 or 304 code, if you
+# add such codes, you will have 2 pages viewed reported for only one in facts.
+# Change : Effective for new updates only
+# Example: "200 304 302 305"
+# Default: "200 304"
+#
+ValidHTTPCodes="200 304"
+
+
+# By default, AWStats considers that records found in mail log file are
+# successful mail transfers if field that represent return code in analyzed
+# log file match values defined by this parameter.
+# Change : Effective for new updates only
+# Example: "1 250 200"
+# Default: "1 250"
+#
+ValidSMTPCodes="1 250"
+
+
+# By default, AWStats only records info on 404 'Document Not Found' errors.
+# At the cost of additional processing time, further info pages can be made
+# available by adding codes below.
+# Change : Effective for new updates only
+# Example: "403 404"
+# Default: "404"
+#
+TrapInfosForHTTPErrorCodes = "400 403 404"
+
+
+# Some web servers on some Operating systems (IIS-Windows) consider that a
+# login with same value but different case are the same login. To tell AWStats
+# to also consider them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+AuthenticatedUsersNotCaseSensitive=0
+
+
+# Some web servers on some Operating systems (IIS-Windows) considers that two
+# URLs with same value but different case are the same URL. To tell AWStats to
+# also considers them as one, set this parameter to 1.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLNotCaseSensitive=0
+
+
+# Keep or remove the anchor string you can find in some URLs.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+URLWithAnchor=0
+
+
+# In URL links, "?" char is used to add parameter's list in URLs. Syntax is:
+# /mypage.html?param1=value1¶m2=value2
+# However, some servers/sites use also other chars to isolate dynamic part of
+# their URLs. You can complete this list with all such characters.
+# Change : Effective for new updates only
+# Example: "?;,"
+# Default: "?;"
+#
+URLQuerySeparators="?;"
+
+
+# Keep or remove the query string to the URL in the statistics for individual
+# pages. This is primarily used to differentiate between the URLs of dynamic
+# pages. If set to 1, mypage.html?id=x and mypage.html?id=y are counted as two
+# different pages.
+# Warning, when set to 1, memory required to run AWStats is dramatically
+# increased if you have a lot of changing URLs (for example URLs with a random
+# id inside). Such web sites should not set this option to 1 or use seriously
+# the next parameter URLWithQueryWithOnlyFollowingParameters (or eventually
+# URLWithQueryWithoutFollowingParameters).
+# Change : Effective for new updates only
+# Possible values:
+# 0 - URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLWithQuery=0
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to keep only parameters
+# you need (if you know them) before counting, manipulating and storing URL.
+# Enter here list of wanted parameters. For example, with "param", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithoutFollowingParameters.
+# Change : Effective for new updates only
+# Example: "param"
+# Default: ""
+#
+URLWithQueryWithOnlyFollowingParameters=""
+
+
+# When URLWithQuery is on, you will get the full URL with all parameters in
+# URL reports. But among thoose parameters, sometimes you don't need a
+# particular parameter because it does not identify the page or because it's
+# a random ID changing for each access even if URL points to same page. In
+# such cases, it is higly recommanded to ask AWStats to remove such parameters
+# from the URL before counting, manipulating and storing URL. Enter here list
+# of all non wanted parameters. For example if you enter "id", one hit on
+# /mypage.cgi?param=abc&id=Yo4UomP9d and /mypage.cgi?param=abc&id=Mu8fdxl3r
+# will be reported as 2 hits on /mypage.cgi?param=abc
+# This parameter is not used when URLWithQuery is 0 and can't be used with
+# URLWithQueryWithOnlyFollowingParameters.
+# Change : Effective for new updates only
+# Example: "PHPSESSID jsessionid"
+# Default: ""
+#
+URLWithQueryWithoutFollowingParameters=""
+
+
+# Keep or remove the query string to the referrer URL in the statistics for
+# external referrer pages. This is used to differentiate between the URLs of
+# dynamic referrer pages. If set to 1, mypage.html?id=x and mypage.html?id=y
+# are counted as two different referrer pages.
+# Change : Effective for new updates only
+# Possible values:
+# 0 - Referrer URLs are cleaned from the query string (ie: "/mypage.html")
+# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
+# Default: 0
+#
+URLReferrerWithQuery=0
+
+
+# AWStats can detect setup problems or show you important informations to have
+# a better use. Keep this to 1, except if AWStats says you can change it.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 1
+#
+WarningMessages=1
+
+
+# When an error occurs, AWStats outputs a message related to errors. If you
+# want (in most cases for security reasons) to have no error messages, you
+# can set this parameter to your personalized generic message.
+# Change : Effective immediately
+# Example: "An error occurred. Contact your Administrator"
+# Default: ""
+#
+ErrorMessages=""
+
+
+# AWStat can be run with debug=x parameter to output various informations
+# to help in debugging or solving troubles. If you want to allow this (not
+# enabled by default for security reasons), set this parameter to 0.
+# Change : Effective immediately
+# Possible values: 0 or 1
+# Default: 0
+#
+DebugMessages=0
+
+
+# To help you to detect if your log format is good, AWStats reports an error
+# if all the first NbOfLinesForCorruptedLog lines have a format that does not
+# match the LogFormat parameter.
+# However, some worm virus attack on your web server can result in a very high
+# number of corrupted lines in your log.
So if you experience awstats stop
+# because of bad virus records at the beginning of your log file, you can
+# increase this parameter (very rare).
+# Change : Effective for new updates only
+# Default: 50
+#
+NbOfLinesForCorruptedLog=50
+
+
+# For some particular integration needs, you may want to have CGI links to
+# point to another script than awstats.pl.
+# Use the name of this script in WrapperScript parameter.
+# Change : Effective immediately
+# Example: "awstatslauncher.pl"
+# Example: "awstatswrapper.cgi?key=123"
+# Default: ""
+#
+WrapperScript=""
+
+
+# DecodeUA must be set to 1 if you use Roxen web server. This server converts
+# all spaces in user agent field into %20. This make the AWStats robots, OS
+# and browsers detection fail in some cases. Just change it to 1 if and only
+# if your web server is Roxen.
+# Change : Effective for new updates only
+# Possible values: 0 or 1
+# Default: 0
+#
+DecodeUA=0
+
+
+# MiscTrackerUrl can be used to make AWStats able to detect some miscellaneous
+# things, that can not be tracked on other way, like:
+# - Javascript disabled
+# - Java enabled
+# - Screen size
+# - Color depth
+# - Macromedia Director plugin
+# - Macromedia Shockwave plugin
+# - Realplayer G2 plugin
+# - QuickTime plugin
+# - Mediaplayer plugin
+# - Acrobat PDF plugin
+# To enable all these features, you must copy the awstats_misc_tracker.js file
+# into a /js/ directory stored in your web document root and add the following
+# HTML code at the end of your index page (but before ) :
+#
+#
+#
+#
+# If code is not added in index page, all those detection capabilities will be
+# disabled. You must also check that ShowScreenSizeStats and ShowMiscStats
+# parameters are set to 1 to make results appear in AWStats report page.
+# If you want to use another directory than /js/, you must also change the
+# awstatsmisctrackerurl variable into the awstats_misc_tracker.js file.
+# Change : Effective for new updates only.
+# Possible value: URL of javascript tracker file added in your HTML code.
+# Default: "/js/awstats_misc_tracker.js"
+#
+MiscTrackerUrl="/js/awstats_misc_tracker.js"
+
+
+# AddLinkToExternalCGIWrapper can be used to add a link to a wrapper script
+# into each title of Dolibarr reports. This can be used to add a wrapper
+# to download data into a CSV file for example.
+#
+# AddLinkToExternalCGIWrapper="/awstats/awdownloadcsv.pl"
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL ACCURACY SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# The following values allow you to define accuracy of AWStats entities
+# (robots, browsers, os, referers, file types) detection.
+# It might be a good idea for large web sites or ISP that provides AWStats to
+# high number of customers, to set this parameter to 1 (or 0), instead of 2.
+# Possible values:
+# 0 = No detection,
+# 1 = Medium/Standard detection
+# 2 = Full detection
+# Change : Effective for new updates only
+# Note : LevelForBrowsersDetection can also accept value "allphones". This
+# enable detailed detection of phone/pda browsers.
+# Default: 2 (0 for LevelForWormsDetection)
+#
+LevelForBrowsersDetection=2 # 0 disables Browsers detection.
+ # 2 reduces AWStats speed by 2%
+ # allphones reduces AWStats speed by 5%
+LevelForOSDetection=2 # 0 disables OS detection.
+ # 2 reduces AWStats speed by 3%
+LevelForRefererAnalyze=2 # 0 disables Origin detection.
+ # 2 reduces AWStats speed by 14%
+LevelForRobotsDetection=2 # 0 disables Robots detection.
+ # 2 reduces AWStats speed by 2.5%
+LevelForSearchEnginesDetection=2 # 0 disables Search engines detection.
+ # 2 reduces AWStats speed by 9%
+LevelForKeywordsDetection=2 # 0 disables Keyphrases/Keywords detection.
+ # 2 reduces AWStats speed by 1%
+LevelForFileTypesDetection=2 # 0 disables File types detection.
+ # 2 reduces AWStats speed by 1%
+LevelForWormsDetection=0 # 0 disables Worms detection.
+ # 2 reduces AWStats speed by 15%
+
+
+
+#-----------------------------------------------------------------------------
+# OPTIONAL APPEARANCE SETUP SECTION (Not required but increase AWStats features)
+#-----------------------------------------------------------------------------
+
+# When you use AWStats as a CGI, you can have the reports shown in HTML frames.
+# Frames are only available for report viewed dynamically. When you build
+# pages from command line, this option is not used and no frames are built.
+# Possible values: 0 or 1
+# Default: 1
+#
+UseFramesWhenCGI=1
+
+
+# This parameter asks your browser to open detailed reports into a different
+# window than the main page.
+# Possible values:
+# 0 - Open all in same browser window
+# 1 - Open detailed reports in another window except if using frames
+# 2 - Open always in a different window even if reports are framed
+# Default: 1
+#
+DetailedReportsOnNewWindows=1
+
+
+# You can add, in the HTML report page, a cache lifetime (in seconds) that
+# will be returned to the browser in HTTP header answer by server.
+# This parameter is not used when reports are built with -staticlinks option.
+# Example: 3600
+# Default: 0
+#
+Expires=3600
+
+
+# To avoid too large web pages, you can ask AWStats to limit number of rows of
+# all reported charts to this number when no other limits apply.
+# Default: 10000
+#
+MaxRowsInHTMLOutput=10000
+
+
+# Set your primary language (ISO-639-1 language codes).
+# Possible values:
+# Albanian=al, Bosnian=ba, Bulgarian=bg, Catalan=ca,
+# Chinese (Taiwan)=tw, Chinese (Simpliefied)=cn, Croatian=hr, Czech=cz,
+# Danish=dk, Dutch=nl, English=en, Estonian=et, Euskara=eu, Finnish=fi,
+# French=fr, Galician=gl, German=de, Greek=gr, Hebrew=he, Hungarian=hu,
+# Icelandic=is, Indonesian=id, Italian=it, Japanese=jp, Korean=ko,
+# Latvian=lv, Norwegian (Nynorsk)=nn, Norwegian (Bokmal)=nb, Polish=pl,
+# Portuguese=pt, Portuguese (Brazilian)=br, Romanian=ro, Russian=ru,
+# Serbian=sr, Slovak=sk, Slovenian=si, Spanish=es, Swedish=se, Turkish=tr,
+# Ukrainian=ua, Welsh=cy.
+# First available language accepted by browser=auto
+# Default: "auto"
+#
+Lang="auto"
+
+
+# Set the location of language files.
+# Example: "/usr/share/awstats/lang"
+# Default: "./lang" (means lang directory is in same location than awstats.pl)
+#
+DirLang="./lang"
+
+
+# Show menu header with reports' links
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowMenu=1
+
+
+# You choose here which reports you want to see in the main page and what you
+# want to see in those reports.
+# Possible values:
+# 0 - Report is not shown at all
+# 1 - Report is shown in main page with an entry in menu and default columns
+# XYZ - Report shows column informations defined by code X,Y,Z...
+# X,Y,Z...
are code letters among the following:
+# U = Unique visitors
+# V = Visits
+# P = Number of pages
+# H = Number of hits (or mails)
+# B = Bandwidth (or total mail size for mail logs)
+# L = Last access date
+# E = Entry pages
+# X = Exit pages
+# C = Web compression (mod_gzip,mod_deflate)
+# M = Average mail size (mail logs)
+#
+
+# Show monthly summary
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowSummary=UVPHB
+
+# Show monthly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: UVPHB, Possible column codes: UVPHB
+ShowMonthStats=UVPHB
+
+# Show days of month chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: VPHB, Possible column codes: VPHB
+ShowDaysOfMonthStats=VPHB
+
+# Show days of week chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowDaysOfWeekStats=PHB
+
+# Show hourly chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: PHB
+ShowHoursStats=PHB
+
+# Show domains/country chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHB, Possible column codes: UVPHB
+ShowDomainsStats=PHB
+
+# Show hosts chart
+# Context: Web, Streaming, Mail, Ftp
+# Default: PHBL, Possible column codes: PHBL
+ShowHostsStats=PHBL
+
+# Show authenticated users chart
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHBL
+ShowAuthenticatedUsers=0
+
+# Show robots chart
+# Context: Web, Streaming
+# Default: HBL, Possible column codes: HBL
+ShowRobotsStats=HBL
+
+# Show worms chart
+# Context: Web, Streaming
+# Default: 0 (If set to other than 0, see also LevelForWormsDetection), Possible column codes: HBL
+ShowWormsStats=0
+
+# Show email senders chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailSenders=0
+
+# Show email receivers chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: HBML
+ShowEMailReceivers=0
+
+# Show
session chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowSessionsStats=1
+
+# Show pages-url chart.
+# Context: Web, Streaming, Ftp
+# Default: PBEX, Possible column codes: PBEX
+ShowPagesStats=PBEX
+
+# Show file types chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HBC
+ShowFileTypesStats=HB
+
+# Show file size chart (Not yet available)
+# Context: Web, Streaming, Mail, Ftp
+# Default: 1, Possible column codes: None
+ShowFileSizesStats=0
+
+# Show downloads chart.
+# Context: Web, Streaming, Ftp
+# Default: HB, Possible column codes: HB
+ShowDownloadsStats=HB
+
+# Show operating systems chart
+# Context: Web, Streaming, Ftp
+# Default: 1, Possible column codes: None
+ShowOSStats=1
+
+# Show browsers chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowBrowsersStats=1
+
+# Show screen size chart
+# Context: Web, Streaming
+# Default: 0 (If set to 1, see also MiscTrackerUrl), Possible column codes: None
+ShowScreenSizeStats=0
+
+# Show origin chart
+# Context: Web, Streaming
+# Default: PH, Possible column codes: PH
+ShowOriginStats=PH
+
+# Show keyphrases chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeyphrasesStats=1
+
+# Show keywords chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowKeywordsStats=1
+
+# Show misc chart
+# Context: Web, Streaming
+# Default: a (See also MiscTrackerUrl parameter), Possible column codes: anjdfrqwp
+ShowMiscStats=a
+
+# Show http errors chart
+# Context: Web, Streaming
+# Default: 1, Possible column codes: None
+ShowHTTPErrorsStats=1
+
+# Show http error page details
+# Context: Web, Streaming
+# Default: R, Possible column codes: RH
+ShowHTTPErrorsPageDetail=R
+
+# Show smtp errors chart (For use when analyzing mail log files)
+# Context: Mail
+# Default: 0, Possible column codes: None
+ShowSMTPErrorsStats=0
+
+# Show the cluster report (Your LogFormat must contains the
%cluster tag)
+# Context: Web, Streaming, Ftp
+# Default: 0, Possible column codes: PHB
+ShowClusterStats=0
+
+
+# Some graphical reports are followed by the data array of values.
+# If you don't want this array (to reduce the report size for example), you
+# can set thoose options to 0.
+# Possible values: 0 or 1
+# Default: 1
+#
+# Data array values for the ShowMonthStats report
+AddDataArrayMonthStats=1
+# Data array values for the ShowDaysOfMonthStats report
+AddDataArrayShowDaysOfMonthStats=1
+# Data array values for the ShowDaysOfWeekStats report
+AddDataArrayShowDaysOfWeekStats=1
+# Data array values for the ShowHoursStats report
+AddDataArrayShowHoursStats=1
+
+
+# In the Origin chart, you have stats on where your hits came from. You can
+# include hits on pages that come from pages of same sites in this chart.
+# Possible values: 0 or 1
+# Default: 0
+#
+IncludeInternalLinksInOriginSection=0
+
+
+# The following parameters can be used to choose the maximum number of lines
+# shown for the particular following reports.
+#
+# Stats by countries/domains
+MaxNbOfDomain = 10
+MinHitDomain = 1
+# Stats by hosts
+MaxNbOfHostsShown = 10
+MinHitHost = 1
+# Stats by authenticated users
+MaxNbOfLoginShown = 10
+MinHitLogin = 1
+# Stats by robots
+MaxNbOfRobotShown = 10
+MinHitRobot = 1
+# Stats for Downloads
+MaxNbOfDownloadsShown = 10
+MinHitDownloads = 1
+# Stats by pages
+MaxNbOfPageShown = 10
+MinHitFile = 1
+# Stats by OS
+MaxNbOfOsShown = 10
+MinHitOs = 1
+# Stats by browsers
+MaxNbOfBrowsersShown = 10
+MinHitBrowser = 1
+# Stats by screen size
+MaxNbOfScreenSizesShown = 5
+MinHitScreenSize = 1
+# Stats by window size (following 2 parameters are not yet used)
+MaxNbOfWindowSizesShown = 5
+MinHitWindowSize = 1
+# Stats by referers
+MaxNbOfRefererShown = 10
+MinHitRefer = 1
+# Stats for keyphrases
+MaxNbOfKeyphrasesShown = 10
+MinHitKeyphrase = 1
+# Stats for keywords
+MaxNbOfKeywordsShown = 10
+MinHitKeyword = 1
+# Stats for sender or receiver emails
+MaxNbOfEMailsShown = 20
+MinHitEMail = 1
+
+
+# Choose if you want the week report to start on sunday or monday
+# Possible values:
+# 0 - Week starts on sunday
+# 1 - Week starts on monday
+# Default: 1
+#
+FirstDayOfWeek=1
+
+
+# List of visible flags that link to other language translations.
+# See Lang parameter for list of allowed flag/language codes.
+# If you don't want any flag link, set ShowFlagLinks to "".
+# This parameter is used only if ShowMenu parameter is set to 1.
+# Possible values: "" or "language_codes_separated_by_space"
+# Example: "en es fr nl de"
+# Default: ""
+#
+ShowFlagLinks=""
+
+
+# Each URL, shown in stats report views, are links you can click.
+# Possible values: 0 or 1
+# Default: 1
+#
+ShowLinksOnUrl=1
+
+
+# When AWStats builds HTML links in its report pages, it starts those links
+# with "http://". However some links might be HTTPS links, so you can enter
+# here the root of all your HTTPS links. If all your site is a SSL web site,
+# just enter "/".
+# This parameter is not used if ShowLinksOnUrl is 0.
+# Example: "/shopping"
+# Example: "/"
+# Default: ""
+#
+UseHTTPSLinkForUrl=""
+
+
+# Maximum length of URL part shown on stats page (number of characters).
+# This affects only URL visible text, links still work.
+# Default: 64
+#
+MaxLengthOfShownURL=64
+
+
+# You can enter HTML code that will be added at the top of AWStats reports.
+# Default: ""
+#
+HTMLHeadSection=""
+
+
+# You can enter HTML code that will be added at the end of AWStats reports.
+# Great to add advert ban.
+# Default: ""
+#
+HTMLEndSection=""
+
+
+# By default AWStats page contains meta tag robots=noindex,nofollow
+# If you want to have your statistics to be indexed, set this option to 1.
+# Default: 0
+#
+MetaRobot=0
+
+
+# You can set Logo and LogoLink to use your own logo.
+# Logo must be the name of image file (must be in $DirIcons/other directory).
+# LogoLink is the expected URL when clicking on Logo.
+# Default: "awstats_logo6.png"
+#
+Logo="awstats_logo6.png"
+LogoLink="http://www.awstats.org"
+
+
+# Value of maximum bar width/height for horizontal/vertical HTML graphics bars.
+# Default: 260/90
+#
+BarWidth = 260
+BarHeight = 90
+
+
+# You can ask AWStats to use a particular CSS (Cascading Style Sheet) to
+# change its look. To create a style sheet, you can use samples provided with
+# AWStats in wwwroot/css directory.
+# Example: "/awstatscss/awstats_bw.css"
+# Example: "/css/awstats_bw.css"
+# Default: ""
+#
+StyleSheet=""
+
+
+# Those color parameters can be used (if StyleSheet parameter is not used)
+# to change AWStats look.
+# Example: color_name="RRGGBB" # RRGGBB is Red Green Blue components in Hex
+#
+color_Background="FFFFFF" # Background color for main page (Default = "FFFFFF")
+color_TableBGTitle="CCCCDD" # Background color for table title (Default = "CCCCDD")
+color_TableTitle="000000" # Table title font color (Default = "000000")
+color_TableBG="CCCCDD" # Background color for table (Default = "CCCCDD")
+color_TableRowTitle="FFFFFF" # Table row title font color (Default = "FFFFFF")
+color_TableBGRowTitle="ECECEC" # Background color for row title (Default = "ECECEC")
+color_TableBorder="ECECEC" # Table border color (Default = "ECECEC")
+color_text="000000" # Color of text (Default = "000000")
+color_textpercent="606060" # Color of text for percent values (Default = "606060")
+color_titletext="000000" # Color of text title within colored Title Rows (Default = "000000")
+color_weekend="EAEAEA" # Color for week-end days (Default = "EAEAEA")
+color_link="0011BB" # Color of HTML links (Default = "0011BB")
+color_hover="605040" # Color of HTML on-mouseover links (Default = "605040")
+color_u="FFAA66" # Background color for number of unique visitors (Default = "FFAA66")
+color_v="F4F090" # Background color for number of visites (Default = "F4F090")
+color_p="4477DD" # Background color for number of pages (Default = "4477DD")
+color_h="66DDEE" # Background color for number of hits (Default = "66DDEE")
+color_k="2EA495" # Background color for number of bytes (Default = "2EA495")
+color_s="8888DD" # Background color for number of search (Default = "8888DD")
+color_e="CEC2E8" # Background color for number of entry pages (Default = "CEC2E8")
+color_x="C1B2E2" # Background color for number of exit pages (Default = "C1B2E2")
+
+
+
+#-----------------------------------------------------------------------------
+# PLUGINS
+#-----------------------------------------------------------------------------
+
+# Add here all plugin files you want to load.
+# Plugin files must be .pm files stored in 'plugins' directory.
+# Uncomment LoadPlugin lines to enable a plugin after checking that perl
+# modules required by the plugin are installed.
+
+# PLUGIN: Tooltips
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add tooltips pop-up help boxes to HTML report pages.
+# NOTE: This will increased HTML report pages size, thus server load and bandwidth.
+#
+#LoadPlugin="tooltips"
+
+# PLUGIN: DecodeUTFKeys
+# REQUIRED MODULES: Encode and URI::Escape
+# PARAMETERS: None
+# DESCRIPTION: Allow AWStats to show correctly (in language charset)
+# keywords/keyphrases strings even if they were UTF8 coded by the
+# referer search engine.
+#
+#LoadPlugin="decodeutfkeys"
+
+# PLUGIN: IPv6
+# PARAMETERS: None
+# REQUIRED MODULES: Net::IP and Net::DNS
+# DESCRIPTION: This plugin gives AWStats capability to make reverse DNS
+# lookup on IPv6 addresses.
+#
+#LoadPlugin="ipv6"
+
+# PLUGIN: HashFiles
+# REQUIRED MODULES: Storable
+# PARAMETERS: None
+# DESCRIPTION: AWStats DNS cache files are read/saved as native hash files.
+# This increases DNS cache files loading speed, above all for very large web sites.
+#
+#LoadPlugin="hashfiles"
+
+
+# PLUGIN: UserInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (Firtname, Lastname, Office Department, ...) in
+# authenticated user reports for each login value.
+# A text file called userinfo.myconfig.txt, with two fields (first is login,
+# second is text to show, separated by a tab char) must be created in DirData
+# directory.
+#
+#LoadPlugin="userinfo"
+
+# PLUGIN: HostInfo
+# REQUIRED MODULES: Net::XWhois
+# PARAMETERS: None
+# DESCRIPTION: Add a column into host chart with a link to open a popup window that shows
+# info on host (like whois records).
+#
+#LoadPlugin="hostinfo"
+
+# PLUGIN: ClusterInfo
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (for example a full hostname) in cluster reports for each cluster
+# number.
A text file called clusterinfo.myconfig.txt, with two fields (first is
+# cluster number, second is text to show) separated by a tab char. must be
+# created into DirData directory.
+# Note this plugin is useless if ShowClusterStats is set to 0 or if you don't
+# use a personalized log format that contains %cluster tag.
+#
+#LoadPlugin="clusterinfo"
+
+# PLUGIN: UrlAliases
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Add a text (Page title, description...) in URL reports before URL value.
+# A text file called urlalias.myconfig.txt, with two fields (first is URL,
+# second is text to show, separated by a tab char) must be created into
+# DirData directory.
+#
+#LoadPlugin="urlalias"
+
+# PLUGIN: TimeHiRes
+# REQUIRED MODULES: Time::HiRes (if Perl < 5.8)
+# PARAMETERS: None
+# DESCRIPTION: Time reported by -showsteps option is in millisecond. For debug purpose.
+#
+#LoadPlugin="timehires"
+
+# PLUGIN: TimeZone
+# REQUIRED MODULES: Time::Local
+# PARAMETERS: [timezone offset]
+# DESCRIPTION: Allow AWStats to adjust time stamps for a different timezone
+# This plugin reduces AWStats speed of 10% !!!!!!!
+# LoadPlugin="timezone"
+# LoadPlugin="timezone +2"
+# LoadPlugin="timezone CET"
+#
+#LoadPlugin="timezone +2"
+
+# PLUGIN: Rawlog
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: This plugin adds a form in AWStats main page to allow users to see raw
+# content of current log files. A filter is also available.
+#
+#LoadPlugin="rawlog"
+
+# PLUGIN: GraphApplet
+# REQUIRED MODULES: None
+# PARAMETERS: [CSS classes to override]
+# DESCRIPTION: Supported charts are built by a 3D graphic applet.
+#
+#LoadPlugin="graphapplet /awstatsclasses" # EXPERIMENTAL FEATURE
+
+# PLUGIN: GraphGoogleChartAPI
+# REQUIRED MODULES: None
+# PARAMETERS: None
+# DESCRIPTION: Replaces the standard charts with free Google API generated images
+# in HTML reports.
If country data is available and more than one country has hits,
+# a map will be generated using Google Visualizations.
+# Note: The machine where reports are displayed must have Internet access for the
+# charts to be generated. The only data sent to Google includes the statistic numbers,
+# legend names and country names.
+# Warning: This plugin is not compatible with option BuildReportFormat=xhtml.
+#
+#LoadPlugin="graphgooglechartapi"
+
+# PLUGIN: GeoIPfree
+# REQUIRED MODULES: Geo::IPfree version 0.2+ (from Graciliano M.P.)
+# PARAMETERS: None
+# DESCRIPTION: Country chart is built from an Internet IP-Country database.
+# This plugin is useless for intranet only log files.
+# Note: You must choose between using this plugin (need Perl Geo::IPfree
+# module, database is free but not up to date) or the GeoIP plugin (need
+# Perl Geo::IP module from Maxmind, database is also free and up to date).
+# Note: Activestate provide a corrupted version of Geo::IPfree 0.2 Perl
+# module, so install it from elsewhere (from www.cpan.org for example).
+# This plugin reduces AWStats speed by up to 10% !
+#
+#LoadPlugin="geoipfree"
+
+# MAXMIND GEO IP MODULES: Please see documentation for notes on all Maxmind modules
+
+# PLUGIN: GeoIP
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoip.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"
+
+# PLUGIN: GeoIP2
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-Country.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name. This uses the new schema of GeoIP2 replacing
+# the now expired Legacy schema.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_country /pathto/GeoLite2-Country.mmdb"
+
+# PLUGIN: GeoIP6
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind, version >= 1.40)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/geoipv6.dat[+/pathto/override.txt]]
+# DESCRIPTION: Builds a country chart and adds an entry to the hosts
+# table with country name
+# works with IPv4 and also IPv6 addresses
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip6 GEOIP_STANDARD /pathto/GeoIPv6.dat"
+
+# PLUGIN: GeoIP_City_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPCity.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /pathto/GeoIPCity.dat"
+
+# PLUGIN: GeoIP2_City
+# REQUIRED MODULES: GeoIP2::Database::Reader (from Maxmind)
+# PARAMETERS: [/pathto/GeoLite2-City.mmdb[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a column under the hosts field and tracks the pageviews
+# and hits by city including regions.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip2_city /pathto/GeoLite2-City.mmdb"
+
+# PLUGIN: GeoIP_ASN_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPASN.dat[+/pathto/override.txt][+http://linktoASlookup]]
+# DESCRIPTION: This plugin adds a chart of AS numbers where the host IP address is registered.
+# This plugin can display some ISP information if included in the database. You can also provide
+# a link that will be used to lookup additional registration data.
Put the link at the end of
+# the parameter string and the report page will include the link with the full AS number at the end.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_asn_maxmind GEOIP_STANDARD /usr/local/geoip.dat+http://enc.com.au/itools/autnum.php?asn="
+
+# PLUGIN: GeoIP_Region_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPRegion.dat[+/pathto/override.txt]]
+# DESCRIPTION:This plugin adds a chart of hits by regions. Only regions for US and
+# Canada can be detected.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_region_maxmind GEOIP_STANDARD /pathto/GeoIPRegion.dat"
+
+# PLUGIN: GeoIP_ISP_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPISP.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin adds a chart of hits by ISP.
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_isp_maxmind GEOIP_STANDARD /pathto/GeoIPISP.dat"
+
+# PLUGIN: GeoIP_Org_Maxmind
+# REQUIRED MODULES: Geo::IP or Geo::IP::PurePerl (from Maxmind)
+# PARAMETERS: [GEOIP_STANDARD | GEOIP_MEMORY_CACHE] [/pathto/GeoIPOrg.dat[+/pathto/override.txt]]
+# DESCRIPTION: This plugin add a chart of hits by Organization name
+# Replace spaces in the path of geoip data file with string "%20".
+#
+#LoadPlugin="geoip_org_maxmind GEOIP_STANDARD /pathto/GeoIPOrg.dat"
+
+
+#-----------------------------------------------------------------------------
+# EXTRA SECTIONS
+#-----------------------------------------------------------------------------
+
+# You can define your own charts, you choose here what are rows and columns
+# keys. This feature is particularly useful for marketing purpose, tracking
+# products orders for example.
+# For this, edit all parameters of Extra section.
Each set of parameter is a
+# different chart. For several charts, duplicate section changing the number.
+# Note: Each Extra section reduces AWStats speed by 8%.
+#
+# WARNING: A wrong setup of Extra section might result in too large arrays
+# that will consume all your memory, making AWStats unusable after several
+# updates, so be sure to setup it correctly.
+# In most cases, you don't need this feature.
+#
+# ExtraSectionNameX is title of your personalized chart.
+# ExtraSectionCodeFilterX is list of codes the record code field must match.
+# Put an empty string for no test on code.
+# ExtraSectionConditionX are conditions you can use to count or not the hit,
+# Use one of the field condition
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and a regex to match, after a coma. Use "||" for "OR".
+# ExtraSectionFirstColumnTitleX is the first column title of the chart.
+# ExtraSectionFirstColumnValuesX is a string to tell AWStats which field to
+# extract value from
+# (URL,URLWITHQUERY,QUERY_STRING,REFERER,UA,HOSTINLOG,HOST,VHOST,extraX)
+# and how to extract the value (using regex syntax). Each different value
+# found will appear in first column of report on a different row. Be sure
+# that list of different possible values will not grow indefinitely.
+# ExtraSectionFirstColumnFormatX is the string used to write value.
+# ExtraSectionStatTypesX are things you want to count. You can use standard
+# code letters (P for pages,H for hits,B for bandwidth,L for last access).
+# ExtraSectionAddAverageRowX add a row at bottom of chart with average values.
+# ExtraSectionAddSumRowX add a row at bottom of chart with sum values.
+# MaxNbOfExtraX is maximum number of rows shown in chart.
+# MinHitExtraX is minimum number of hits required to be shown in chart.
+#
+
+# Example to report the 20 products the most ordered by "order.cgi" script
+#ExtraSectionName1="Product orders"
+#ExtraSectionCodeFilter1="200 304"
+#ExtraSectionCondition1="URL,\/cgi\-bin\/order\.cgi||URL,\/cgi\-bin\/order2\.cgi"
+#ExtraSectionFirstColumnTitle1="Product ID"
+#ExtraSectionFirstColumnValues1="QUERY_STRING,productid=([^&]+)"
+#ExtraSectionFirstColumnFormat1="%s"
+#ExtraSectionStatTypes1=PL
+#ExtraSectionAddAverageRow1=0
+#ExtraSectionAddSumRow1=1
+#MaxNbOfExtra1=20
+#MinHitExtra1=1
+
+
+# There is also a global parameter ExtraTrackedRowsLimit that limits the
+# number of possible rows an ExtraSection can report. This parameter is
+# here to protect too much memory use when you make a bad setup in your
+# ExtraSection. It applies to all ExtraSection independently meaning that
+# none ExtraSection can report more rows than value defined by ExtraTrackedRowsLimit.
+# If you know an ExtraSection will report more rows than its value, you should
+# increase this parameter or AWStats will stop with an error.
+# Example: 2000
+# Default: 500
+#
+ExtraTrackedRowsLimit=500
+
+
+#-----------------------------------------------------------------------------
+# INCLUDES
+#-----------------------------------------------------------------------------
+
+# You can include other config files using the directive with the name of the
+# config file.
+# This is particularly useful for users who have a lot of virtual servers, so
+# a lot of config files and want to maintain common values in only one file.
+# Note that when a variable is defined both in a config file and in an
+# included file, AWStats will use the last value read for parameters that
+# contains one value and AWStats will concat all values from both files for
+# parameters that are lists of values.
+#
+
+#Include ""
diff --git a/bash_completion.d/authselect-completion.sh b/bash_completion.d/authselect-completion.sh
new file mode 100644
index 0000000..84a63c9
--- /dev/null
+++ b/bash_completion.d/authselect-completion.sh 
@@ -0,0 +1,214 @@ +# +# Authors: +# Tomas Halman +# +# Copyright (C) 2019 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# +# provides autocompletion for authselect command +# + +_authselect_completions() +{ + local COMMANDS + local command + local possibleopts + + function is_valid_command() { + local cmd + + for cmd in "${COMMANDS[@]}"; do + if [[ "$cmd" = "$1" ]]; then + return 0 + fi + done + return 1 + } + + function get_command() { + local opt + + if [[ $COMP_CWORD -lt 2 ]] ; then + return + fi + for opt in "${COMP_WORDS[@]:0:$COMP_CWORD}"; do + if is_valid_command "$opt"; then + echo "$opt" + return + fi + done + } + + function get_command_param() { + local havecmd=0 + local len=${#COMP_WORDS[@]}-1 + + if [[ "$command" = "" ]]; then + return + fi + havecmd=0 + for (( i=0; i<$len; i++ )); do + if [[ "$havecmd" = "1" ]] ; then + if [[ "${COMP_WORDS[$i]}" =~ ^[-=] || "${COMP_WORDS[$i-1]}" = "=" ]] ; then + continue + fi + echo "${COMP_WORDS[$i]}" + return + fi + if [[ "${COMP_WORDS[$i]}" = "$command" ]] ; then + havecmd=1 + fi + done + } + + function get_profile() { + case "$command" in + select|show|requirements|test|list-features) + get_command_param + ;; + enable-feature|disable-feature) + authselect current 2>/dev/null | head -n1 | cut -d" " -f3 + ;; + esac + } + + function get_command_keywords() { + local profile + + case "$command" in + select|requirements|test) + 
profile="$(get_profile)" + if [[ "$profile" != "" ]] ; then + authselect list-features "$profile" 2>/dev/null + fi + ;; + esac + } + + function get_command_options() { + if [[ "${COMP_WORDS[$COMP_CWORD]}" =~ ^- ]] ; then + case "$command" in + select) + echo "--force --quiet --nobackup --backup=" + ;; + apply-changes|disable-feature) + echo "--backup=" + ;; + enable-feature) + echo "--backup= --quiet" + ;; + current|backup-list) + echo "--raw" + ;; + create-profile) + echo "--vendor --base-on= --base-on-default" \ + "--symlink-meta --symlink-nsswitch --symlink-pam" \ + "--symlink-dconf --symlink=" + ;; + test) + echo "--all --nsswitch --system-auth --password-auth" \ + "--smartcard-auth --fingerprint-auth --postlogin" \ + "--dconf-db --dconf-lock" + ;; + esac + fi + } + + function get_global_options() { + if [[ "${COMP_WORDS[$COMP_CWORD]}" =~ ^- ]] ; then + echo "--debug --trace --warn --help" + fi + } + + function get_option_params() { + local opt + + if [[ $COMP_CWORD -gt 2 && "${COMP_WORDS[$COMP_CWORD-1]}" = "=" ]] ; then + opt="${COMP_WORDS[$COMP_CWORD-2]}" + else + if [[ $COMP_CWORD -gt 1 ]] ; then + opt="${COMP_WORDS[$COMP_CWORD-1]}" + fi + fi + case "$opt" in + --base-on) + authselect list 2>/dev/null | cut -d" " -f2 + ;; + --symlink) + echo "dconf-db dconf-locks fingerprint-auth nsswitch.conf" \ + "password-auth postlogin smartcard-auth system-auth" \ + "README REQUIREMENTS" + ;; + esac + + } + + function get_command_params() { + local i + local profile + + if [[ "$command" = "" ]]; then + return + fi + for (( i=$COMP_CWORD-1; i>1; i-- )); do + opt="${COMP_WORDS[$i]}" + if [[ "$opt" = "$command" ]] ; then + break + fi + if [[ "$opt" =~ ^[-=] || "${COMP_WORDS[$i-1]}" = "=" ]] ; then + continue + fi + return + done + case "$command" in + select|show|requirements|test|list-features) + authselect list 2>/dev/null | cut -d" " -f2 + ;; + backup-remove|backup-restore) + authselect backup-list 2>/dev/null | cut -d" " -f1 + ;; + enable-feature|disable-feature) + 
profile="$(get_profile)" + if [[ "$profile" != "" ]] ; then + authselect list-features "$profile" 2>/dev/null + fi + ;; + esac + } + + COMMANDS=(select apply-changes list list-features show requirements current + check test enable-feature disable-feature create-profile + backup-list backup-remove backup-restore) + + possibleopts="$(get_option_params)" + if [[ "$possibleopts" != "" ]]; then + if [[ "${COMP_WORDS[$COMP_CWORD]}" = "=" ]]; then + COMPREPLY=($(compgen -W "$possibleopts")) + else + COMPREPLY=($(compgen -W "$possibleopts" -- "${COMP_WORDS[$COMP_CWORD]}")) + fi + else + command="$(get_command)" + if [[ "$command" = "" ]]; then + possibleopts="$(get_global_options) ${COMMANDS[@]}" + else + possibleopts="$(get_global_options) $(get_command_params) $(get_command_keywords) $(get_command_options)" + fi + COMPREPLY=($(compgen -W "$possibleopts" -- "${COMP_WORDS[$COMP_CWORD]}")) + fi +} + +complete -F _authselect_completions authselect diff --git a/bash_completion.d/pip2 b/bash_completion.d/pip2 new file mode 100644 index 0000000..120252e --- /dev/null +++ b/bash_completion.d/pip2 @@ -0,0 +1,11 @@ + +# pip bash completion start +_pip_completion() +{ + COMPREPLY=( $( COMP_WORDS="${COMP_WORDS[*]}" \ + COMP_CWORD=$COMP_CWORD \ + PIP_AUTO_COMPLETE=1 $1 ) ) +} +complete -o default -F _pip_completion pip2 pip-2 pip-2.7 pip2.7 +# pip bash completion end + diff --git a/bash_completion.d/redefine_filedir b/bash_completion.d/redefine_filedir new file mode 100644 index 0000000..1993be2 --- /dev/null +++ b/bash_completion.d/redefine_filedir 
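Review bot: The nine helper functions declared with `function` inside _authselect_completions (is_valid_command, get_command, get_profile and the rest) are not scoped to it. Bash defines them globally the first time the completion runs, so a Tab press on an `authselect` command line silently replaces any function of the same name already present in the interactive shell. Giving them a unique prefix, for example `_authselect_get_command`, keeps the completion from altering the caller's environment. The variables `i` in get_command_param and `opt` in get_command_params are also missing `local`; this is harmless only because those helpers are always called inside `$( )`.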
@@ -0,0 +1,48 @@
+# This is a copy of the _filedir function in bash_completion, included
+# and (re)defined separately here because some versions of Adobe
+# Reader, if installed, are known to override this function with an
+# incompatible version, causing various problems.
+#
+# https://bugzilla.redhat.com/677446
+# http://forums.adobe.com/thread/745833
+
+_filedir()
+{
+ local IFS=$'\n'
+
+ _tilde "$cur" || return
+
+ local -a toks
+ local x tmp
+
+ x=$( compgen -d -- "$cur" ) &&
+ while read -r tmp; do
+ toks+=( "$tmp" )
+ done <<< "$x"
+
+ if [[ "$1" != -d ]]; then
+ local quoted
+ _quote_readline_by_ref "$cur" quoted
+
+ # Munge xspec to contain uppercase version too
+ # http://thread.gmane.org/gmane.comp.shells.bash.bugs/15294/focus=15306
+ local xspec=${1:+"!*.@($1|${1^^})"}
+ x=$( compgen -f -X "$xspec" -- $quoted ) &&
+ while read -r tmp; do
+ toks+=( "$tmp" )
+ done <<< "$x"
+
+ # Try without filter if it failed to produce anything and configured to
+ [[ -n ${COMP_FILEDIR_FALLBACK:-} && -n "$1" && ${#toks[@]} -lt 1 ]] && \
+ x=$( compgen -f -- $quoted ) &&
+ while read -r tmp; do
+ toks+=( "$tmp" )
+ done <<< "$x"
+ fi
+
+ if [[ ${#toks[@]} -ne 0 ]]; then
+ # 2>/dev/null for direct invocation, e.g. in the _filedir unit test
+ compopt -o filenames 2>/dev/null
+ COMPREPLY+=( "${toks[@]}" )
+ fi
+} # _filedir()
diff --git a/bash_completion.d/scl b/bash_completion.d/scl
new file mode 100644
index 0000000..78aa574
--- /dev/null
+++ b/bash_completion.d/scl
@@ -0,0 +1,88 @@ +# main function bound to scl command +_scl() +{ + local cur actions cur_action collections + COMPREPLY=() + + cur="${COMP_WORDS[COMP_CWORD]}" + actions="enable run load unload list-collections list-packages man register deregister --help" + + collections=`scl list-collections` + + # Complete action names + if ((COMP_CWORD == 1)); then + COMPREPLY=( $(compgen -W "${actions}" -- ${cur}) ) + return 0; + fi + + # If there is command or separator in arguments then stop completition + if ((COMP_CWORD > 3)); then + for word in "${COMP_WORDS[@]}"; do + if [[ ${word} == \'* || ${word} == \"* || ${word} == "--" ]] ; then + return 0 + fi + done + fi + + # Complete one or none action argument + if ((COMP_CWORD >= 2)); then + cur_action="${COMP_WORDS[1]}" + + case "$cur_action" in + # No argument + list-collections|list-enabled|--help) + return 0 + ;; + + # Argument is collection name + list-packages|man) + if ((COMP_CWORD == 2)); then + COMPREPLY=( $(compgen -W "$collections" -- ${cur}) ) + fi + return 0 + ;; + + # Argument is collection name or "-f" or "--force" + deregister) + if ((COMP_CWORD == 2)); then + COMPREPLY=( $(compgen -W "$collections --force -f" -- ${cur})) + fi + if [ "$COMP_CWORD" -eq 3 -a "(" "${COMP_WORDS[2]}" == "--force" -o "${COMP_WORDS[2]}" == "-f" ")" ]; then + COMPREPLY=( $(compgen -W "$collections" -- ${cur})) + fi + return 0 + ;; + + # Argument is directory + register) + compopt -o plusdirs + if ((COMP_CWORD == 2)); then + COMPREPLY=( $(compgen -A directory -- ${cur}) ) + fi + return 0 + ;; + + # Arguments are collections or "-x" or "--exec" + run|enable) + if ((COMP_CWORD == 2)); then + COMPREPLY=( $(compgen -W "$collections -x --exec" -- ${cur}) ) + else + COMPREPLY=( $(compgen -W "$collections" -- ${cur}) ) + fi + return 0 + ;; + + # Arguments are collections + load|unload) + COMPREPLY=( $(compgen -W "$collections" -- ${cur}) ) + return 0 + ;; + *) + ;; + esac + fi + +} + +# bind the scl command to the _scl function for completion 
+complete -F _scl scl
diff --git a/bashrc b/bashrc
new file mode 100644
index 0000000..fac0a34
--- /dev/null
+++ b/bashrc
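Review bot: `${cur}` is passed unquoted to every `compgen` call in _scl (for example `compgen -W "${actions}" -- ${cur}`), so a partially typed word containing whitespace or glob characters is split and pathname-expanded before compgen sees it. Writing `-- "${cur}"` in each call fixes that. The loop variable `word` is missing from the `local` list and leaks into the interactive shell, so the declaration should read `local cur actions cur_action collections word`. `scl list-collections` also runs on every Tab press, ahead of the `COMP_CWORD == 1` branch that does not need it, and its stderr is not redirected. Moving it below that branch as `collections=$(scl list-collections 2>/dev/null)` keeps error text out of the prompt.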
@@ -0,0 +1,99 @@ +#!/etc/bashrc + +# System wide functions and aliases +# Environment stuff goes in /etc/profile + +# It's NOT a good idea to change this file unless you know what you +# are doing. It's much better to create a custom.sh shell script in +# /etc/profile.d/ to make custom changes to your environment, as this +# will prevent the need for merging in future updates. + +# Prevent doublesourcing +if [ -z "$BASHRCSOURCED" ]; then + BASHRCSOURCED="Y" + + # are we an interactive shell? + if [ "$PS1" ]; then + if [ -z "$PROMPT_COMMAND" ]; then + case $TERM in + xterm*|vte*) + if [ -e /etc/sysconfig/bash-prompt-xterm ]; then + PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm + elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then + PROMPT_COMMAND="__vte_prompt_command" + else + PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' + fi + ;; + screen*) + if [ -e /etc/sysconfig/bash-prompt-screen ]; then + PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen + else + PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' + fi + ;; + *) + [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default + ;; + esac + fi + # Turn on parallel history + shopt -s histappend + history -a + # Turn on checkwinsize + shopt -s checkwinsize + [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ " + # You might want to have e.g. tty in prompt (e.g. more virtual machines) + # and console windows + # If you want to do so, just add e.g. + # if [ "$PS1" ]; then + # PS1="[\u@\h:\l \W]\\$ " + # fi + # to your custom modification shell script in /etc/profile.d/ directory + fi + + if ! 
shopt -q login_shell ; then # We're not a login shell + # Need to redefine pathmunge, it gets undefined at the end of /etc/profile + pathmunge () { + case ":${PATH}:" in + *:"$1":*) + ;; + *) + if [ "$2" = "after" ] ; then + PATH=$PATH:$1 + else + PATH=$1:$PATH + fi + esac + } + + # By default, we want umask to get set. This sets it for non-login shell. + # Current threshold for system reserved uid/gids is 200 + # You could check uidgid reservation validity in + # /usr/share/doc/setup-*/uidgid file + if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then + umask 002 + else + umask 027 + fi + + SHELL=/bin/bash + # Only display echos from profile.d scripts if we are no login shell + # and interactive - otherwise just process them to set envvars + for i in /etc/profile.d/*.sh; do + if [ -r "$i" ]; then + if [ "$PS1" ]; then + . "$i" + else + . "$i" >/dev/null + fi + fi + done + + unset i + unset -f pathmunge + fi + +fi +# vim:ts=4:sw=4 + diff --git a/bindresvport.blacklist b/bindresvport.blacklist new file mode 100644 index 0000000..8904277 --- /dev/null +++ b/bindresvport.blacklist @@ -0,0 +1,13 @@ +# +# This file contains a list of port numbers between 600 and 1024, +# which should not be used by bindresvport. bindresvport is mostly +# called by RPC services. This mostly solves the problem, that a +# RPC service uses a well known port of another service. +# +623 # ASF, used by IPMI on some cards +631 # cups +636 # ldaps +664 # Secure ASF, used by IPMI on some cards +921 # lwresd +993 # imaps +995 # pops diff --git a/centos-release b/centos-release new file mode 100644 index 0000000..a629bbf --- /dev/null +++ b/centos-release @@ -0,0 +1 @@ +CentOS Linux release 8.3.2011 diff --git a/centos-release-upstream b/centos-release-upstream new file mode 100644 index 0000000..1e563b4 --- /dev/null +++ b/centos-release-upstream @@ -0,0 +1 @@ +Derived from Red Hat Enterprise Linux 8.3 
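Review bot: The `umask 002` branch for non-login shells is selected by a name comparison, `id -gn` equal to `id -un`, which only approximates a user-private group. If accounts come from a directory service and a group sharing the user's name has other members, files created under this umask would be writable by that group; whether that applies here cannot be told from the hunk. Sites that do not rely on user-private groups can override the value from a script in /etc/profile.d/, which this file sources after the umask is set, for example a `custom.sh` containing `umask 027`. The header of this file recommends that location for local changes. `$UID` in `[ $UID -gt 199 ]` should also be quoted as `"$UID"`.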
diff --git a/chrony.conf b/chrony.conf
new file mode 100644
index 0000000..5823b3e
--- /dev/null
+++ b/chrony.conf
@@ -0,0 +1,43 @@
+# Ansible managed: /home/bogdan/ops/ansible/roles/chrony/templates/chrony.conf.j2 modified on 2016-10-13 16:33:00 by bogdan on Lenovo-C50-30
+#peer 192.168.1.254 minpoll 4 maxpoll 10
+server 0.ro.pool.ntp.org iburst minpoll 4 maxpoll 10
+server 1.ro.pool.ntp.org iburst minpoll 4 maxpoll 10
+server 2.ro.pool.ntp.org iburst minpoll 4 maxpoll 10
+server 3.ro.pool.ntp.org iburst minpoll 4 maxpoll 10
+
+# Ignore stratum in source selection.
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Enable kernel RTC synchronization.
+rtcsync
+
+# In first three updates step the system clock instead of slew
+# if the adjustment is larger than 10 seconds.
+makestep 10 3
+
+# Allow NTP client access from local network.
+#allow 192.168/16
+
+# Listen for commands only on localhost.
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+
+keyfile /etc/chrony.keys
+
+# Specify the key used as password for chronyc.
+#commandkey 1
+
+# Generate command key if missing.
+#generatecommandkey
+
+# Disable logging of client accesses.
+noclientlog
+
+# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
+logchange 0.5
+
+logdir /var/log/chrony
+#log measurements statistics tracking
diff --git a/chrony.keys b/chrony.keys
new file mode 100644
index 0000000..65b6be2
--- /dev/null
+++ b/chrony.keys
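Review bot: `keyfile /etc/chrony.keys` is configured in chrony.conf, but none of the four `server` lines carries a `key` option, so time from the pool sources is accepted without NTP authentication and the key file has no effect on them. That is normal for public pool servers, but the file should say so, for instance with a comment above the server lines: `# Public pool sources are unauthenticated; keyfile applies only to sources given a "key" option.` The first line of the file also embeds the Ansible controller's template path, user name and host name. Trimming the `ansible_managed` string is worth doing if this repository is shared beyond the people who run that controller.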
@@ -0,0 +1,13 @@
+# This is an example chrony keys file. It enables authentication of NTP
+# packets with symmetric keys when its location is specified by the keyfile
+# directive in chrony.conf(5). It should be readable only by root and the
+# user under which chronyd is running.
+#
+# Don't use the example keys! It's recommended to generate random keys using
+# the chronyc keygen command.
+
+# Examples of valid keys:
+
+#1 MD5 AVeryLongAndRandomPassword
+#2 MD5 HEX:12114855C7931009B4049EF3EFC48A139C3F989F
+#3 SHA1 HEX:B2159C05D6A219673A3B7E896B6DE07F6A440995
diff --git a/cifs-utils/idmap-plugin b/cifs-utils/idmap-plugin
new file mode 120000
index 0000000..b53a5fc
--- /dev/null
+++ b/cifs-utils/idmap-plugin
@@ -0,0 +1 @@
+/etc/alternatives/cifs-idmap-plugin
\ No newline at end of file
diff --git a/clamav-unofficial-sigs/master.conf b/clamav-unofficial-sigs/master.conf
new file mode 100644
index 0000000..66f1c97
--- /dev/null
+++ b/clamav-unofficial-sigs/master.conf
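Review bot: chrony.keys is tracked in this repository even though its own header says it should be readable only by root and the user chronyd runs as. The three entries are commented examples today, but any real key added later would be stored in git history and readable by anyone with access to the repository or a clone of it. Git's `100644` records only the executable bit, so the file mode on disk does not protect the committed copy. If symmetric keys are ever enabled, list `chrony.keys` in /etc/.gitignore first so that etckeeper stops tracking the file.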
@@ -0,0 +1,746 @@ +# This file contains master configuration settings for clamav-unofficial-sigs.sh +################################################################################ +# This is property of eXtremeSHOK.com +# You are free to use, modify and distribute, however you may not remove this notice. +# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +# License: BSD (Berkeley Software Distribution) +################################################################################ +# +# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! +# +################################################################################ +# +# SET YOUR CUSTOM OPTIONS AND SETTINGS IN THE user.conf +# +# os.conf (os.***.conf) AND user.conf OVERRIDES THE OPTIONS IN THIS FILE +# +################################################################################ + +# Edit the quoted variables below to meet your own particular needs +# and requirements, but do not remove the "quote" marks. + +# Set the appropriate ClamD user and group accounts for your system. +# If you do not want the script to set user and group permissions on +# files and directories, comment the next two variables. +#clam_user="clamav" +#clam_group="clamav" + +# If you do not want the script to change the file mode of all signature +# database files in the ClamAV working directory to 0644 (-rw-r--r--): +# +# owner: read, write +# group: read +# world: read +# +# as defined in the "clam_dbs" path variable below, then set the following +# "setmode" variable to "no". +setmode="yes" + +# Set path to ClamAV database files location. If unsure, check +# your clamd.conf file for the "DatabaseDirectory" path setting. +clam_dbs="/var/lib/clamav" + +# Set path to clamd.pid file (see clamd.conf for path location). 
+clamd_pid="/var/run/clamav/clamd.pid" + +# To enable "ham" (non-spam) directory scanning and removal of +# signatures that trigger on ham messages, uncomment the following +# variable and set it to the appropriate ham message directory. +#ham_dir="/var/lib/clamav-unofficial-sigs/ham-test" + +# If you would like to reload the clamd databases after an update, +# change the following variable to "yes". +reload_dbs="yes" + +# Custom Command to do a full clamd reload, this is only used when reload_dbs is enabled +clamd_reload_opt="clamdscan --reload" + +# Top level working directory, script will attempt to create them. +work_dir="/var/lib/clamav-unofficial-sigs" #Top level working directory + +# Log update information to '$log_file_path/$log_file_name'. +logging_enabled="yes" +log_file_path="/var/log/clamav-unofficial-sigs" +log_file_name="clamav-unofficial-sigs.log" +## Use a program to log messages +#log_pipe_cmd="/usr/bin/logger -it 'clamav-unofficial-sigs'" + + +# ========================= +# MalwarePatrol : https://www.malwarepatrol.net +# MalwarePatrol 2016 (free) clamav signatures +# +# 1. Sign up for an account : https://www.malwarepatrol.net/free-guard-upgrade-option/ +# 2. You will recieve an email containing your password/receipt number +# 3. Login to your account at malwarePatrol +# 4. In My Accountpage, choose the ClamAV list you will download. Free subscribers only get ClamAV Basic, commercial subscribers have access to ClamAV Extended. Do not use the agressive lists. +# 5. In the download URL, you will see 3 parameters: receipt, product and list, enter them in the variables below. 
+ +malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" +malwarepatrol_product_code="8" +malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext +# if the malwarepatrol_product_code is not 8, +# the malwarepatrol_free is set to no (non-free) +# set to no to enable the commercial subscription url, +malwarepatrol_free="yes" +malwarepatrol_db="malwarepatrol.db" + + +# ========================= +# Malware Expert : https://www.Malware Expert +# Malware Expert 2020 (non-free) clamav signatures +malwareexpert_serial_key="YOUR-SERIAL-KEY" + +# ========================= +# SecuriteInfo : https://www.SecuriteInfo.com +# SecuriteInfo 2015 free clamav signatures +# +# Usage of SecuriteInfo 2015 free clamav signatures : https://www.securiteinfo.com +# - 1. Sign up for a free account : https://www.securiteinfo.com/clients/customers/signup +# - 2. You will recieve an email to activate your account and then a followup email with your login name +# - 3. Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account +# - 4. Click on the Setup tab +# - 5. You will need to get your unique identifier from one of the download links, they are individual for every user +# - 5.1. The 128 character string is after the http://www.securiteinfo.com/get/signatures/ +# - 5.2. Example https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb +# Your 128 character authorisation signature would be : your_unique_and_very_long_random_string_of_characters +# - 6. 
Enter the authorisation signature into the config securiteinfo_authorisation_signature: replacing YOUR-SIGNATURE-NUMBER with your authorisation signature from the link + +securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER" +# Enable if you have a commercial/premium/non-free subscription +securiteinfo_premium="no" + + +# ======================== +# Database provider update time +# ======================== +# Since the database files are dynamically created, non default values can cause banning, change with caution +additional_update_hours="4" # Default is 4 hours (6 downloads daily). +interserver_update_hours="1" # Default is 2 hours (12 downloads daily). +linuxmalwaredetect_update_hours="6" # Default is 6 hours (4 downloads daily). +malwareexpert_update_hours="2" # Default is 2 hours (12 downloads daily). +malwarepatrol_update_hours="24" # Default is 24 hours (1 downloads daily). +sanesecurity_update_hours="2" # Default is 2 hours (12 downloads daily). +securiteinfo_premium_update_hours="1" # Default is 1 hours (24 downloads daily). +securiteinfo_update_hours="4" # Default is 4 hours (6 downloads daily). +urlhaus_update_hours="1" # Default is 1 hours (24 downloads daily). +yararulesproject_update_hours="24" # Default is 24 hours (1 downloads daily). + +# ======================== +# Enabled Databases +# ======================== +# Set to no to disable an entire database, if the database is empty it will also be disabled. 
+additional_enabled="yes" # Additional Databases +interserver_enabled="yes" # interServer +linuxmalwaredetect_enabled="yes" # Linux Malware Detect +malwareexpert_enabled="yes" # Malware Expert +malwarepatrol_enabled="yes" # Malware Patrol +sanesecurity_enabled="yes" # Sanesecurity +securiteinfo_enabled="yes" # SecuriteInfo +urlhaus_enabled="yes" # urlhaus +yararulesproject_enabled="yes" # Yara-Rule Project, automatically disabled if clamav is older than 0.100 and enable_yararules is disabled + +# Disabled by default +## Enabling this will also cause the yararulesproject to be enabled if they are det to enabled. +enable_yararules="yes" #Enables yararules in the various databases, automatically disabled if clamav is older than 0.100 + +# ======================== +# eXtremeSHOK Database format +# ======================== +# The new and old database formats are supported for backwards compatibility +# +# New Format Usage: +# declare -a new_example_dbs=( +# file.name|RATING #description +# ) +# +# Rating (False Positive Rating) +# valid ratings: +# REQUIRED : always used +# LOW : used when the rating is low, medium and high +# MEDIUM : used when the rating is medium and high +# HIGH : used when the rating is high +# LOWONLY : used only when the rating is low +# MEDIUMONLY : used only when the rating is medium +# LOWMEDIUMONLY : used only when the rating is medium or low +# DISABLED : never used, will automatically remove the present file +# +# Old Format is still supported, requiring you to comment out files to disable them +# old_example_dbs=" +# file.name #LOW description +# " + +# Default dbs rating +# valid rating: LOW, MEDIUM, HIGH, DISABLE +default_dbs_rating="MEDIUM" + +# Per Database +# These ratings will override the global rating for the specific database +# valid ratings: LOW | MEDIUM | HIGH | DISABLE +#linuxmalwaredetect_dbs_rating="" +#sanesecurity_dbs_rating="" +#securiteinfo_dbs_rating="" +#urlhaus_dbs_rating="" +#yararulesproject_dbs_rating="" + +# 
======================== +# Sanesecurity Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable usage of any of the Sanesecurity distributed database files +# shown, remove the database file name from the quoted section below. +# Only databases defined as "low" risk have been enabled by default +# for additional information about the database ratings, see: +# http://www.sanesecurity.com/clamav/databases.htm +# Only add signature databases here that are "distributed" by Sanesecuirty +# as defined at the URL shown above. Database distributed by others sources +# (e.g., SecuriteInfo & MalewarePatrol, can be added to other sections of +# this config file below). Finally, make sure that the database names are +# spelled correctly or you will experience issues when the script runs +# (hint: all rsync servers will fail to download signature updates). + +declare -a sanesecurity_dbs=( # BEGIN SANESECURITY DATABASE +### SANESECURITY http://sanesecurity.com/usage/signatures/ +## REQUIRED, Do NOT disable +sanesecurity.ftm|REQUIRED # Message file types, for best performance +sigwhitelist.ign2|REQUIRED # Fast update file to whitelist any problem signatures +# LOW +blurl.ndb|LOW # Blacklisted full urls over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be "bad" +junk.ndb|LOW # General high hitting junk, containing spam/phishing/lottery/jobs/419s etc +jurlbl.ndb|LOW # Junk Url based +malwarehash.hsb|LOW # Malware hashes without known Size +phish.ndb|LOW # Phishing and Malware +rogue.hdb|LOW # Malware, Rogue anti-virus software and Fake codecs etc. 
Updated hourly to cover the latest malware threats +scam.ndb|LOW # Spam/scams +spamattach.hdb|LOW # Spam Spammed attachments such as pdf/doc/rtf/zips +spamimg.hdb|LOW # Spam images +# MEDIUM +badmacro.ndb|MEDIUM # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents +jurlbla.ndb|MEDIUM # Junk Url based autogenerated from various feeds +lott.ndb|MEDIUM # Lottery +shelter.ldb|MEDIUM # Phishing and Malware +spam.ldb|MEDIUM # Spam detected using the new Logical Signature type +spear.ndb|MEDIUM # Spear phishing email addresses (autogenerated from data here) +spearl.ndb|MEDIUM # Spear phishing urls (autogenerated from data here) + +### FOXHOLE http://sanesecurity.com/foxhole-databases/ +# LOW +foxhole_filename.cdb|LOW # See Foxhole page for more details +foxhole_generic.cdb|LOW # See Foxhole page for more details +# MEDIUM +foxhole_js.cdb|MEDIUM # See Foxhole page for more details +foxhole_js.ndb|MEDIUM # See Foxhole page for more details +# HIGH +foxhole_all.cdb|HIGH # See Foxhole page for more details +foxhole_all.ndb|HIGH # See Foxhole page for more details +foxhole_mail.cdb|HIGH # block any mail that contains a possible dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh. + +### OITC http://www.oitc.com/winnow/clamsigs/index.html +### Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should NOT be used together. +# LOW +winnow_bad_cw.hdb|LOW # md5 hashes of malware attachments acquired directly from a group of botnets +winnow_extended_malware.hdb|LOW # contain hand generated signatures for malware +winnow_malware_links.ndb|LOW # Links to malware +winnow_malware.hdb|LOW # Current virus, trojan and other malware not yet detected by ClamAV. 
+winnow_phish_complete_url.ndb|LOWMEDIUMONLY # Similar to winnow_phish_complete.ndb except that entire urls are used +winnow.attachments.hdb|LOW # Spammed attachments such as pdf/doc/rtf/zip as well as malware crypted configs +# MEDIUM +winnow_extended_malware_links.ndb|MEDIUM # contain hand generated signatures for malware links +winnow_spam_complete.ndb|MEDIUM # Signatures to detect fraud and other malicious spam +winnow.complex.patterns.ldb|MEDIUM # contain hand generated signatures for malware and some egregious fraud +# HIGH +winnow_phish_complete.ndb|HIGH # Phishing and other malicious urls and compromised hosts **DO NOT USE WITH winnow_phish_complete_url** +### OITC YARA Format rules +### Note: Yara signatures require ClamAV 0.100 or newer to work +winnow_malware.yara|DISABLED # Duplicated in EMAIL_Cryptowall.yar and no longer maintaned + +### MiscreantPunch http://malwarefor.me/about/ +## MEDIUM +MiscreantPunch099-Low.ldb|MEDIUM # ruleset contains comprehensive rules for detecting malicious or abnormal Macros, JS, HTA, HTML, XAP, JAR, SWF, and more. +## HIGH +MiscreantPunch099-INFO-Low.ldb|HIGH # ruleset provides context to various files. Info and Suspicious level signatures may inform analysts of potentially interesting conditions that exist within a document. 
+ +### SCAMNAILER http://www.scamnailer.info/ +# MEDIUM +scamnailer.ndb|DISABLED # Spear phishing and other phishing emails, service has been discontinued https://github.com/extremeshok/clamav-unofficial-sigs/issues/365 + +### BOFHLAND http://clamav.bofhland.org/ +# LOW +bofhland_cracked_URL.ndb|LOW # Spam URLs +bofhland_malware_attach.hdb|LOW # Malware Hashes +bofhland_malware_URL.ndb|LOW # Malware URLs +bofhland_phishing_URL.ndb|LOW # Phishing URLs + +### RockSecurity http://rooksecurity.com/ +# LOW +hackingteam.hsb|LOW # Hacking Team hashes based on work by rooksecurity.com + +### Porcupine +# LOW +phishtank.ndb|LOW # Online and valid phishing urls from phishtank.com data feed +porcupine.hsb|LOW # Sha256 Hashes of VBS and JSE malware, kept for 7 days +porcupine.ndb|LOW # Brazilian e-mail phishing and malware signatures + +### Sanesecurity YARA Format rules +### Note: Yara signatures require ClamAV 0.100 or newer to work +Sanesecurity_sigtest.yara|LOW # Sanesecurity test signatures +Sanesecurity_spam.yara|LOW # Detects Spam emails + +) # END SANESECURITY DATABASES + +# ======================== +# SecuriteInfo Database(s) +# ======================== +# Only active when you set your securiteinfo_authorisation_signature +# Add or remove database file names between quote marks as needed. To +# disable any SecuriteInfo database downloads, remove the appropriate +# lines below. +declare -a securiteinfo_dbs=( #START SECURITEINFO DATABASES +### Securiteinfo https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml +## REQUIRED, Do NOT disable +securiteinfo.ign2|REQUIRED # Signature Whitelist +# LOW +javascript.ndb|LOW # Malwares Javascript +securiteinfo.hdb|LOW # Malwares younger than 3 years. +securiteinfoandroid.hdb|LOW # Malwares Java/Android Dalvik +securiteinfoascii.hdb|LOW # Text file malwares (Perl or shell scripts, bat files, exploits, ...) 
+securiteinfohtml.hdb|LOW # Malwares HTML +securiteinfoold.hdb|LOW # Malwares older than 3 years. +securiteinfopdf.hdb|LOW # Malwares PDF +# HIGH +spam_marketing.ndb|HIGH # Spam Marketing / spammer blacklist +) #END SECURITEINFO DATABASES + +# SECURITEINFO PREMIUM (NON-FREE) DATABASES +declare -a securiteinfo_premium_dbs=( #START SECURITEINFO DATABASES +securiteinfo.mdb|LOW # 0-day Malwares +securiteinfo0hour.hdb|LOW # 0-Hour Malwares +) #END NON-FREE SECURITEINFO DATABASES + +# ======================== +# LinuxMalwareDetect Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any LinuxMalwareDetect database downloads, remove the appropriate +# lines below. +declare -a linuxmalwaredetect_dbs=( +### Linux Malware Detect https://www.rfxn.com/projects/linux-malware-detect/ +# LOW +rfxn.ndb|LOW # HEX Malware detection signatures +rfxn.hdb|LOW # MD5 Malware detection signatures +rfxn.yara|LOW # Yara Malware detection signatures +) #END LINUXMALWAREDETECT DATABASES + +# ======================== +# interServer Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any Malware Expert database downloads, remove the appropriate +# lines below. +declare -a interserver_dbs=( +## REQUIRED, Do NOT disable +whitelist.fp|REQUIRED # found to be false positive malware +# LOW +interserver256.hdb|LOW # 100% known malware sha256 format +# MEDIUM +interservertopline.db|MEDIUM # inserts into files, manual cleaning HEX +# HIGH +shell.ldb|HIGH # 99.9% known malware using logical signatures +) #END Malware Expert DATABASES + +# ======================== +# Malware Expert Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any Malware Expert database downloads, remove the appropriate +# lines below. 
+declare -a malwareexpert_dbs=( +## REQUIRED, Do NOT disable +malware.expert.fp|REQUIRED # found to be false positive malware +# LOW +malware.expert.hdb|LOW # statics MD5 pattern for files +# MEDIUM +malware.expert.ldb|MEDIUM # which use multi-words search for malware in files +malware.expert.ndb|MEDIUM # Generic Hex pattern PHP malware, which can cause false positive alarms +) #END Malware Expert DATABASES + +# ======================== +# urlhaus Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any urlhaus database downloads, remove the appropriate +# lines below. +declare -a urlhaus_dbs=( +### urlhaus https://urlhaus.abuse.ch/browse/ +# LOW +urlhaus.ndb|LOW # malicious URLs that are being used for malware distribution +) #END URLHAUS DATABASES + +# ======================== +# Yara Rules Project Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any Yara Rule database downloads, remove the appropriate +# lines below. +declare -a yararulesproject_dbs=( +### Yara Rules https://github.com/Yara-Rules/rules +# +# Some rules are now in sub-directories. To reference a file in a sub-directory +# use subdir/file +# LOW +# Anti debug and anti virtualization techniques used by malware +antidebug_antivm/antidebug_antivm.yar|DISABLED # (core dumped) +# Aimed toward the detection and existence of Exploit Kits. 
+exploit_kits/EK_Angler.yar|DISABLED # duplicated in rxfn.yara +exploit_kits/EK_Blackhole.yar|DISABLED # duplicated in rxfn.yara +exploit_kits/EK_BleedingLife.yar|LOW # duplicated in rxfn.yara +exploit_kits/EK_Crimepack.yar|DISABLED # duplicated in rxfn.yara +exploit_kits/EK_Eleonore.yar|DISABLED # duplicated in rxfn.yara +exploit_kits/EK_Fragus.yar|DISABLED # duplicated in rxfn.yara +exploit_kits/EK_Phoenix.yar|DISABLED # duplicated in rxfn.yara +exploit_kits/EK_Sakura.yar|DISABLED # duplicated in rxfn.yara +exploit_kits/EK_ZeroAcces.yar|DISABLED # duplicated in rxfn.yara +exploit_kits/EK_Zerox88.yar|DISABLED # duplicated in rxfn.yara +exploit_kits/EK_Zeus.yar|DISABLED # duplicated in rxfn.yara +#Identification of well-known webshells +webshells/WShell_APT_Laudanum.yar|DISABLED # duplicated in rxfn.yara +webshells/WShell_ASPXSpy.yar|LOW +webshells/WShell_Drupalgeddon2_icos.yar|LOW +webshells/WShell_PHP_Anuna.yar|DISABLED # duplicated in rxfn.yara +webshells/WShell_PHP_in_images.yar|DISABLED # duplicated in rxfn.yara +webshells/WShell_THOR_Webshells.yar|DISABLED # duplicated in rxfn.yara +webshells/Wshell_ChineseSpam.yar|DISABLED # duplicated in rxfn.yara +webshells/Wshell_fire2013.yar|DISABLED # duplicated in rxfn.yara +# MEDIUM +# Identification of specific Common Vulnerabilities and Exposures (CVEs) +cve_rules/CVE-2010-0805.yar|MEDIUM +cve_rules/CVE-2010-0887.yar|MEDIUM +cve_rules/CVE-2010-1297.yar|MEDIUM +cve_rules/CVE-2012-0158.yar|MEDIUM +cve_rules/CVE-2013-0074.yar|MEDIUM +cve_rules/CVE-2013-0422.yar|MEDIUM +cve_rules/CVE-2015-1701.yar|MEDIUM +cve_rules/CVE-2015-2426.yar|MEDIUM +cve_rules/CVE-2015-2545.yar|MEDIUM +cve_rules/CVE-2015-5119.yar|MEDIUM +cve_rules/CVE-2016-5195.yar|MEDIUM +cve_rules/CVE-2017-11882.yar|MEDIUM +cve_rules/CVE-2018-20250.yar|MEDIUM +cve_rules/CVE-2018-4878.yar|MEDIUM +# Identification of malicious e-mails. 
+email/bank_rule.yar|MEDIUM +email/EMAIL_Cryptowall.yar|MEDIUM +email/Email_fake_it_maintenance_bulletin.yar|MEDIUM +email/Email_quota_limit_warning.yar|MEDIUM +email/email_Ukraine_BE_powerattack.yar|MEDIUM +email/scam.yar|MEDIUM +# Detect well-known software packers, that can be used by malware to hide itself. +packers/JJencode.yar|DISABLED # Causes high CPU load with email attachments (images) https://github.com/extremeshok/clamav-unofficial-sigs/issues/362 +# HIGH +# Used with documents to find if they have been crafted to leverage malicious code. +email/Email_generic_phishing.yar|HIGH +maldocs/Maldoc_APT_OLE_JSRat.yar|HIGH +maldocs/Maldoc_APT10_MenuPass.yar|HIGH +maldocs/Maldoc_APT19_CVE-2017-0199.yar|HIGH +maldocs/Maldoc_Contains_VBE_File.yar|HIGH +maldocs/Maldoc_CVE_2017_11882.yar|HIGH +maldocs/Maldoc_CVE_2017_8759.yar|HIGH +maldocs/Maldoc_CVE-2017-0199.yar|HIGH +maldocs/Maldoc_DDE.yar|HIGH +maldocs/Maldoc_Dridex.yar|HIGH +maldocs/Maldoc_hancitor_dropper.yar|HIGH +maldocs/Maldoc_Hidden_PE_file.yar|HIGH +maldocs/Maldoc_malrtf_ole2link.yar|HIGH +maldocs/Maldoc_MIME_ActiveMime_b64.yar|HIGH +maldocs/Maldoc_PDF.yar|HIGH +maldocs/Maldoc_PowerPointMouse.yar|HIGH +maldocs/maldoc_somerules.yar|HIGH +maldocs/Maldoc_Suspicious_OLE_target.yar|HIGH +maldocs/Maldoc_UserForm.yar|HIGH +maldocs/Maldoc_VBA_macro_code.yar|HIGH +maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar|HIGH +# Yara Rules aimed to detect well-known software packers, that can be used by malware to hide itself. 
+packers/Javascript_exploit_and_obfuscation.yar|HIGH +# DISABLED +# NOT SUPPORTED OR CRASHING CLAMAV +email/attachment.yar|DISABLED # detects all emails with attachments +email/image.yar|DISABLED # detects all emails with images +email/urls.yar|DISABLED # detects all emails with urls +crypto/crypto_signatures.yar|DISABLED # detects all files which are encrypted +# These files use module includes not supported by ClamAV +packers/packer_compiler_signatures.yar|DISABLED +packers/packer.yar|DISABLED +packers/peid.yar|DISABLED +antidebug_antivm|DISABLED +) #END yararulesproject DATABASES + +declare -a yararulesproject_dbs_catagories=( +#LOW +cve_rules|LOW +exploit_kits|LOW +malware|LOW +webshells|LOW +#MEDIUM +email|MEDIUM +maldocs|MEDIUM +# HIGH +capabilities|HIGH +crypto|HIGH +packers|HIGH +) + + +# ========================= +# Additional signature databases +# ========================= +# Additional signature databases can be specified here in the following +# format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in +# place of the "FILE-NAME" to download all files from specified location, +# but this *ONLY* works for files downloaded via rsync). For non-rsync +# downloads, wget and curl is used. For download protocols supported by +# wget and curl, see "man wget" and "man curl". +# This also works well for locations that have many ClamAV +# servers that use 3rd party signature databases, as only one server need +# download the remote databases, and all others can update from the local +# mirrors copy. See format examples below. To use, remove the comments +# and examples shown and add your own sites between the quote marks. 
+#declare -a additional_dbs=( +# rsync://192.168.1.50/new-db/sigs.hdb +# rsync://rsync.example.com/all-dbs/ +# ftp://ftp.example.net/pub/sigs.ndb +# http://www.example.org/sigs.ldb +#) #END ADDITIONAL DATABASES + +# ================================================== +# ================================================== +# D E B U G O P T I O N S +# ================================================== +# ================================================== + +# Enable debugging, will cause all options below to enable +debug="no" + +# Causes the xshok_file_download function to be verbose, used for debugging +downloader_debug="no" + +# Causes clamscan signature test errors to be vebose +clamscan_debug="no" + +# Causes curl errors to be vebose +curl_debug="no" + +# Causes wget errors to be vebose +wget_debug="no" + +# Causes rsync errors to be vebose +rsync_debug="no" + +# ================================================== +# ================================================== +# A D V A N C E D O P T I O N S +# ================================================== +# ================================================== + +# Branch for update checking, default: master +git_branch="master" + +# Enable support for script and master.conf upgrades +# enbles the --upgrade command line option +# packagers, if required please disable or set this option to no in the os.conf +allow_upgrades="yes" + +# Enable support for script and master.conf update checks +# packagers, if required please disable or set this option to no in the os.conf +allow_update_checks="yes" + +# How often the script should check for updates +update_check_hours="12"# Default is 12 hours (2 checks daily). + +# Enable or disable download time randomization. This allows the script to +# be executed via cron, but the actual database file checking will pause +# for a random number of seconds between the "min" and "max" time settings +# specified below. 
This helps to more evenly distribute load on the host +# download sites. To disable, set the following variable to "no". +enable_random="yes" + +# Enable to prevent issues with multiple instances running +# To disable, set the following variable to "no". +enable_locking="yes" + +# If download time randomization is enabled above (enable_random="yes"), +# then set the min and max radomization time intervals (in seconds). +max_sleep_time="600" # Default maximum is 600 seconds (10 minutes). +min_sleep_time="60" # Default minimum is 60 seconds (1 minute). + +# Command to do a full clamd service stop/start +#clamd_restart_opt="service clamd restart" + +# Custom Command Paths, these are detected with the which command when not set +#clamscan_bin="/usr/bin/clamscan" +#curl_bin="/usr/bin/curl" +#gpg_bin="/usr/bin/gpg" +#rsync_bin="/usr/bin/rsync" +#tar_bin="/usr/bin/tar" +#uname_bin="/usr/bin/uname" +#wget_bin="/usr/bin/wget" +#dig_bin="usr/bin/dig" +#host_bin="/usr/bin/host" + +# force wget, by default curl is used when curl and wget is present. +force_wget="no" + +# force host, by default dig is used when dig and host is present. +force_host="no" + +# GnuPG / Signature verification +# To disable usage of gpg, set the following variable to "no". +# If gpg_bin cannot be found, enable_gpg will automatically disable +enable_gpg="yes" + +# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and +# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module +# are installed on the system, and you want to report whether clamd +# is running or not, uncomment the "clamd_socket" variable below (you +# will be warned if neither socat nor IO::Socket::UNIX are found, but +# the script will still run). You will also need to set the correct +# path to your clamd socket file (if unsure of the path, check the +# "LocalSocket" setting in your clamd.conf file for socket location). 
+#clamd_socket="/tmp/clamd.socket" + +# Set rsync connection and data transfer timeout limits in seconds. +# The defaults settings here are reasonable, only change if you are +# experiencing timeout issues. +rsync_connect_timeout="60" +rsync_max_time="180" + +# HTTPS validation +# Uncomment to allow and ignore SSL errors leading to insecure transfers +# downloader_ignore_ssl_errors="yes" # Default is "no" + +# Set downloader connection, data transfer timeout limits in seconds. +# The defaults settings here are reasonable, only change if you are +# experiencing timeout issues. +downloader_connect_timeout="60" +downloader_max_time="1800" + +# Set downloader retry count for failed transfers +downloader_tries="5" + +# Set working directory paths (edit to meet your own needs). If these +# directories do not exist, the script will attempt to create them. +# Always located inside the work_dir, do not add / +# Sub-directory names: +add_dir="dbs-add" # User defined databases sub-directory +gpg_dir="gpg-key" # Sanesecurity GPG Key sub-directory +interserver_dir="dbs-is" # interServer sub-directory +linuxmalwaredetect_dir="dbs-lmd" # Linux Malware Detect sub-directory +malwareexpert_dir="dbs-me" # Malware Expert sub-directory +malwarepatrol_dir="dbs-mbl" # MalwarePatrol sub-directory +pid_dir="pid" # User defined pid sub-directory +sanesecurity_dir="dbs-ss" # Sanesecurity sub-directory +securiteinfo_dir="dbs-si" # SecuriteInfo sub-directory +urlhaus_dir="dbs-uh" # urlhaus sub-directory +work_dir_configs="configs" # Script configs sub-directory +yararulesproject_dir="dbs-yara" # Yara-Rules sub-directory + +# If you would like to make a backup copy of the current running database +# file before updating, leave the following variable set to "yes" and a +# backup copy of the file will be created in the production directory +# with -bak appended to the file name. +keep_db_backup="no" + +# When a database integrity has tested BAD, the failed database will be removed. 
+remove_bad_database="yes" + +# When a database is disabled we will remove the associated database files. +remove_disabled_databases="yes" # Default is "yes" + +# Enable SELinux fixes, ie. running restorecon on the database files. +# **Run the following command as root to enable clamav selinux support** +# setsebool -P antivirus_can_scan_system true +# +selinux_fixes="no" # Default is "no" ignore ssl errors and warnings + +# Proxy Support +# If necessary to proxy database downloads, define the rsync, curl, wget, dig, hosr proxy settings here. +#rsync_proxy="username:password@proxy_host:proxy_port" +# Define rsync to use netcat for socks tunnel +#rsync_connect_prog="nc -X 5 -x socksproxy_host:socksproxy_port %H 873" +#curl_proxy="--proxy http://username:password@proxy_host:proxy_port" +#wget_proxy="-e http_proxy=http://username:password@proxy_host:proxy_port -e https_proxy=https://username:password@proxy_host:proxy_port" +#dig_proxy="@proxy_host -p proxy_host:proxy_port" +#host_proxy="@proxy_host" #does not support port + +# Custom Cron install settings, these are detected and only used if you want to override +# the automatic detection and generation of the values when not set, this is mainly to aid package maintainers +#cron_bash="" #default: detected with the which command +#cron_dir="" #default: /etc/cron.d +#cron_filename="" #default: clamav-unofficial-sigs +#cron_minute="" #default: random value between 0-59 +#cron_script_full_path="" #default: detected to the fullpath of the script +#cron_sudo="no" #default no, yes will append sudo -u before the username +#cron_user="" #default: uses the clam_user + +# Custom logrotate install settings, these are detected and only used if you want to override +# the automatic detection and generation of the values when not set, this is mainly to aid package maintainers +#logrotate_dir="" #default: /etc/logrotate.d +#logrotate_filename="" #default: clamav-unofficial-sigs +#logrotate_group="" #default: uses the clam_group 
+#logrotate_log_file_full_path="" #default: detected to the $log_file_path/$log_file_name +#logrotate_user="" #default: uses the clam_user + +# Custom man install settings, these are detected and only used if you want to override +# the automatic detection and generation of the values when not set, this is mainly to aid package maintainers +#man_dir="" #default: /usr/share/man/man8 +#man_filename="" #default: clamav-unofficial-sigs.8 + +# Provided two variables that package and port maintainers can use in order to +# prevent the script from removing itself with the '-r' flag +# If the script was installed via a package manager like yum, apt, pkg, etc. +# The script will instead provide feedback to the user about how to uninstall the package. +#pkg_mgr="" #the package manager name +#pkg_rm="" #the package manager command to remove the script + +# Custom full working directory paths, these are detected and only used if you want to override +# the automatic detection and generation of the values when not set, this is mainly to aid package maintainers +#work_dir_add="" #default: uses work_dir/add_dir +#work_dir_gpg="" #default: uses work_dir/gpg_dir +#work_dir_interserver="" #default: uses work_dir/interserver_dir +#work_dir_linuxmalwaredetect="" #default: uses work_dir/linuxmalwaredetect_dir +#work_dir_malwareexpert="" #default: uses work_dir/malwareexpert_dir +#work_dir_malwarepatrol="" #default: uses work_dir/malwarepatrol_dir +#work_dir_pid="" #default: uses work_dir/pid_dir +#work_dir_sanesecurity="" #default: uses work_dir/sanesecurity_dir +#work_dir_securiteinfo="" #default: uses work_dir/securiteinfo_dir +#work_dir_urlhaus="" #default: uses work_dir/urlhaus_dir +#work_dir_work_configs="" #default: uses work_dir/work_dir_configs +#work_dir_yararulesproject="" #default: uses work_dir/yararulesproject_dir + +# ======================== +# After you have completed the configuration of this file, set the value to "yes" +user_configuration_complete="no" + +# 
======================== +# DO NOT EDIT ! +# Database provider URLs +interserver_url="https://sigs.interserver.net" +linuxmalwaredetect_sigpack_url="https://cdn.rfxn.com/downloads/maldet-sigpack.tgz" +linuxmalwaredetect_version_url="https://cdn.rfxn.com/downloads/maldet.sigs.ver" +malwareexpert_url="https://signatures.malware.expert" +malwarepatrol_url="https://lists.malwarepatrol.net/cgi/getfile" +sanesecurity_gpg_url="https://www.sanesecurity.com/publickey.gpg" +sanesecurity_url="rsync.sanesecurity.net" +securiteinfo_url="https://www.securiteinfo.com/get/signatures" +urlhaus_url="https://urlhaus.abuse.ch/downloads" +yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master" + +# ======================== +# DO NOT EDIT ! +config_version="97" + +################################################################################ +# +# DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! DO NOT EDIT THIS FILE !! +# +################################################################################ +# https://eXtremeSHOK.com ###################################################### diff --git a/clamav-unofficial-sigs/os.conf b/clamav-unofficial-sigs/os.conf new file mode 100644 index 0000000..17c142b --- /dev/null +++ b/clamav-unofficial-sigs/os.conf 
@@ -0,0 +1,39 @@
+# This file contains os configuration settings for clamav-unofficial-sigs.sh
+###################
+# This is property of eXtremeSHOK.com
+# You are free to use, modify and distribute, however you may not remove this notice.
+# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
+# License: BSD (Berkeley Software Distribution)
+##################
+#
+# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
+#
+##################
+#
+# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
+#
+################################################################################
+# SEE MASTER.CONF FOR CONFIG EXPLANATIONS
+################################################################################
+# Rename to os.conf to enable this file
+################################################################################
+
+# RHEL/CentOS 7+, using ClamAV packages from EPEL
+
+clam_user="amavis"
+clam_group="amavis"
+
+clam_dbs="/var/lib/clamav"
+
+clamd_pid="/var/run/clamd.scan/clamd.pid"
+
+clamd_restart_opt="systemctl restart clamd"
+
+clamd_socket="/var/run/clamav/clamd.sock"
+
+clamd_reload_opt="clamdscan --config-file=/etc/clamd.d/scan.conf --reload"
+
+# By default clamupdate has no permissions to run service restarts
+reload_dbs="no"
+
+# https://eXtremeSHOK.com ######################################################
diff --git a/clamav-unofficial-sigs/user.conf b/clamav-unofficial-sigs/user.conf
new file mode 100644
index 0000000..04bcb69
--- /dev/null
+++ b/clamav-unofficial-sigs/user.conf
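Review bot: `clamd_pid="/var/run/clamd.scan/clamd.pid"` and the `--config-file=/etc/clamd.d/scan.conf` in `clamd_reload_opt` follow the packaged clamd.scan layout, while the clamd.conf added in this same commit sets `PidFile /var/run/clamav/clamd.pid`; only `clamd_socket` agrees with its `LocalSocket`. If the daemon that actually runs is the one configured by that clamd.conf, the updater would be checking a PID file and reloading through a config that daemon does not use, so I would align them, e.g. `clamd_pid="/var/run/clamav/clamd.pid"`, and point `--config-file` at the file clamd is started with. With `reload_dbs="no"` and `SelfCheck 43200` in clamd.conf, newly downloaded signatures are presumably picked up only at the next 12-hour self-check, which deserves a comment stating that this delay is intended. The comment above `reload_dbs` still names clamupdate although `clam_user` is amavis; reword it to name the account that runs the updater on this host.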
@@ -0,0 +1,67 @@
+# This file contains user configuration settings for clamav-unofficial-sigs.sh
+###################
+# This is property of eXtremeSHOK.com
+# You are free to use, modify and distribute, however you may not remove this notice.
+# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
+# License: BSD (Berkeley Software Distribution)
+##################
+#
+# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
+#
+##################
+#
+# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
+#
+################################################################################
+# SEE MASTER.CONF FOR CONFIG EXPLANATIONS
+################################################################################
+
+# Values in this file will always override those in the master.conf and os.conf files.
+# This is useful to specify your authorisation/receipt codes and to always force certain options.
+# Please note, it is your responsibility to manage the contents of this file.
+# Values provided here are just examples, feel free to use any values from the main config file.
+
+# set to no to enable the commercial subscription url
+#malwarepatrol_free="yes"
+#malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
+# if the malwarepatrol_product_code is not 8 the malwarepatrol_free is set to no (non-free)
+#malwarepatrol_product_code="8"
+#malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
+
+#securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
+# Enable if you have a commercial/premium/non-free subscription
+#securiteinfo_premium="yes"
+
+# Default dbs rating (Default: MEDIUM)
+# valid rating: LOW, MEDIUM, HIGH
+#default_dbs_rating="HIGH"
+
+# Per Database
+# These ratings will override the global rating for the specific database
+# valid rating: LOW, MEDIUM, HIGH, DISABLE
+#linuxmalwaredetect_dbs_rating="HIGH"
+#sanesecurity_dbs_rating="HIGH"
+#securiteinfo_dbs_rating="HIGH"
+#urlhaus_dbs_rating="HIGH"
+#yararulesproject_dbs_rating="HIGH"
+
+# =========================
+# Additional signature databases
+# =========================
+#declare -a additional_dbs=(
+# ftp://ftp.example.net/pub/sigs.ndb
+# http://www.example.org/sigs.ldb
+#) #END ADDITIONAL DATABASES
+
+# Uncomment the following line to enable the script
+user_configuration_complete="yes"
+
+# Proxy Support
+# If necessary to proxy database downloads, define the rsync, curl, wget, dig, hosr proxy settings here.
+#curl_proxy="--proxy http://username:password@proxy_host:proxy_port"
+#dig_proxy="@proxy_host -p proxy_host:proxy_port"
+#host_proxy="@proxy_host" #does not support port
+#rsync_proxy="username:password@proxy_host:proxy_port"
+#wget_proxy="-e http_proxy=http://username:password@proxy_host:proxy_port -e https_proxy=https://username:password@proxy_host:proxy_port"
+
+# https://eXtremeSHOK.com ######################################################
diff --git a/clamd.conf b/clamd.conf
new file mode 100644
index 0000000..d3d6e17
--- /dev/null
+++ b/clamd.conf
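Review bot: user.conf is the file its own header designates for authorisation/receipt codes, and the `curl_proxy`, `rsync_proxy` and `wget_proxy` templates carry `username:password`, yet the file is added with mode 100644 inside a version-controlled configuration tree. Once `securiteinfo_authorisation_signature`, `malwarepatrol_receipt_code` or a proxy password is filled in, the value would be world-readable on the host and kept in the history of every clone. I would add a header comment such as `# Holds subscription codes and proxy credentials: keep readable only by the updater account and review before pushing this repository`, and tighten the file mode to match. Separately, `# Uncomment the following line to enable the script` sits above a line that is already active; `# Set to "yes" to enable the script` would describe it correctly.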
@@ -0,0 +1,452 @@ +## +## Example config file for the Clam AV daemon +## Please read the clamd.conf(5) manual before editing this file. +## + + +# Comment or remove the line below. +#Example + +# Uncomment this option to enable logging. +# LogFile must be writable for the user running daemon. +# A full path is required. +# Default: disabled +LogFile /var/log/clamav/clamd.log + +# By default the log file is locked for writing - the lock protects against +# running clamd multiple times (if want to run another clamd, please +# copy the configuration file, change the LogFile variable, and run +# the daemon with --config-file option). +# This option disables log file locking. +# Default: no +#LogFileUnlock yes + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size +# in bytes just don't use modifiers. +# Default: 1M +LogFileMaxSize 0 + +# Log time with each message. +# Default: no +LogTime yes + +# Also log clean files. Useful in debugging but drastically increases the +# log size. +# Default: no +LogClean no + +# Use system logger (can work together with LogFile). +# Default: no +LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# Default: LOG_LOCAL6 +LogFacility LOG_MAIL + +# Enable verbose logging. +# Default: no +LogVerbose yes + +# Log additional information about the infected file, such as its +# size and hash, together with the virus name. +ExtendedDetectionInfo yes + +# This option allows you to save a process identifier of the listening +# daemon (main thread). +# Default: disabled +PidFile /var/run/clamav/clamd.pid + +# Optional path to the global temporary directory. +# Default: system specific (usually /tmp or /var/tmp). +TemporaryDirectory /var/tmp + +# Path to the database directory. 
+# Default: hardcoded (depends on installation options) +DatabaseDirectory /var/lib/clamav + +# Only load the official signatures published by the ClamAV project. +# Default: no +#OfficialDatabaseOnly no + +# The daemon can work in local mode, network mode or both. +# Due to security reasons we recommend the local mode. + +# Path to a local socket file the daemon will listen on. +# Default: disabled (must be specified by a user) +LocalSocket /var/run/clamav/clamd.sock + +# Sets the group ownership on the unix socket. +# Default: disabled (the primary group of the user running clamd) +#LocalSocketGroup virusgroup + +# Sets the permissions on the unix socket to the specified mode. +# Default: disabled (socket is world accessible) +#LocalSocketMode 660 + +# Remove stale socket after unclean shutdown. +# Default: yes +FixStaleSocket yes + +# TCP port address. +# Default: no +TCPSocket 3310 + +# TCP address. +# By default we bind to INADDR_ANY, probably not wise. +# Enable the following to provide some degree of protection +# from the outside world. +# Default: no +TCPAddr 127.0.0.1 + +# Maximum length the queue of pending connections may grow to. +# Default: 200 +MaxConnectionQueueLength 30 + +# Clamd uses FTP-like protocol to receive data from remote clients. +# If you are using clamav-milter to balance load between remote clamd daemons +# on firewall servers you may need to tune the options below. + +# Close the connection when the data size limit is exceeded. +# The value should match your MTA's limit for a maximum attachment size. +# Default: 25M +StreamMaxLength 10M + +# Limit port range. +# Default: 1024 +#StreamMinPort 30000 +# Default: 2048 +#StreamMaxPort 32000 + +# Maximum number of threads running at the same time. +# Default: 10 +MaxThreads 5 + +# Waiting for data from a client socket will timeout after this time (seconds). 
+# Default: 120 +ReadTimeout 120 + +# This option specifies the time (in seconds) after which clamd should +# timeout if a client doesn't provide any initial command after connecting. +# Default: 5 +CommandReadTimeout 5 + +# This option specifies how long to wait (in miliseconds) if the send buffer is full. +# Keep this value low to prevent clamd hanging +# +# Default: 500 +SendBufTimeout 200 + +# Maximum number of queued items (including those being processed by MaxThreads threads) +# It is recommended to have this value at least twice MaxThreads if possible. +# WARNING: you shouldn't increase this too much to avoid running out of file descriptors, +# the following condition should hold: +# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024) +# +# Default: 100 +MaxQueue 50 + +# Waiting for a new job will timeout after this time (seconds). +# Default: 30 +IdleTimeout 10 + +# Don't scan files and directories matching regex +# This directive can be used multiple times +# Default: scan all +#ExcludePath ^/proc/ +#ExcludePath ^/sys/ + +# Maximum depth directories are scanned at. +# Default: 15 +#MaxDirectoryRecursion 20 + +# Follow directory symlinks. +# Default: no +#FollowDirectorySymlinks yes + +# Follow regular file symlinks. +# Default: no +#FollowFileSymlinks yes + +# Scan files and directories on other filesystems. +# Default: yes +CrossFilesystems yes + +# Perform a database check. +# Default: 600 (10 min) +SelfCheck 43200 + +# Execute a command when virus is found. In the command string %v will +# be replaced with the virus name. +# Default: no +#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v" + +# Run as another user (clamd must be started by root for this option to work) +# Default: don't drop privileges +User amavis + +# Initialize supplementary group access (clamd must be started by root). +# Default: no +#AllowSupplementaryGroups yes + +# Stop daemon when libclamav reports out of memory condition. 
+ExitOnOOM yes + +# Don't fork into background. +# Default: no +#Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Do not remove temporary files (for debug purposes). +# Default: no +LeaveTemporaryFiles no + +# Detect Possibly Unwanted Applications. +# Default: no +DetectPUA yes + +# Exclude a specific PUA category. This directive can be used multiple times. +# See http://www.clamav.net/support/pua for the complete list of PUA +# categories. +# Default: Load all categories (if DetectPUA is activated) +#ExcludePUA NetTool +#ExcludePUA PWTool + +# Only include a specific PUA category. This directive can be used multiple +# times. +# Default: Load all categories (if DetectPUA is activated) +IncludePUA Spy +IncludePUA Scanner +IncludePUA RAT +IncludePUA Packed +IncludePUA PwTool +IncludePUA NetTool +IncludePUA P2P +IncludePUA IRC +IncludePUA Tool +IncludePUA Server +IncludePUA Script + +# In some cases (eg. complex malware, exploits in graphic files, and others), +# ClamAV uses special algorithms to provide accurate detection. This option +# controls the algorithmic detection. +# Default: yes +AlgorithmicDetection yes + + +## +## Executable files +## + +# PE stands for Portable Executable - it's an executable file format used +# in all 32 and 64-bit versions of Windows operating systems. This option allows +# ClamAV to perform a deeper analysis of executable files and it's also +# required for decompression of popular executable packers such as UPX, FSG, +# and Petite. +# Default: yes +ScanPE yes + +# Executable and Linking Format is a standard format for UN*X executables. +# This option allows you to control the scanning of ELF files. +# Default: yes +ScanELF yes + +# With this option clamav will try to detect broken executables (both PE and +# ELF) and mark them as Broken.Executable. 
+# Default: no +#DetectBrokenExecutables yes + + +## +## Documents +## + +# This option enables scanning of OLE2 files, such as Microsoft Office +# documents and .msi files. +# Default: yes +ScanOLE2 yes + + +# With this option enabled OLE2 files with VBA macros, which were not +# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". +# Default: no +OLE2BlockMacros yes + +# This option enables scanning within PDF files. +# Default: yes +ScanPDF yes + + +## +## Mail files +## + +# Enable internal e-mail scanner. +# Default: yes +ScanMail yes + +# Scan RFC1341 messages split over many emails. +# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. +# WARNING: This option may open your system to a DoS attack. +# Never use it on loaded servers. +# Default: no +ScanPartialMessages no + + +# With this option enabled ClamAV will try to detect phishing attempts by using +# signatures. +# Default: yes +PhishingSignatures yes + +# Scan URLs found in mails for phishing attempts using heuristics. +# Default: yes +PhishingScanURLs yes + +# Always block SSL mismatches in URLs, even if the URL isn't in the database. +# This can lead to false positives. +# +# Default: no +PhishingAlwaysBlockSSLMismatch no + +# Always block cloaked URLs, even if URL isn't in database. +# This can lead to false positives. +# +# Default: no +PhishingAlwaysBlockCloak no + +# Allow heuristic match to take precedence. +# When enabled, if a heuristic scan (such as phishingScan) detects +# a possible virus/phish it will stop scan immediately. Recommended, saves CPU +# scan-time. +# When disabled, virus/phish detected by heuristic scans will be reported only at +# the end of a scan. If an archive contains both a heuristically detected +# virus/phish, and a real malware, the real malware will be reported +# +# Keep this disabled if you intend to handle "*.Heuristics.*" viruses +# differently from "real" malware. 
+# If a non-heuristically-detected virus (signature-based) is found first, +# the scan is interrupted immediately, regardless of this config option. +# +# Default: no +HeuristicScanPrecedence no + +## +## Data Loss Prevention (DLP) +## + +# Enable the DLP module +# Default: No +StructuredDataDetection no + +# This option sets the lowest number of Credit Card numbers found in a file +# to generate a detect. +# Default: 3 +#StructuredMinCreditCardCount 5 + +# This option sets the lowest number of Social Security Numbers found +# in a file to generate a detect. +# Default: 3 +#StructuredMinSSNCount 5 + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxx-yy-zzzz +# Default: yes +StructuredSSNFormatNormal no + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxxyyzzzz +# Default: no +StructuredSSNFormatStripped no + + +## +## HTML +## + +# Perform HTML normalisation and decryption of MS Script Encoder code. +# Default: yes +ScanHTML yes + + +## +## Archives +## + +# ClamAV can scan within archives and compressed files. +# Default: yes +ScanArchive yes + +# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). +# Default: no +ArchiveBlockEncrypted no + + +## +## Limits +## + +# The options below protect your system against Denial of Service attacks +# using archive bombs. + +# This option sets the maximum amount of data to be scanned for each input file. +# Archives and other containers are recursively extracted and scanned up to this +# value. +# Value of 0 disables the limit +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 100M +MaxScanSize 50M + +# Files larger than this limit won't be scanned. Affects the input file itself +# as well as files contained inside it (when the input file is an archive, a +# document or some other kind of container). +# Value of 0 disables the limit. 
+# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 25M +MaxFileSize 30M + +# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR +# file, all files within it will also be scanned. This options specifies how +# deeply the process should be continued. +# Note: setting this limit too high may result in severe damage to the system. +# Default: 16 +MaxRecursion 10 + +# Number of files to be scanned within an archive, a document, or any other +# container file. +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10000 +#MaxFiles 15000 + +# With this option enabled ClamAV will load bytecode from the database. +# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses. +# Default: yes +Bytecode yes + +# Set bytecode security level. +# Possible values: +# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS +# This value is only available if clamav was built with --enable-debug! +# TrustSigned - trust bytecode loaded from signed .c[lv]d files, +# insert runtime safety checks for bytecode loaded from other sources +# Paranoid - don't trust any bytecode, insert runtime checks for all +# Recommended: TrustSigned, because bytecode in .cvd files already has these checks +# Note that by default only signed bytecode is loaded, currently you can only +# load unsigned bytecode in --enable-debug mode. +# +# Default: TrustSigned +BytecodeSecurity TrustSigned + +# Set bytecode timeout in miliseconds. +# +# Default: 5000 +BytecodeTimeout 3000 diff --git a/clamd.conf.rpmnew b/clamd.conf.rpmnew new file mode 100644 index 0000000..a1ca9ec --- /dev/null +++ b/clamd.conf.rpmnew 
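Review bot: `LocalSocket /var/run/clamav/clamd.sock` and `TCPSocket 3310` are both enabled while `#LocalSocketGroup` and `#LocalSocketMode 660` stay commented, which by the file's own comment leaves the socket world accessible; clamd does not authenticate its clients, so every local account can reach the daemon on either endpoint. If only the amavis content filter talks to clamd, set `LocalSocketMode 660` with `LocalSocketGroup amavis` and comment out `TCPSocket`/`TCPAddr`, since binding to 127.0.0.1 keeps remote hosts out but not local users. `LogFileMaxSize 0` together with `LogVerbose yes` removes the size cap on /var/log/clamav/clamd.log, so confirm that log rotation covers that file. `StreamMaxLength 10M` is lower than `MaxFileSize 30M`, and a one-line comment recording the MTA attachment limit it is meant to match would show whether that gap is intended.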
@@ -0,0 +1,791 @@
+##
+## Example config file for the Clam AV daemon
+## Please read the clamd.conf(5) manual before editing this file.
+##
+
+
+# Comment or remove the line below.
+Example
+
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+# Default: disabled
+#LogFile /tmp/clamd.log
+
+# By default the log file is locked for writing - the lock protects against
+# running clamd multiple times (if want to run another clamd, please
+# copy the configuration file, change the LogFile variable, and run
+# the daemon with --config-file option).
+# This option disables log file locking.
+# Default: no
+#LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
+# rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+#LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+#LogTime yes
+
+# Also log clean files. Useful in debugging but drastically increases the
+# log size.
+# Default: no
+#LogClean yes
+
+# Use system logger (can work together with LogFile).
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# Enable Prelude output.
+# Default: no
+#PreludeEnable yes
+#
+# Set the name of the analyzer used by prelude-admin.
+# Default: ClamAV
+#PreludeAnalyzerName ClamAV
+
+# Log additional information about the infected file, such as its
+# size and hash, together with the virus name.
+#ExtendedDetectionInfo yes
+
+# This option allows you to save a process identifier of the listening
+# daemon (main thread).
+# This file will be owned by root, as long as clamd was started by root.
+# It is recommended that the directory where this file is stored is
+# also owned by root to keep other users from tampering with it.
+# Default: disabled
+#PidFile /var/run/clamd.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+#TemporaryDirectory /var/tmp
+
+# Path to the database directory.
+# Default: hardcoded (depends on installation options)
+#DatabaseDirectory /var/lib/clamav
+
+# Only load the official signatures published by the ClamAV project.
+# Default: no
+#OfficialDatabaseOnly no
+
+# The daemon can work in local mode, network mode or both.
+# Due to security reasons we recommend the local mode.
+
+# Path to a local socket file the daemon will listen on.
+# Default: disabled (must be specified by a user)
+#LocalSocket /tmp/clamd.socket
+
+# Sets the group ownership on the unix socket.
+# Default: disabled (the primary group of the user running clamd)
+#LocalSocketGroup virusgroup
+
+# Sets the permissions on the unix socket to the specified mode.
+# Default: disabled (socket is world accessible)
+#LocalSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+# Default: yes
+#FixStaleSocket yes
+
+# TCP port address.
+# Default: no
+#TCPSocket 3310
+
+# TCP address.
+# By default we bind to INADDR_ANY, probably not wise.
+# Enable the following to provide some degree of protection
+# from the outside world. This option can be specified multiple
+# times if you want to listen on multiple IPs. IPv6 is now supported.
+# Default: no
+#TCPAddr 127.0.0.1
+
+# Maximum length the queue of pending connections may grow to.
+# Default: 200
+#MaxConnectionQueueLength 30
+
+# Clamd uses FTP-like protocol to receive data from remote clients.
+# If you are using clamav-milter to balance load between remote clamd daemons
+# on firewall servers you may need to tune the options below.
+
+# Close the connection when the data size limit is exceeded.
+# The value should match your MTA's limit for a maximum attachment size.
+# Default: 25M
+#StreamMaxLength 10M
+
+# Limit port range.
+# Default: 1024
+#StreamMinPort 30000
+# Default: 2048
+#StreamMaxPort 32000
+
+# Maximum number of threads running at the same time.
+# Default: 10
+#MaxThreads 20
+
+# Waiting for data from a client socket will timeout after this time (seconds).
+# Default: 120
+#ReadTimeout 300
+
+# This option specifies the time (in seconds) after which clamd should
+# timeout if a client doesn't provide any initial command after connecting.
+# Default: 30
+#CommandReadTimeout 30
+
+# This option specifies how long to wait (in milliseconds) if the send buffer
+# is full.
+# Keep this value low to prevent clamd hanging.
+#
+# Default: 500
+#SendBufTimeout 200
+
+# Maximum number of queued items (including those being processed by
+# MaxThreads threads).
+# It is recommended to have this value at least twice MaxThreads if possible.
+# WARNING: you shouldn't increase this too much to avoid running out of file
+# descriptors, the following condition should hold:
+# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
+# max is 1024).
+#
+# Default: 100
+#MaxQueue 200
+
+# Waiting for a new job will timeout after this time (seconds).
+# Default: 30
+#IdleTimeout 60
+
+# Don't scan files and directories matching regex
+# This directive can be used multiple times
+# Default: scan all
+#ExcludePath ^/proc/
+#ExcludePath ^/sys/
+
+# Maximum depth directories are scanned at.
+# Default: 15
+#MaxDirectoryRecursion 20
+
+# Follow directory symlinks.
+# Default: no
+#FollowDirectorySymlinks yes
+
+# Follow regular file symlinks.
+# Default: no
+#FollowFileSymlinks yes
+
+# Scan files and directories on other filesystems.
+# Default: yes
+#CrossFilesystems yes
+
+# Perform a database check.
+# Default: 600 (10 min)
+#SelfCheck 600
+
+# Enable non-blocking (multi-threaded/concurrent) database reloads.
+# This feature will temporarily load a second scanning engine while scanning
+# continues using the first engine. Once loaded, the new engine takes over.
+# The old engine is removed as soon as all scans using the old engine have
+# completed.
+# This feature requires more RAM, so this option is provided in case users are
+# willing to block scans during reload in exchange for lower RAM requirements.
+# Default: yes
+#ConcurrentDatabaseReload no
+
+# Execute a command when virus is found. In the command string %v will
+# be replaced with the virus name.
+# Default: no
+#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
+
+# Run as another user (clamd must be started by root for this option to work)
+# Default: don't drop privileges
+#User clamav
+
+# Stop daemon when libclamav reports out of memory condition.
+#ExitOnOOM yes
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Do not remove temporary files (for debug purposes).
+# Default: no
+#LeaveTemporaryFiles yes
+
+# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
+# any ALLMATCHSCAN command as invalid.
+# Default: yes
+#AllowAllMatchScan no
+
+# Detect Possibly Unwanted Applications.
+# Default: no
+#DetectPUA yes
+
+# Exclude a specific PUA category. This directive can be used multiple times.
+# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
+# the complete list of PUA categories.
+# Default: Load all categories (if DetectPUA is activated)
+#ExcludePUA NetTool
+#ExcludePUA PWTool
+
+# Only include a specific PUA category. This directive can be used multiple
+# times.
+# Default: Load all categories (if DetectPUA is activated)
+#IncludePUA Spy
+#IncludePUA Scanner
+#IncludePUA RAT
+
+# This option causes memory or nested map scans to dump the content to disk.
+# If you turn on this option, more data is written to disk and is available
+# when the LeaveTemporaryFiles option is enabled.
+#ForceToDisk yes
+
+# This option allows you to disable the caching feature of the engine. By
+# default, the engine will store an MD5 in a cache of any files that are
+# not flagged as virus or that hit limits checks. Disabling the cache will
+# have a negative performance impact on large scans.
+# Default: no
+#DisableCache yes
+
+# In some cases (eg. complex malware, exploits in graphic files, and others),
+# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
+# may be malicious. This option enables alerting on such heuristically
+# detected potential threats.
+# Default: yes
+#HeuristicAlerts yes
+
+# Allow heuristic alerts to take precedence.
+# When enabled, if a heuristic scan (such as phishingScan) detects
+# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
+# scan-time.
+# When disabled, virus/phish detected by heuristic scans will be reported only
+# at the end of a scan. If an archive contains both a heuristically detected
+# virus/phish, and a real malware, the real malware will be reported
+#
+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
+# differently from "real" malware.
+# If a non-heuristically-detected virus (signature-based) is found first,
+# the scan is interrupted immediately, regardless of this config option.
+#
+# Default: no
+#HeuristicScanPrecedence yes
+
+
+##
+## Heuristic Alerts
+##
+
+# With this option clamav will try to detect broken executables (both PE and
+# ELF) and alert on them with the Broken.Executable heuristic signature.
+# Default: no
+#AlertBrokenExecutables yes
+
+# With this option clamav will try to detect broken media file (JPEG,
+# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
+# Default: no
+#AlertBrokenMedia yes
+
+# Alert on encrypted archives _and_ documents with heuristic signature
+# (encrypted .zip, .7zip, .rar, .pdf).
+# Default: no
+#AlertEncrypted yes
+
+# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
+# .rar).
+# Default: no
+#AlertEncryptedArchive yes
+
+# Alert on encrypted archives with heuristic signature (encrypted .pdf).
+# Default: no
+#AlertEncryptedDoc yes
+
+# With this option enabled OLE2 files containing VBA macros, which were not
+# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
+# Default: no
+#AlertOLE2Macros yes
+
+# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
+# This can lead to false positives.
+# Default: no
+#AlertPhishingSSLMismatch yes
+
+# Alert on cloaked URLs, even if URL isn't in database.
+# This can lead to false positives.
+# Default: no
+#AlertPhishingCloak yes
+
+# Alert on raw DMG image files containing partition intersections
+# Default: no
+#AlertPartitionIntersection yes
+
+
+##
+## Executable files
+##
+
+# PE stands for Portable Executable - it's an executable file format used
+# in all 32 and 64-bit versions of Windows operating systems. This option
+# allows ClamAV to perform a deeper analysis of executable files and it's also
+# required for decompression of popular executable packers such as UPX, FSG,
+# and Petite. If you turn off this option, the original files will still be
+# scanned, but without additional processing.
+# Default: yes
+#ScanPE yes
+
+# Certain PE files contain an authenticode signature. By default, we check
+# the signature chain in the PE file against a database of trusted and
+# revoked certificates if the file being scanned is marked as a virus.
+# If any certificate in the chain validates against any trusted root, but
+# does not match any revoked certificate, the file is marked as whitelisted.
+# If the file does match a revoked certificate, the file is marked as virus.
+# The following setting completely turns off authenticode verification.
+# Default: no
+#DisableCertCheck yes
+
+# Executable and Linking Format is a standard format for UN*X executables.
+# This option allows you to control the scanning of ELF files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanELF yes
+
+
+##
+## Documents
+##
+
+# This option enables scanning of OLE2 files, such as Microsoft Office
+# documents and .msi files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanOLE2 yes
+
+# This option enables scanning within PDF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanPDF yes
+
+# This option enables scanning within SWF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanSWF yes
+
+# This option enables scanning xml-based document files supported by libclamav.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanXMLDOCS yes
+
+# This option enables scanning of HWP3 files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanHWP3 yes
+
+
+##
+## Mail files
+##
+
+# Enable internal e-mail scanner.
+# If you turn off this option, the original files will still be scanned, but
+# without parsing individual messages/attachments.
+# Default: yes
+#ScanMail yes
+
+# Scan RFC1341 messages split over many emails.
+# You will need to periodically clean up $TemporaryDirectory/clamav-partial
+# directory.
+# WARNING: This option may open your system to a DoS attack.
+# Never use it on loaded servers.
+# Default: no
+#ScanPartialMessages yes
+
+# With this option enabled ClamAV will try to detect phishing attempts by using
+# HTML.Phishing and Email.Phishing NDB signatures.
+# Default: yes
+#PhishingSignatures no
+
+# With this option enabled ClamAV will try to detect phishing attempts by
+# analyzing URLs found in emails using WDB and PDB signature databases.
+# Default: yes
+#PhishingScanURLs no
+
+
+##
+## Data Loss Prevention (DLP)
+##
+
+# Enable the DLP module
+# Default: No
+#StructuredDataDetection yes
+
+# This option sets the lowest number of Credit Card numbers found in a file
+# to generate a detect.
+# Default: 3
+#StructuredMinCreditCardCount 5
+
+# With this option enabled the DLP module will search for valid Credit Card
+# numbers only. Debit and Private Label cards will not be searched.
+# Default: no
+#StructuredCCOnly yes
+
+# This option sets the lowest number of Social Security Numbers found
+# in a file to generate a detect.
+# Default: 3
+#StructuredMinSSNCount 5
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxx-yy-zzzz
+# Default: yes
+#StructuredSSNFormatNormal yes
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxxyyzzzz
+# Default: no
+#StructuredSSNFormatStripped yes
+
+
+##
+## HTML
+##
+
+# Perform HTML normalisation and decryption of MS Script Encoder code.
+# Default: yes
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+#ScanHTML yes
+
+
+##
+## Archives
+##
+
+# ClamAV can scan within archives and compressed files.
+# If you turn off this option, the original files will still be scanned, but
+# without unpacking and additional processing.
+# Default: yes
+#ScanArchive yes
+
+
+##
+## Limits
+##
+
+# The options below protect your system against Denial of Service attacks
+# using archive bombs.
+
+# This option sets the maximum amount of time to a scan may take.
+# In this version, this field only affects the scan time of ZIP archives.
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result allow scanning
+# of certain files to lock up the scanning process/threads resulting in a
+# Denial of Service.
+# Time is in milliseconds.
+# Default: 120000
+#MaxScanTime 300000
+
+# This option sets the maximum amount of data to be scanned for each input
+# file. Archives and other containers are recursively extracted and scanned
+# up to this value.
+# Value of 0 disables the limit
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 100M
+#MaxScanSize 150M
+
+# Files larger than this limit won't be scanned. Affects the input file itself
+# as well as files contained inside it (when the input file is an archive, a
+# document or some other kind of container).
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 25M
+#MaxFileSize 30M
+
+# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
+# file, all files within it will also be scanned. This options specifies how
+# deeply the process should be continued.
+# Note: setting this limit too high may result in severe damage to the system.
+# Default: 16
+#MaxRecursion 10
+
+# Number of files to be scanned within an archive, a document, or any other
+# container file.
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10000
+#MaxFiles 15000
+
+# Maximum size of a file to check for embedded PE. Files larger than this value
+# will skip the additional analysis step.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxEmbeddedPE 10M
+
+# Maximum size of a HTML file to normalize. HTML files larger than this value
+# will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxHTMLNormalize 10M
+
+# Maximum size of a normalized HTML file to scan. HTML files larger than this
+# value after normalization will not be scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 2M
+#MaxHTMLNoTags 2M
+
+# Maximum size of a script file to normalize. Script content larger than this
+# value will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 5M
+#MaxScriptNormalize 5M
+
+# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
+# than this value will skip the step to potentially reanalyze as PE.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 1M
+#MaxZipTypeRcg 1M
+
+# This option sets the maximum number of partitions of a raw disk image to be
+# scanned.
+# Raw disk images with more partitions than this value will have up to
+# the value number partitions scanned. Negative values are not allowed.
+# Note: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 50
+#MaxPartitions 128
+
+# This option sets the maximum number of icons within a PE to be scanned.
+# PE files with more icons than this value will have up to the value number
+# icons scanned.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 100
+#MaxIconsPE 200
+
+# This option sets the maximum recursive calls for HWP3 parsing during
+# scanning. HWP3 files using more than this limit will be terminated and
+# alert the user.
+# Scans will be unable to scan any HWP3 attachments if the recursive limit
+# is reached.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 16
+#MaxRecHWP3 16
+
+# This option sets the maximum calls to the PCRE match function during
+# an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user
+# but the scan will continue.
+# For more information on match_limit, see the PCRE documentation.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may severely impact performance.
+# Default: 100000
+#PCREMatchLimit 20000
+
+# This option sets the maximum recursive calls to the PCRE match function
+# during an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user
+# but the scan will continue.
+# For more information on match_limit_recursion, see the PCRE documentation.
+# Negative values are not allowed and values > PCREMatchLimit are superfluous.
+# WARNING: setting this limit too high may severely impact performance.
+# Default: 2000
+#PCRERecMatchLimit 10000
+
+# This option sets the maximum filesize for which PCRE subsigs will be
+# executed. Files exceeding this limit will not have PCRE subsigs executed
+# unless a subsig is encompassed to a smaller buffer.
+# Negative values are not allowed.
+# Setting this value to zero disables the limit.
+# WARNING: setting this limit too high or disabling it may severely impact
+# performance.
+# Default: 25M
+#PCREMaxFileSize 100M
+
+# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
+# MaxRecursion limit will be flagged with the virus
+# "Heuristics.Limits.Exceeded".
+# Default: no
+#AlertExceedsMax yes
+
+##
+## On-access Scan Settings
+##
+
+# Don't scan files larger than OnAccessMaxFileSize
+# Value of 0 disables the limit.
+# Default: 5M
+#OnAccessMaxFileSize 10M
+
+# Max number of scanning threads to allocate to the OnAccess thread pool at
+# startup. These threads are the ones responsible for creating a connection
+# with the daemon and kicking off scanning after an event has been processed.
+# To prevent clamonacc from consuming all clamd's resources keep this lower
+# than clamd's max threads.
+# Default: 5
+#OnAccessMaxThreads 10
+
+# Max amount of time (in milliseconds) that the OnAccess client should spend
+# for every connect, send, and recieve attempt when communicating with clamd
+# via curl.
+# Default: 5000 (5 seconds)
+# OnAccessCurlTimeout 10000
+
+# Toggles dynamic directory determination. Allows for recursively watching
+# include paths.
+# Default: no
+#OnAccessDisableDDD yes
+
+# Set the include paths (all files inside them will be scanned). You can have
+# multiple OnAccessIncludePath directives but each directory must be added
+# in a separate line.
+# Default: disabled
+#OnAccessIncludePath /home
+#OnAccessIncludePath /students
+
+# Set the exclude paths. All subdirectories are also excluded.
+# Default: disabled
+#OnAccessExcludePath /home/user
+
+# Modifies fanotify blocking behaviour when handling permission events.
+# If off, fanotify will only notify if the file scanned is a virus,
+# and not perform any blocking.
+# Default: no
+#OnAccessPrevention yes
+
+# When using prevention, if this option is turned on, any errors that occur
+# during scanning will result in the event attempt being denied. This could
+# potentially lead to unwanted system behaviour with certain configurations,
+# so the client defaults this to off and prefers allowing access events in
+# case of scan or connection error.
+# Default: no
+#OnAccessDenyOnError yes
+
+# Toggles extra scanning and notifications when a file or directory is
+# created or moved.
+# Requires the DDD system to kick-off extra scans.
+# Default: no
+#OnAccessExtraScanning yes
+
+# Set the mount point to be scanned. The mount point specified, or the mount
+# point containing the specified directory will be watched. If any directories
+# are specified, this option will preempt (disable and ignore all options
+# related to) the DDD system. This option will result in verdicts only.
+# Note that prevention is explicitly disallowed to prevent common, fatal
+# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
+# made on vital system directories)
+# It can be used multiple times.
+# Default: disabled
+#OnAccessMountPath /
+#OnAccessMountPath /home/user
+
+# With this option you can whitelist the root UID (0). Processes run under
+# root with be able to access all files without triggering scans or
+# permission denied events.
+# Note that if clamd cannot check the uid of the process that generated an
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
+# the process already exited), clamd will perform a scan. Thus, setting
+# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
+# root user from triggering a scan (unless OnAccessPrevention is enabled).
+# Default: no
+#OnAccessExcludeRootUID no
+
+# With this option you can whitelist specific UIDs. Processes with these UIDs
+# will be able to access all files without triggering scans or permission
+# denied events.
+# This option can be used multiple times (one per line).
+# Using a value of 0 on any line will disable this option entirely.
+# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
+# option.
+# Also note that if clamd cannot check the uid of the process that generated an
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
+# the process already exited), clamd will perform a scan. Thus, setting
+# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
+# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
+# Default: disabled
+#OnAccessExcludeUID -1
+
+# This option allows exclusions via user names when using the on-access
+# scanning client. It can be used multiple times.
+# It has the same potential race condition limitations of the
+# OnAccessExcludeUID option.
+# Default: disabled
+#OnAccessExcludeUname clamav
+
+# Number of times the OnAccess client will retry a failed scan due to
+# connection problems (or other issues).
+# Default: 0
+#OnAccessRetryAttempts 3
+
+##
+## Bytecode
+##
+
+# With this option enabled ClamAV will load bytecode from the database.
+# It is highly recommended you keep this option on, otherwise you'll miss
+# detections for many new viruses.
+# Default: yes
+#Bytecode yes
+
+# Set bytecode security level.
+# Possible values:
+# None - No security at all, meant for debugging.
+# DO NOT USE THIS ON PRODUCTION SYSTEMS.
+# This value is only available if clamav was built
+# with --enable-debug!
+# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
+# runtime safety checks for bytecode loaded from other sources.
+# Paranoid - Don't trust any bytecode, insert runtime checks for all.
+# Recommended: TrustSigned, because bytecode in .cvd files already has these
+# checks.
+# Note that by default only signed bytecode is loaded, currently you can only
+# load unsigned bytecode in --enable-debug mode.
+#
+# Default: TrustSigned
+#BytecodeSecurity TrustSigned
+
+# Allow loading bytecode from outside digitally signed .c[lv]d files.
+# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
+# Doing so may result in arbitrary code execution.
+# Default: no
+#BytecodeUnsigned yes
+
+# Set bytecode timeout in milliseconds.
+#
+# Default: 5000
+# BytecodeTimeout 1000
+
diff --git a/clamd.conf.rpmsave b/clamd.conf.rpmsave
new file mode 100644
index 0000000..d3d6e17
--- /dev/null
+++ b/clamd.conf.rpmsave
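Review bot: `clamd.conf.rpmnew` is the package's untouched example file (its `Example` line is still active and every option is commented out), so committing it records that the newer packaged defaults were never merged into the live `clamd.conf`. The live file in the preceding hunk still sets `ArchiveBlockEncrypted no`, a name this template no longer lists (it documents `AlertEncrypted`, `AlertEncryptedArchive` and `AlertEncryptedDoc` instead), and the part of the live file visible here has no `MaxScanTime` or `AlertExceedsMax` line; whether the installed clamd still accepts the old name cannot be told from this page. I would merge the wanted settings into `clamd.conf`, delete the leftover, and keep such files out of the repository with ignore entries `*.rpmnew` and `*.rpmsave`. The same applies to `clamd.conf.rpmsave`, whose hunk starts right after this one.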
@@ -0,0 +1,452 @@
+##
+## Example config file for the Clam AV daemon
+## Please read the clamd.conf(5) manual before editing this file.
+##
+
+
+# Comment or remove the line below.
+#Example
+
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+# Default: disabled
+LogFile /var/log/clamav/clamd.log
+
+# By default the log file is locked for writing - the lock protects against
+# running clamd multiple times (if want to run another clamd, please
+# copy the configuration file, change the LogFile variable, and run
+# the daemon with --config-file option).
+# This option disables log file locking.
+# Default: no
+#LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers.
+# Default: 1M
+LogFileMaxSize 0
+
+# Log time with each message.
+# Default: no
+LogTime yes
+
+# Also log clean files. Useful in debugging but drastically increases the
+# log size.
+# Default: no
+LogClean no
+
+# Use system logger (can work together with LogFile).
+# Default: no
+LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+LogFacility LOG_MAIL
+
+# Enable verbose logging.
+# Default: no
+LogVerbose yes
+
+# Log additional information about the infected file, such as its
+# size and hash, together with the virus name.
+ExtendedDetectionInfo yes
+
+# This option allows you to save a process identifier of the listening
+# daemon (main thread).
+# Default: disabled
+PidFile /var/run/clamav/clamd.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+TemporaryDirectory /var/tmp
+
+# Path to the database directory.
+# Default: hardcoded (depends on installation options)
+DatabaseDirectory /var/lib/clamav
+
+# Only load the official signatures published by the ClamAV project.
+# Default: no
+#OfficialDatabaseOnly no
+
+# The daemon can work in local mode, network mode or both.
+# Due to security reasons we recommend the local mode.
+
+# Path to a local socket file the daemon will listen on.
+# Default: disabled (must be specified by a user)
+LocalSocket /var/run/clamav/clamd.sock
+
+# Sets the group ownership on the unix socket.
+# Default: disabled (the primary group of the user running clamd)
+#LocalSocketGroup virusgroup
+
+# Sets the permissions on the unix socket to the specified mode.
+# Default: disabled (socket is world accessible)
+#LocalSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+# Default: yes
+FixStaleSocket yes
+
+# TCP port address.
+# Default: no
+TCPSocket 3310
+
+# TCP address.
+# By default we bind to INADDR_ANY, probably not wise.
+# Enable the following to provide some degree of protection
+# from the outside world.
+# Default: no
+TCPAddr 127.0.0.1
+
+# Maximum length the queue of pending connections may grow to.
+# Default: 200
+MaxConnectionQueueLength 30
+
+# Clamd uses FTP-like protocol to receive data from remote clients.
+# If you are using clamav-milter to balance load between remote clamd daemons
+# on firewall servers you may need to tune the options below.
+
+# Close the connection when the data size limit is exceeded.
+# The value should match your MTA's limit for a maximum attachment size.
+# Default: 25M
+StreamMaxLength 10M
+
+# Limit port range.
+# Default: 1024
+#StreamMinPort 30000
+# Default: 2048
+#StreamMaxPort 32000
+
+# Maximum number of threads running at the same time.
+# Default: 10
+MaxThreads 5
+
+# Waiting for data from a client socket will timeout after this time (seconds).
+# Default: 120
+ReadTimeout 120
+
+# This option specifies the time (in seconds) after which clamd should
+# timeout if a client doesn't provide any initial command after connecting.
+# Default: 5
+CommandReadTimeout 5
+
+# This option specifies how long to wait (in miliseconds) if the send buffer is full.
+# Keep this value low to prevent clamd hanging
+#
+# Default: 500
+SendBufTimeout 200
+
+# Maximum number of queued items (including those being processed by MaxThreads threads)
+# It is recommended to have this value at least twice MaxThreads if possible.
+# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
+# the following condition should hold:
+# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
+#
+# Default: 100
+MaxQueue 50
+
+# Waiting for a new job will timeout after this time (seconds).
+# Default: 30
+IdleTimeout 10
+
+# Don't scan files and directories matching regex
+# This directive can be used multiple times
+# Default: scan all
+#ExcludePath ^/proc/
+#ExcludePath ^/sys/
+
+# Maximum depth directories are scanned at.
+# Default: 15
+#MaxDirectoryRecursion 20
+
+# Follow directory symlinks.
+# Default: no
+#FollowDirectorySymlinks yes
+
+# Follow regular file symlinks.
+# Default: no
+#FollowFileSymlinks yes
+
+# Scan files and directories on other filesystems.
+# Default: yes
+CrossFilesystems yes
+
+# Perform a database check.
+# Default: 600 (10 min)
+SelfCheck 43200
+
+# Execute a command when virus is found. In the command string %v will
+# be replaced with the virus name.
+# Default: no
+#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
+
+# Run as another user (clamd must be started by root for this option to work)
+# Default: don't drop privileges
+User amavis
+
+# Initialize supplementary group access (clamd must be started by root).
+# Default: no
+#AllowSupplementaryGroups yes
+
+# Stop daemon when libclamav reports out of memory condition.
+ExitOnOOM yes
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Do not remove temporary files (for debug purposes).
+# Default: no
+LeaveTemporaryFiles no
+
+# Detect Possibly Unwanted Applications.
+# Default: no
+DetectPUA yes
+
+# Exclude a specific PUA category. This directive can be used multiple times.
+# See http://www.clamav.net/support/pua for the complete list of PUA
+# categories.
+# Default: Load all categories (if DetectPUA is activated)
+#ExcludePUA NetTool
+#ExcludePUA PWTool
+
+# Only include a specific PUA category. This directive can be used multiple
+# times.
+# Default: Load all categories (if DetectPUA is activated)
+IncludePUA Spy
+IncludePUA Scanner
+IncludePUA RAT
+IncludePUA Packed
+IncludePUA PwTool
+IncludePUA NetTool
+IncludePUA P2P
+IncludePUA IRC
+IncludePUA Tool
+IncludePUA Server
+IncludePUA Script
+
+# In some cases (eg. complex malware, exploits in graphic files, and others),
+# ClamAV uses special algorithms to provide accurate detection. This option
+# controls the algorithmic detection.
+# Default: yes
+AlgorithmicDetection yes
+
+
+##
+## Executable files
+##
+
+# PE stands for Portable Executable - it's an executable file format used
+# in all 32 and 64-bit versions of Windows operating systems. This option allows
+# ClamAV to perform a deeper analysis of executable files and it's also
+# required for decompression of popular executable packers such as UPX, FSG,
+# and Petite.
+# Default: yes
+ScanPE yes
+
+# Executable and Linking Format is a standard format for UN*X executables.
+# This option allows you to control the scanning of ELF files.
+# Default: yes
+ScanELF yes
+
+# With this option clamav will try to detect broken executables (both PE and
+# ELF) and mark them as Broken.Executable.
+# Default: no
+#DetectBrokenExecutables yes
+
+
+##
+## Documents
+##
+
+# This option enables scanning of OLE2 files, such as Microsoft Office
+# documents and .msi files.
+# Default: yes
+ScanOLE2 yes
+
+
+# With this option enabled OLE2 files with VBA macros, which were not
+# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
+# Default: no
+OLE2BlockMacros yes
+
+# This option enables scanning within PDF files.
+# Default: yes
+ScanPDF yes
+
+
+##
+## Mail files
+##
+
+# Enable internal e-mail scanner.
+# Default: yes
+ScanMail yes
+
+# Scan RFC1341 messages split over many emails.
+# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
+# WARNING: This option may open your system to a DoS attack.
+# Never use it on loaded servers.
+# Default: no
+ScanPartialMessages no
+
+
+# With this option enabled ClamAV will try to detect phishing attempts by using
+# signatures.
+# Default: yes
+PhishingSignatures yes
+
+# Scan URLs found in mails for phishing attempts using heuristics.
+# Default: yes
+PhishingScanURLs yes
+
+# Always block SSL mismatches in URLs, even if the URL isn't in the database.
+# This can lead to false positives.
+#
+# Default: no
+PhishingAlwaysBlockSSLMismatch no
+
+# Always block cloaked URLs, even if URL isn't in database.
+# This can lead to false positives.
+#
+# Default: no
+PhishingAlwaysBlockCloak no
+
+# Allow heuristic match to take precedence.
+# When enabled, if a heuristic scan (such as phishingScan) detects
+# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
+# scan-time.
+# When disabled, virus/phish detected by heuristic scans will be reported only at
+# the end of a scan. If an archive contains both a heuristically detected
+# virus/phish, and a real malware, the real malware will be reported
+#
+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
+# differently from "real" malware.
+# If a non-heuristically-detected virus (signature-based) is found first,
+# the scan is interrupted immediately, regardless of this config option.
+#
+# Default: no
+HeuristicScanPrecedence no
+
+##
+## Data Loss Prevention (DLP)
+##
+
+# Enable the DLP module
+# Default: No
+StructuredDataDetection no
+
+# This option sets the lowest number of Credit Card numbers found in a file
+# to generate a detect.
+# Default: 3
+#StructuredMinCreditCardCount 5
+
+# This option sets the lowest number of Social Security Numbers found
+# in a file to generate a detect.
+# Default: 3
+#StructuredMinSSNCount 5
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxx-yy-zzzz
+# Default: yes
+StructuredSSNFormatNormal no
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxxyyzzzz
+# Default: no
+StructuredSSNFormatStripped no
+
+
+##
+## HTML
+##
+
+# Perform HTML normalisation and decryption of MS Script Encoder code.
+# Default: yes
+ScanHTML yes
+
+
+##
+## Archives
+##
+
+# ClamAV can scan within archives and compressed files.
+# Default: yes
+ScanArchive yes
+
+# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
+# Default: no
+ArchiveBlockEncrypted no
+
+
+##
+## Limits
+##
+
+# The options below protect your system against Denial of Service attacks
+# using archive bombs.
+
+# This option sets the maximum amount of data to be scanned for each input file.
+# Archives and other containers are recursively extracted and scanned up to this
+# value.
+# Value of 0 disables the limit
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 100M
+MaxScanSize 50M
+
+# Files larger than this limit won't be scanned. Affects the input file itself
+# as well as files contained inside it (when the input file is an archive, a
+# document or some other kind of container).
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 25M
+MaxFileSize 30M
+
+# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
+# file, all files within it will also be scanned. This options specifies how
+# deeply the process should be continued.
+# Note: setting this limit too high may result in severe damage to the system.
+# Default: 16
+MaxRecursion 10
+
+# Number of files to be scanned within an archive, a document, or any other
+# container file.
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10000
+#MaxFiles 15000
+
+# With this option enabled ClamAV will load bytecode from the database.
+# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
+# Default: yes
+Bytecode yes
+
+# Set bytecode security level.
+# Possible values:
+# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
+# This value is only available if clamav was built with --enable-debug!
+# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
+# insert runtime safety checks for bytecode loaded from other sources
+# Paranoid - don't trust any bytecode, insert runtime checks for all
+# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
+# Note that by default only signed bytecode is loaded, currently you can only
+# load unsigned bytecode in --enable-debug mode.
+#
+# Default: TrustSigned
+BytecodeSecurity TrustSigned
+
+# Set bytecode timeout in miliseconds.
+#
+# Default: 5000
+BytecodeTimeout 3000
diff --git a/clamd.d/amavisd.conf b/clamd.d/amavisd.conf
new file mode 100644
index 0000000..33421ae
--- /dev/null
+++ b/clamd.d/amavisd.conf
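Review bot: `LocalSocket /var/run/clamav/clamd.sock` is active in clamd.conf.rpmsave while `#LocalSocketMode 660` and `#LocalSocketGroup virusgroup` stay commented out, and the file's own comment gives the resulting default as "socket is world accessible", so unless the socket directory's permissions (not visible here) restrict it, any local account can submit scan requests to clamd. I would uncomment `LocalSocketMode 660` and set `LocalSocketGroup` to the group the mail filter runs under. The same applies to `LocalSocket /run/clamd.amavisd/clamd.sock` in the clamd.d/amavisd.conf hunk, which sets neither option. `TCPSocket 3310` is also enabled alongside the local socket; it is bound to 127.0.0.1, but the file recommends local mode, so it is worth dropping the TCP listener if nothing depends on it.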
@@ -0,0 +1,20 @@
+# Use system logger.
+LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+LogFacility LOG_MAIL
+
+# This option allows you to save a process identifier of the listening
+# daemon (main thread).
+PidFile /run/clamd.amavisd/clamd.pid
+
+# Remove stale socket after unclean shutdown.
+# Default: disabled
+FixStaleSocket yes
+
+# Run as a selected user (clamd must be started by root).
+User amavis
+
+# Path to a local socket file the daemon will listen on.
+LocalSocket /run/clamd.amavisd/clamd.sock
diff --git a/clamd.d/scan.conf b/clamd.d/scan.conf
new file mode 100644
index 0000000..66dc46f
--- /dev/null
+++ b/clamd.d/scan.conf
@@ -0,0 +1,792 @@
+##
+## Example config file for the Clam AV daemon
+## Please read the clamd.conf(5) manual before editing this file.
+##
+
+
+# Comment or remove the line below.
+#Example
+
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+# Default: disabled
+#LogFile /var/log/clamd.scan
+
+# By default the log file is locked for writing - the lock protects against
+# running clamd multiple times (if want to run another clamd, please
+# copy the configuration file, change the LogFile variable, and run
+# the daemon with --config-file option).
+# This option disables log file locking.
+# Default: no
+#LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
+# rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+#LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+#LogTime yes
+
+# Also log clean files. Useful in debugging but drastically increases the
+# log size.
+# Default: no
+#LogClean yes
+
+# Use system logger (can work together with LogFile).
+# Default: no
+LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# Enable Prelude output.
+# Default: no
+#PreludeEnable yes
+#
+# Set the name of the analyzer used by prelude-admin.
+# Default: ClamAV
+#PreludeAnalyzerName ClamAV
+
+# Log additional information about the infected file, such as its
+# size and hash, together with the virus name.
+#ExtendedDetectionInfo yes
+
+# This option allows you to save a process identifier of the listening
+# daemon (main thread).
+# This file will be owned by root, as long as clamd was started by root.
+# It is recommended that the directory where this file is stored is
+# also owned by root to keep other users from tampering with it.
+# Default: disabled
+#PidFile /run/clamd.scan/clamd.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+#TemporaryDirectory /var/tmp
+
+# Path to the database directory.
+# Default: hardcoded (depends on installation options)
+#DatabaseDirectory /var/lib/clamav
+
+# Only load the official signatures published by the ClamAV project.
+# Default: no
+#OfficialDatabaseOnly no
+
+# The daemon can work in local mode, network mode or both.
+# Due to security reasons we recommend the local mode.
+
+# Path to a local socket file the daemon will listen on.
+# Default: disabled (must be specified by a user)
+#LocalSocket /run/clamd.scan/clamd.sock
+
+# Sets the group ownership on the unix socket.
+# Default: disabled (the primary group of the user running clamd)
+#LocalSocketGroup virusgroup
+
+# Sets the permissions on the unix socket to the specified mode.
+# Default: disabled (socket is world accessible)
+#LocalSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+# Default: yes
+#FixStaleSocket yes
+
+# TCP port address.
+# Default: no
+#TCPSocket 3310
+
+# TCP address.
+# By default we bind to INADDR_ANY, probably not wise.
+# Enable the following to provide some degree of protection
+# from the outside world. This option can be specified multiple
+# times if you want to listen on multiple IPs. IPv6 is now supported.
+# Default: no
+#TCPAddr 127.0.0.1
+
+# Maximum length the queue of pending connections may grow to.
+# Default: 200
+#MaxConnectionQueueLength 30
+
+# Clamd uses FTP-like protocol to receive data from remote clients.
+# If you are using clamav-milter to balance load between remote clamd daemons
+# on firewall servers you may need to tune the options below.
+
+# Close the connection when the data size limit is exceeded.
+# The value should match your MTA's limit for a maximum attachment size.
+# Default: 25M
+#StreamMaxLength 10M
+
+# Limit port range.
+# Default: 1024
+#StreamMinPort 30000
+# Default: 2048
+#StreamMaxPort 32000
+
+# Maximum number of threads running at the same time.
+# Default: 10
+#MaxThreads 20
+
+# Waiting for data from a client socket will timeout after this time (seconds).
+# Default: 120
+#ReadTimeout 300
+
+# This option specifies the time (in seconds) after which clamd should
+# timeout if a client doesn't provide any initial command after connecting.
+# Default: 30
+#CommandReadTimeout 30
+
+# This option specifies how long to wait (in milliseconds) if the send buffer
+# is full.
+# Keep this value low to prevent clamd hanging.
+#
+# Default: 500
+#SendBufTimeout 200
+
+# Maximum number of queued items (including those being processed by
+# MaxThreads threads).
+# It is recommended to have this value at least twice MaxThreads if possible.
+# WARNING: you shouldn't increase this too much to avoid running out of file
+# descriptors, the following condition should hold:
+# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
+# max is 1024).
+#
+# Default: 100
+#MaxQueue 200
+
+# Waiting for a new job will timeout after this time (seconds).
+# Default: 30
+#IdleTimeout 60
+
+# Don't scan files and directories matching regex
+# This directive can be used multiple times
+# Default: scan all
+#ExcludePath ^/proc/
+#ExcludePath ^/sys/
+
+# Maximum depth directories are scanned at.
+# Default: 15
+#MaxDirectoryRecursion 20
+
+# Follow directory symlinks.
+# Default: no
+#FollowDirectorySymlinks yes
+
+# Follow regular file symlinks.
+# Default: no
+#FollowFileSymlinks yes
+
+# Scan files and directories on other filesystems.
+# Default: yes
+#CrossFilesystems yes
+
+# Perform a database check.
+# Default: 600 (10 min)
+#SelfCheck 600
+
+# Enable non-blocking (multi-threaded/concurrent) database reloads.
+# This feature will temporarily load a second scanning engine while scanning
+# continues using the first engine. Once loaded, the new engine takes over.
+# The old engine is removed as soon as all scans using the old engine have
+# completed.
+# This feature requires more RAM, so this option is provided in case users are
+# willing to block scans during reload in exchange for lower RAM requirements.
+# Default: yes
+#ConcurrentDatabaseReload no
+
+# Execute a command when virus is found. In the command string %v will
+# be replaced with the virus name.
+# Default: no
+#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
+
+# Run as another user (clamd must be started by root for this option to work)
+# Default: don't drop privileges
+User clamscan
+
+# Stop daemon when libclamav reports out of memory condition.
+#ExitOnOOM yes
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Do not remove temporary files (for debug purposes).
+# Default: no
+#LeaveTemporaryFiles yes
+
+# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
+# any ALLMATCHSCAN command as invalid.
+# Default: yes
+#AllowAllMatchScan no
+
+# Detect Possibly Unwanted Applications.
+# Default: no
+#DetectPUA yes
+
+# Exclude a specific PUA category. This directive can be used multiple times.
+# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
+# the complete list of PUA categories.
+# Default: Load all categories (if DetectPUA is activated)
+#ExcludePUA NetTool
+#ExcludePUA PWTool
+
+# Only include a specific PUA category. This directive can be used multiple
+# times.
+# Default: Load all categories (if DetectPUA is activated)
+#IncludePUA Spy
+#IncludePUA Scanner
+#IncludePUA RAT
+
+# This option causes memory or nested map scans to dump the content to disk.
+# If you turn on this option, more data is written to disk and is available
+# when the LeaveTemporaryFiles option is enabled.
+#ForceToDisk yes
+
+# This option allows you to disable the caching feature of the engine. By
+# default, the engine will store an MD5 in a cache of any files that are
+# not flagged as virus or that hit limits checks. Disabling the cache will
+# have a negative performance impact on large scans.
+# Default: no
+#DisableCache yes
+
+# In some cases (eg. complex malware, exploits in graphic files, and others),
+# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
+# may be malicious. This option enables alerting on such heuristically
+# detected potential threats.
+# Default: yes
+#HeuristicAlerts yes
+
+# Allow heuristic alerts to take precedence.
+# When enabled, if a heuristic scan (such as phishingScan) detects
+# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
+# scan-time.
+# When disabled, virus/phish detected by heuristic scans will be reported only
+# at the end of a scan. If an archive contains both a heuristically detected
+# virus/phish, and a real malware, the real malware will be reported
+#
+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
+# differently from "real" malware.
+# If a non-heuristically-detected virus (signature-based) is found first,
+# the scan is interrupted immediately, regardless of this config option.
+#
+# Default: no
+#HeuristicScanPrecedence yes
+
+
+##
+## Heuristic Alerts
+##
+
+# With this option clamav will try to detect broken executables (both PE and
+# ELF) and alert on them with the Broken.Executable heuristic signature.
+# Default: no
+#AlertBrokenExecutables yes
+
+# With this option clamav will try to detect broken media file (JPEG,
+# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
+# Default: no
+#AlertBrokenMedia yes
+
+# Alert on encrypted archives _and_ documents with heuristic signature
+# (encrypted .zip, .7zip, .rar, .pdf).
+# Default: no
+#AlertEncrypted yes
+
+# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
+# .rar).
+# Default: no
+#AlertEncryptedArchive yes
+
+# Alert on encrypted archives with heuristic signature (encrypted .pdf).
+# Default: no
+#AlertEncryptedDoc yes
+
+# With this option enabled OLE2 files containing VBA macros, which were not
+# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
+# Default: no
+#AlertOLE2Macros yes
+
+# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
+# This can lead to false positives.
+# Default: no
+#AlertPhishingSSLMismatch yes
+
+# Alert on cloaked URLs, even if URL isn't in database.
+# This can lead to false positives.
+# Default: no
+#AlertPhishingCloak yes
+
+# Alert on raw DMG image files containing partition intersections
+# Default: no
+#AlertPartitionIntersection yes
+
+
+##
+## Executable files
+##
+
+# PE stands for Portable Executable - it's an executable file format used
+# in all 32 and 64-bit versions of Windows operating systems. This option
+# allows ClamAV to perform a deeper analysis of executable files and it's also
+# required for decompression of popular executable packers such as UPX, FSG,
+# and Petite. If you turn off this option, the original files will still be
+# scanned, but without additional processing.
+# Default: yes
+#ScanPE yes
+
+# Certain PE files contain an authenticode signature. By default, we check
+# the signature chain in the PE file against a database of trusted and
+# revoked certificates if the file being scanned is marked as a virus.
+# If any certificate in the chain validates against any trusted root, but
+# does not match any revoked certificate, the file is marked as whitelisted.
+# If the file does match a revoked certificate, the file is marked as virus.
+# The following setting completely turns off authenticode verification.
+# Default: no
+#DisableCertCheck yes
+
+# Executable and Linking Format is a standard format for UN*X executables.
+# This option allows you to control the scanning of ELF files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanELF yes
+
+
+##
+## Documents
+##
+
+# This option enables scanning of OLE2 files, such as Microsoft Office
+# documents and .msi files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanOLE2 yes
+
+# This option enables scanning within PDF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanPDF yes
+
+# This option enables scanning within SWF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanSWF yes
+
+# This option enables scanning xml-based document files supported by libclamav.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanXMLDOCS yes
+
+# This option enables scanning of HWP3 files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanHWP3 yes
+
+
+##
+## Mail files
+##
+
+# Enable internal e-mail scanner.
+# If you turn off this option, the original files will still be scanned, but
+# without parsing individual messages/attachments.
+# Default: yes
+#ScanMail yes
+
+# Scan RFC1341 messages split over many emails.
+# You will need to periodically clean up $TemporaryDirectory/clamav-partial
+# directory.
+# WARNING: This option may open your system to a DoS attack.
+# Never use it on loaded servers.
+# Default: no
+#ScanPartialMessages yes
+
+# With this option enabled ClamAV will try to detect phishing attempts by using
+# HTML.Phishing and Email.Phishing NDB signatures.
+# Default: yes
+#PhishingSignatures no
+
+# With this option enabled ClamAV will try to detect phishing attempts by
+# analyzing URLs found in emails using WDB and PDB signature databases.
+# Default: yes
+#PhishingScanURLs no
+
+
+##
+## Data Loss Prevention (DLP)
+##
+
+# Enable the DLP module
+# Default: No
+#StructuredDataDetection yes
+
+# This option sets the lowest number of Credit Card numbers found in a file
+# to generate a detect.
+# Default: 3
+#StructuredMinCreditCardCount 5
+
+# With this option enabled the DLP module will search for valid Credit Card
+# numbers only. Debit and Private Label cards will not be searched.
+# Default: no
+#StructuredCCOnly yes
+
+# This option sets the lowest number of Social Security Numbers found
+# in a file to generate a detect.
+# Default: 3
+#StructuredMinSSNCount 5
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxx-yy-zzzz
+# Default: yes
+#StructuredSSNFormatNormal yes
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxxyyzzzz
+# Default: no
+#StructuredSSNFormatStripped yes
+
+
+##
+## HTML
+##
+
+# Perform HTML normalisation and decryption of MS Script Encoder code.
+# Default: yes
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+#ScanHTML yes
+
+
+##
+## Archives
+##
+
+# ClamAV can scan within archives and compressed files.
+# If you turn off this option, the original files will still be scanned, but
+# without unpacking and additional processing.
+# Default: yes
+#ScanArchive yes
+
+
+##
+## Limits
+##
+
+# The options below protect your system against Denial of Service attacks
+# using archive bombs.
+
+# This option sets the maximum amount of time to a scan may take.
+# In this version, this field only affects the scan time of ZIP archives.
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result allow scanning
+# of certain files to lock up the scanning process/threads resulting in a
+# Denial of Service.
+# Time is in milliseconds.
+# Default: 120000
+#MaxScanTime 300000
+
+# This option sets the maximum amount of data to be scanned for each input
+# file. Archives and other containers are recursively extracted and scanned
+# up to this value.
+# Value of 0 disables the limit
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 100M
+#MaxScanSize 150M
+
+# Files larger than this limit won't be scanned. Affects the input file itself
+# as well as files contained inside it (when the input file is an archive, a
+# document or some other kind of container).
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Technical design limitations prevent ClamAV from scanning files greater than
+# 2 GB at this time.
+# Default: 25M
+#MaxFileSize 30M
+
+# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
+# file, all files within it will also be scanned. This options specifies how
+# deeply the process should be continued.
+# Note: setting this limit too high may result in severe damage to the system.
+# Default: 16
+#MaxRecursion 10
+
+# Number of files to be scanned within an archive, a document, or any other
+# container file.
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10000
+#MaxFiles 15000
+
+# Maximum size of a file to check for embedded PE. Files larger than this value
+# will skip the additional analysis step.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxEmbeddedPE 10M
+
+# Maximum size of a HTML file to normalize. HTML files larger than this value
+# will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxHTMLNormalize 10M
+
+# Maximum size of a normalized HTML file to scan. HTML files larger than this
+# value after normalization will not be scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 2M
+#MaxHTMLNoTags 2M
+
+# Maximum size of a script file to normalize. Script content larger than this
+# value will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 5M
+#MaxScriptNormalize 5M
+
+# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
+# than this value will skip the step to potentially reanalyze as PE.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 1M
+#MaxZipTypeRcg 1M
+
+# This option sets the maximum number of partitions of a raw disk image to be
+# scanned.
+# Raw disk images with more partitions than this value will have up to
+# the value number partitions scanned. Negative values are not allowed.
+# Note: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 50
+#MaxPartitions 128
+
+# This option sets the maximum number of icons within a PE to be scanned.
+# PE files with more icons than this value will have up to the value number
+# icons scanned.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 100
+#MaxIconsPE 200
+
+# This option sets the maximum recursive calls for HWP3 parsing during
+# scanning. HWP3 files using more than this limit will be terminated and
+# alert the user.
+# Scans will be unable to scan any HWP3 attachments if the recursive limit
+# is reached.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 16
+#MaxRecHWP3 16
+
+# This option sets the maximum calls to the PCRE match function during
+# an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user
+# but the scan will continue.
+# For more information on match_limit, see the PCRE documentation.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may severely impact performance.
+# Default: 100000
+#PCREMatchLimit 20000
+
+# This option sets the maximum recursive calls to the PCRE match function
+# during an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user
+# but the scan will continue.
+# For more information on match_limit_recursion, see the PCRE documentation.
+# Negative values are not allowed and values > PCREMatchLimit are superfluous.
+# WARNING: setting this limit too high may severely impact performance.
+# Default: 2000
+#PCRERecMatchLimit 10000
+
+# This option sets the maximum filesize for which PCRE subsigs will be
+# executed. Files exceeding this limit will not have PCRE subsigs executed
+# unless a subsig is encompassed to a smaller buffer.
+# Negative values are not allowed.
+# Setting this value to zero disables the limit.
+# WARNING: setting this limit too high or disabling it may severely impact
+# performance.
+# Default: 25M +#PCREMaxFileSize 100M + +# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or +# MaxRecursion limit will be flagged with the virus +# "Heuristics.Limits.Exceeded". +# Default: no +#AlertExceedsMax yes + +## +## On-access Scan Settings +## + +# Don't scan files larger than OnAccessMaxFileSize +# Value of 0 disables the limit. +# Default: 5M +#OnAccessMaxFileSize 10M + +# Max number of scanning threads to allocate to the OnAccess thread pool at +# startup. These threads are the ones responsible for creating a connection +# with the daemon and kicking off scanning after an event has been processed. +# To prevent clamonacc from consuming all clamd's resources keep this lower +# than clamd's max threads. +# Default: 5 +#OnAccessMaxThreads 10 + +# Max amount of time (in milliseconds) that the OnAccess client should spend +# for every connect, send, and recieve attempt when communicating with clamd +# via curl. +# Default: 5000 (5 seconds) +# OnAccessCurlTimeout 10000 + +# Toggles dynamic directory determination. Allows for recursively watching +# include paths. +# Default: no +#OnAccessDisableDDD yes + +# Set the include paths (all files inside them will be scanned). You can have +# multiple OnAccessIncludePath directives but each directory must be added +# in a separate line. +# Default: disabled +#OnAccessIncludePath /home +#OnAccessIncludePath /students + +# Set the exclude paths. All subdirectories are also excluded. +# Default: disabled +#OnAccessExcludePath /home/user + +# Modifies fanotify blocking behaviour when handling permission events. +# If off, fanotify will only notify if the file scanned is a virus, +# and not perform any blocking. +# Default: no +#OnAccessPrevention yes + +# When using prevention, if this option is turned on, any errors that occur +# during scanning will result in the event attempt being denied. 
This could +# potentially lead to unwanted system behaviour with certain configurations, +# so the client defaults this to off and prefers allowing access events in +# case of scan or connection error. +# Default: no +#OnAccessDenyOnError yes + +# Toggles extra scanning and notifications when a file or directory is +# created or moved. +# Requires the DDD system to kick-off extra scans. +# Default: no +#OnAccessExtraScanning yes + +# Set the mount point to be scanned. The mount point specified, or the mount +# point containing the specified directory will be watched. If any directories +# are specified, this option will preempt (disable and ignore all options +# related to) the DDD system. This option will result in verdicts only. +# Note that prevention is explicitly disallowed to prevent common, fatal +# misconfigurations. (e.g. watching "/" with prevention on and no exclusions +# made on vital system directories) +# It can be used multiple times. +# Default: disabled +#OnAccessMountPath / +#OnAccessMountPath /home/user + +# With this option you can whitelist the root UID (0). Processes run under +# root with be able to access all files without triggering scans or +# permission denied events. +# Note that if clamd cannot check the uid of the process that generated an +# on-access scan event (e.g., because OnAccessPrevention was not enabled, and +# the process already exited), clamd will perform a scan. Thus, setting +# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the +# root user from triggering a scan (unless OnAccessPrevention is enabled). +# Default: no +#OnAccessExcludeRootUID no + +# With this option you can whitelist specific UIDs. Processes with these UIDs +# will be able to access all files without triggering scans or permission +# denied events. +# This option can be used multiple times (one per line). +# Using a value of 0 on any line will disable this option entirely. 
+# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
+# option.
+# Also note that if clamd cannot check the uid of the process that generated an
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
+# the process already exited), clamd will perform a scan. Thus, setting
+# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
+# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
+# Default: disabled
+#OnAccessExcludeUID -1
+
+# This option allows exclusions via user names when using the on-access
+# scanning client. It can be used multiple times.
+# It has the same potential race condition limitations of the
+# OnAccessExcludeUID option.
+# Default: disabled
+#OnAccessExcludeUname clamav
+
+# Number of times the OnAccess client will retry a failed scan due to
+# connection problems (or other issues).
+# Default: 0
+#OnAccessRetryAttempts 3
+
+##
+## Bytecode
+##
+
+# With this option enabled ClamAV will load bytecode from the database.
+# It is highly recommended you keep this option on, otherwise you'll miss
+# detections for many new viruses.
+# Default: yes
+#Bytecode yes
+
+# Set bytecode security level.
+# Possible values:
+# None - No security at all, meant for debugging.
+# DO NOT USE THIS ON PRODUCTION SYSTEMS.
+# This value is only available if clamav was built
+# with --enable-debug!
+# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
+# runtime safety checks for bytecode loaded from other sources.
+# Paranoid - Don't trust any bytecode, insert runtime checks for all.
+# Recommended: TrustSigned, because bytecode in .cvd files already has these
+# checks.
+# Note that by default only signed bytecode is loaded, currently you can only
+# load unsigned bytecode in --enable-debug mode.
+#
+# Default: TrustSigned
+#BytecodeSecurity TrustSigned
+
+# Allow loading bytecode from outside digitally signed .c[lv]d files.
+# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
+# Doing so may result in arbitrary code execution.
+# Default: no
+#BytecodeUnsigned yes
+
+# Set bytecode timeout in milliseconds.
+#
+# Default: 5000
+# BytecodeTimeout 1000
diff --git a/clamd.d/scan.conf.rpmnew b/clamd.d/scan.conf.rpmnew
new file mode 100644
index 0000000..468788c
--- /dev/null
+++ b/clamd.d/scan.conf.rpmnew
@@ -0,0 +1,762 @@
+##
+## Example config file for the Clam AV daemon
+## Please read the clamd.conf(5) manual before editing this file.
+##
+
+
+# Comment or remove the line below.
+#Example
+
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+# Default: disabled
+#LogFile /var/log/clamd.scan
+
+# By default the log file is locked for writing - the lock protects against
+# running clamd multiple times (if want to run another clamd, please
+# copy the configuration file, change the LogFile variable, and run
+# the daemon with --config-file option).
+# This option disables log file locking.
+# Default: no
+#LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
+# rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+#LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+#LogTime yes
+
+# Also log clean files. Useful in debugging but drastically increases the
+# log size.
+# Default: no
+#LogClean yes
+
+# Use system logger (can work together with LogFile).
+# Default: no
+LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# Enable Prelude output.
+# Default: no
+#PreludeEnable yes
+#
+# Set the name of the analyzer used by prelude-admin.
+# Default: ClamAV
+#PreludeAnalyzerName ClamAV
+
+# Log additional information about the infected file, such as its
+# size and hash, together with the virus name.
+#ExtendedDetectionInfo yes
+
+# This option allows you to save a process identifier of the listening
+# daemon (main thread).
+# Default: disabled
+#PidFile /run/clamd.scan/clamd.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+#TemporaryDirectory /var/tmp
+
+# Path to the database directory.
+# Default: hardcoded (depends on installation options)
+#DatabaseDirectory /var/lib/clamav
+
+# Only load the official signatures published by the ClamAV project.
+# Default: no
+#OfficialDatabaseOnly no
+
+# The daemon can work in local mode, network mode or both.
+# Due to security reasons we recommend the local mode.
+
+# Path to a local socket file the daemon will listen on.
+# Default: disabled (must be specified by a user)
+#LocalSocket /run/clamd.scan/clamd.sock
+
+# Sets the group ownership on the unix socket.
+# Default: disabled (the primary group of the user running clamd)
+#LocalSocketGroup virusgroup
+
+# Sets the permissions on the unix socket to the specified mode.
+# Default: disabled (socket is world accessible)
+#LocalSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+# Default: yes
+#FixStaleSocket yes
+
+# TCP port address.
+# Default: no
+#TCPSocket 3310
+
+# TCP address.
+# By default we bind to INADDR_ANY, probably not wise.
+# Enable the following to provide some degree of protection
+# from the outside world. This option can be specified multiple
+# times if you want to listen on multiple IPs. IPv6 is now supported.
+# Default: no
+#TCPAddr 127.0.0.1
+
+# Maximum length the queue of pending connections may grow to.
+# Default: 200
+#MaxConnectionQueueLength 30
+
+# Clamd uses FTP-like protocol to receive data from remote clients.
+# If you are using clamav-milter to balance load between remote clamd daemons
+# on firewall servers you may need to tune the options below.
+
+# Close the connection when the data size limit is exceeded.
+# The value should match your MTA's limit for a maximum attachment size. +# Default: 25M +#StreamMaxLength 10M + +# Limit port range. +# Default: 1024 +#StreamMinPort 30000 +# Default: 2048 +#StreamMaxPort 32000 + +# Maximum number of threads running at the same time. +# Default: 10 +#MaxThreads 20 + +# Waiting for data from a client socket will timeout after this time (seconds). +# Default: 120 +#ReadTimeout 300 + +# This option specifies the time (in seconds) after which clamd should +# timeout if a client doesn't provide any initial command after connecting. +# Default: 30 +#CommandReadTimeout 30 + +# This option specifies how long to wait (in milliseconds) if the send buffer +# is full. +# Keep this value low to prevent clamd hanging. +# +# Default: 500 +#SendBufTimeout 200 + +# Maximum number of queued items (including those being processed by +# MaxThreads threads). +# It is recommended to have this value at least twice MaxThreads if possible. +# WARNING: you shouldn't increase this too much to avoid running out of file +# descriptors, the following condition should hold: +# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual +# max is 1024). +# +# Default: 100 +#MaxQueue 200 + +# Waiting for a new job will timeout after this time (seconds). +# Default: 30 +#IdleTimeout 60 + +# Don't scan files and directories matching regex +# This directive can be used multiple times +# Default: scan all +#ExcludePath ^/proc/ +#ExcludePath ^/sys/ + +# Maximum depth directories are scanned at. +# Default: 15 +#MaxDirectoryRecursion 20 + +# Follow directory symlinks. +# Default: no +#FollowDirectorySymlinks yes + +# Follow regular file symlinks. +# Default: no +#FollowFileSymlinks yes + +# Scan files and directories on other filesystems. +# Default: yes +#CrossFilesystems yes + +# Perform a database check. +# Default: 600 (10 min) +#SelfCheck 600 + +# Execute a command when virus is found. 
In the command string %v will +# be replaced with the virus name. +# Default: no +#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v" + +# Run as another user (clamd must be started by root for this option to work) +# Default: don't drop privileges +User clamscan + +# Stop daemon when libclamav reports out of memory condition. +#ExitOnOOM yes + +# Don't fork into background. +# Default: no +#Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Do not remove temporary files (for debug purposes). +# Default: no +#LeaveTemporaryFiles yes + +# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject +# any ALLMATCHSCAN command as invalid. +# Default: yes +#AllowAllMatchScan no + +# Detect Possibly Unwanted Applications. +# Default: no +#DetectPUA yes + +# Exclude a specific PUA category. This directive can be used multiple times. +# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for +# the complete list of PUA categories. +# Default: Load all categories (if DetectPUA is activated) +#ExcludePUA NetTool +#ExcludePUA PWTool + +# Only include a specific PUA category. This directive can be used multiple +# times. +# Default: Load all categories (if DetectPUA is activated) +#IncludePUA Spy +#IncludePUA Scanner +#IncludePUA RAT + +# This option causes memory or nested map scans to dump the content to disk. +# If you turn on this option, more data is written to disk and is available +# when the LeaveTemporaryFiles option is enabled. +#ForceToDisk yes + +# This option allows you to disable the caching feature of the engine. By +# default, the engine will store an MD5 in a cache of any files that are +# not flagged as virus or that hit limits checks. Disabling the cache will +# have a negative performance impact on large scans. +# Default: no +#DisableCache yes + +# In some cases (eg. 
complex malware, exploits in graphic files, and others), +# ClamAV uses special algorithms to detect abnormal patterns and behaviors that +# may be malicious. This option enables alerting on such heuristically +# detected potential threats. +# Default: yes +#HeuristicAlerts yes + +# Allow heuristic alerts to take precedence. +# When enabled, if a heuristic scan (such as phishingScan) detects +# a possible virus/phish it will stop scan immediately. Recommended, saves CPU +# scan-time. +# When disabled, virus/phish detected by heuristic scans will be reported only +# at the end of a scan. If an archive contains both a heuristically detected +# virus/phish, and a real malware, the real malware will be reported +# +# Keep this disabled if you intend to handle "*.Heuristics.*" viruses +# differently from "real" malware. +# If a non-heuristically-detected virus (signature-based) is found first, +# the scan is interrupted immediately, regardless of this config option. +# +# Default: no +#HeuristicScanPrecedence yes + + +## +## Heuristic Alerts +## + +# With this option clamav will try to detect broken executables (both PE and +# ELF) and alert on them with the Broken.Executable heuristic signature. +# Default: no +#AlertBrokenExecutables yes + +# Alert on encrypted archives _and_ documents with heuristic signature +# (encrypted .zip, .7zip, .rar, .pdf). +# Default: no +#AlertEncrypted yes + +# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, +# .rar). +# Default: no +#AlertEncryptedArchive yes + +# Alert on encrypted archives with heuristic signature (encrypted .pdf). +# Default: no +#AlertEncryptedDoc yes + +# With this option enabled OLE2 files containing VBA macros, which were not +# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". +# Default: no +#AlertOLE2Macros yes + +# Alert on SSL mismatches in URLs, even if the URL isn't in the database. +# This can lead to false positives. 
+# Default: no
+#AlertPhishingSSLMismatch yes
+
+# Alert on cloaked URLs, even if URL isn't in database.
+# This can lead to false positives.
+# Default: no
+#AlertPhishingCloak yes
+
+# Alert on raw DMG image files containing partition intersections
+# Default: no
+#AlertPartitionIntersection yes
+
+
+##
+## Executable files
+##
+
+# PE stands for Portable Executable - it's an executable file format used
+# in all 32 and 64-bit versions of Windows operating systems. This option
+# allows ClamAV to perform a deeper analysis of executable files and it's also
+# required for decompression of popular executable packers such as UPX, FSG,
+# and Petite. If you turn off this option, the original files will still be
+# scanned, but without additional processing.
+# Default: yes
+#ScanPE yes
+
+# Certain PE files contain an authenticode signature. By default, we check
+# the signature chain in the PE file against a database of trusted and
+# revoked certificates if the file being scanned is marked as a virus.
+# If any certificate in the chain validates against any trusted root, but
+# does not match any revoked certificate, the file is marked as whitelisted.
+# If the file does match a revoked certificate, the file is marked as virus.
+# The following setting completely turns off authenticode verification.
+# Default: no
+#DisableCertCheck yes
+
+# Executable and Linking Format is a standard format for UN*X executables.
+# This option allows you to control the scanning of ELF files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanELF yes
+
+
+##
+## Documents
+##
+
+# This option enables scanning of OLE2 files, such as Microsoft Office
+# documents and .msi files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanOLE2 yes
+
+# This option enables scanning within PDF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanPDF yes
+
+# This option enables scanning within SWF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanSWF yes
+
+# This option enables scanning xml-based document files supported by libclamav.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanXMLDOCS yes
+
+# This option enables scanning of HWP3 files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanHWP3 yes
+
+
+##
+## Mail files
+##
+
+# Enable internal e-mail scanner.
+# If you turn off this option, the original files will still be scanned, but
+# without parsing individual messages/attachments.
+# Default: yes
+#ScanMail yes
+
+# Scan RFC1341 messages split over many emails.
+# You will need to periodically clean up $TemporaryDirectory/clamav-partial
+# directory.
+# WARNING: This option may open your system to a DoS attack.
+# Never use it on loaded servers.
+# Default: no
+#ScanPartialMessages yes
+
+# With this option enabled ClamAV will try to detect phishing attempts by using
+# HTML.Phishing and Email.Phishing NDB signatures.
+# Default: yes
+#PhishingSignatures no
+
+# With this option enabled ClamAV will try to detect phishing attempts by
+# analyzing URLs found in emails using WDB and PDB signature databases.
+# Default: yes
+#PhishingScanURLs no
+
+
+##
+## Data Loss Prevention (DLP)
+##
+
+# Enable the DLP module
+# Default: No
+#StructuredDataDetection yes
+
+# This option sets the lowest number of Credit Card numbers found in a file
+# to generate a detect.
+# Default: 3 +#StructuredMinCreditCardCount 5 + +# This option sets the lowest number of Social Security Numbers found +# in a file to generate a detect. +# Default: 3 +#StructuredMinSSNCount 5 + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxx-yy-zzzz +# Default: yes +#StructuredSSNFormatNormal yes + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxxyyzzzz +# Default: no +#StructuredSSNFormatStripped yes + + +## +## HTML +## + +# Perform HTML normalisation and decryption of MS Script Encoder code. +# Default: yes +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +#ScanHTML yes + + +## +## Archives +## + +# ClamAV can scan within archives and compressed files. +# If you turn off this option, the original files will still be scanned, but +# without unpacking and additional processing. +# Default: yes +#ScanArchive yes + + +## +## Limits +## + +# The options below protect your system against Denial of Service attacks +# using archive bombs. + +# This option sets the maximum amount of time to a scan may take. +# In this version, this field only affects the scan time of ZIP archives. +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result allow scanning +# of certain files to lock up the scanning process/threads resulting in a +# Denial of Service. +# Time is in milliseconds. +# Default: 120000 +#MaxScanTime 300000 + +# This option sets the maximum amount of data to be scanned for each input +# file. Archives and other containers are recursively extracted and scanned +# up to this value. +# Value of 0 disables the limit +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 100M +#MaxScanSize 150M + +# Files larger than this limit won't be scanned. 
Affects the input file itself +# as well as files contained inside it (when the input file is an archive, a +# document or some other kind of container). +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 25M +#MaxFileSize 30M + +# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR +# file, all files within it will also be scanned. This options specifies how +# deeply the process should be continued. +# Note: setting this limit too high may result in severe damage to the system. +# Default: 16 +#MaxRecursion 10 + +# Number of files to be scanned within an archive, a document, or any other +# container file. +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10000 +#MaxFiles 15000 + +# Maximum size of a file to check for embedded PE. Files larger than this value +# will skip the additional analysis step. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10M +#MaxEmbeddedPE 10M + +# Maximum size of a HTML file to normalize. HTML files larger than this value +# will not be normalized or scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10M +#MaxHTMLNormalize 10M + +# Maximum size of a normalized HTML file to scan. HTML files larger than this +# value after normalization will not be scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 2M +#MaxHTMLNoTags 2M + +# Maximum size of a script file to normalize. Script content larger than this +# value will not be normalized or scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. 
+# Default: 5M
+#MaxScriptNormalize 5M
+
+# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
+# than this value will skip the step to potentially reanalyze as PE.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 1M
+#MaxZipTypeRcg 1M
+
+# This option sets the maximum number of partitions of a raw disk image to be
+# scanned.
+# Raw disk images with more partitions than this value will have up to
+# the value number partitions scanned. Negative values are not allowed.
+# Note: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 50
+#MaxPartitions 128
+
+# This option sets the maximum number of icons within a PE to be scanned.
+# PE files with more icons than this value will have up to the value number
+# icons scanned.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 100
+#MaxIconsPE 200
+
+# This option sets the maximum recursive calls for HWP3 parsing during
+# scanning. HWP3 files using more than this limit will be terminated and
+# alert the user.
+# Scans will be unable to scan any HWP3 attachments if the recursive limit
+# is reached.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 16
+#MaxRecHWP3 16
+
+# This option sets the maximum calls to the PCRE match function during
+# an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user
+# but the scan will continue.
+# For more information on match_limit, see the PCRE documentation.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may severely impact performance.
+# Default: 100000
+#PCREMatchLimit 20000
+
+# This option sets the maximum recursive calls to the PCRE match function
+# during an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user +# but the scan will continue. +# For more information on match_limit_recursion, see the PCRE documentation. +# Negative values are not allowed and values > PCREMatchLimit are superfluous. +# WARNING: setting this limit too high may severely impact performance. +# Default: 2000 +#PCRERecMatchLimit 10000 + +# This option sets the maximum filesize for which PCRE subsigs will be +# executed. Files exceeding this limit will not have PCRE subsigs executed +# unless a subsig is encompassed to a smaller buffer. +# Negative values are not allowed. +# Setting this value to zero disables the limit. +# WARNING: setting this limit too high or disabling it may severely impact +# performance. +# Default: 25M +#PCREMaxFileSize 100M + +# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or +# MaxRecursion limit will be flagged with the virus +# "Heuristics.Limits.Exceeded". +# Default: no +#AlertExceedsMax yes + +## +## On-access Scan Settings +## + +# Don't scan files larger than OnAccessMaxFileSize +# Value of 0 disables the limit. +# Default: 5M +#OnAccessMaxFileSize 10M + +# Max number of scanning threads to allocate to the OnAccess thread pool at +# startup. These threads are the ones responsible for creating a connection +# with the daemon and kicking off scanning after an event has been processed. +# To prevent clamonacc from consuming all clamd's resources keep this lower +# than clamd's max threads. +# Default: 5 +#OnAccessMaxThreads 10 + +# Max amount of time (in milliseconds) that the OnAccess client should spend +# for every connect, send, and recieve attempt when communicating with clamd +# via curl. +# Default: 5000 (5 seconds) +# OnAccessCurlTimeout 10000 + +# Toggles dynamic directory determination. Allows for recursively watching +# include paths. +# Default: no +#OnAccessDisableDDD yes + +# Set the include paths (all files inside them will be scanned). 
You can have +# multiple OnAccessIncludePath directives but each directory must be added +# in a separate line. +# Default: disabled +#OnAccessIncludePath /home +#OnAccessIncludePath /students + +# Set the exclude paths. All subdirectories are also excluded. +# Default: disabled +#OnAccessExcludePath /home/user + +# Modifies fanotify blocking behaviour when handling permission events. +# If off, fanotify will only notify if the file scanned is a virus, +# and not perform any blocking. +# Default: no +#OnAccessPrevention yes + +# When using prevention, if this option is turned on, any errors that occur +# during scanning will result in the event attempt being denied. This could +# potentially lead to unwanted system behaviour with certain configurations, +# so the client defaults this to off and prefers allowing access events in +# case of scan or connection error. +# Default: no +#OnAccessDenyOnError yes + +# Toggles extra scanning and notifications when a file or directory is +# created or moved. +# Requires the DDD system to kick-off extra scans. +# Default: no +#OnAccessExtraScanning yes + +# Set the mount point to be scanned. The mount point specified, or the mount +# point containing the specified directory will be watched. If any directories +# are specified, this option will preempt (disable and ignore all options +# related to) the DDD system. This option will result in verdicts only. +# Note that prevention is explicitly disallowed to prevent common, fatal +# misconfigurations. (e.g. watching "/" with prevention on and no exclusions +# made on vital system directories) +# It can be used multiple times. +# Default: disabled +#OnAccessMountPath / +#OnAccessMountPath /home/user + +# With this option you can whitelist the root UID (0). Processes run under +# root with be able to access all files without triggering scans or +# permission denied events. 
+# Note that if clamd cannot check the uid of the process that generated an
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
+# the process already exited), clamd will perform a scan. Thus, setting
+# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
+# root user from triggering a scan (unless OnAccessPrevention is enabled).
+# Default: no
+#OnAccessExcludeRootUID no
+
+# With this option you can whitelist specific UIDs. Processes with these UIDs
+# will be able to access all files without triggering scans or permission
+# denied events.
+# This option can be used multiple times (one per line).
+# Using a value of 0 on any line will disable this option entirely.
+# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
+# option.
+# Also note that if clamd cannot check the uid of the process that generated an
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
+# the process already exited), clamd will perform a scan. Thus, setting
+# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
+# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
+# Default: disabled
+#OnAccessExcludeUID -1
+
+# This option allows exclusions via user names when using the on-access
+# scanning client. It can be used multiple times.
+# It has the same potential race condition limitations of the
+# OnAccessExcludeUID option.
+# Default: disabled
+#OnAccessExcludeUname clamav
+
+# Number of times the OnAccess client will retry a failed scan due to
+# connection problems (or other issues).
+# Default: 0
+#OnAccessRetryAttempts 3
+
+##
+## Bytecode
+##
+
+# With this option enabled ClamAV will load bytecode from the database.
+# It is highly recommended you keep this option on, otherwise you'll miss
+# detections for many new viruses.
+# Default: yes
+#Bytecode yes
+
+# Set bytecode security level.
+# Possible values:
+# None - No security at all, meant for debugging.
+# DO NOT USE THIS ON PRODUCTION SYSTEMS.
+# This value is only available if clamav was built
+# with --enable-debug!
+# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
+# runtime safety checks for bytecode loaded from other sources.
+# Paranoid - Don't trust any bytecode, insert runtime checks for all.
+# Recommended: TrustSigned, because bytecode in .cvd files already has these
+# checks.
+# Note that by default only signed bytecode is loaded, currently you can only
+# load unsigned bytecode in --enable-debug mode.
+#
+# Default: TrustSigned
+#BytecodeSecurity TrustSigned
+
+# Set bytecode timeout in milliseconds.
+#
+# Default: 5000
+# BytecodeTimeout 1000
+
diff --git a/clamd.d/scan.conf.rpmsave b/clamd.d/scan.conf.rpmsave
new file mode 100644
index 0000000..3d2bab0
--- /dev/null
+++ b/clamd.d/scan.conf.rpmsave
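Review bot: No listener is configured in clamd.d/scan.conf.rpmnew: `LocalSocket` and `TCPSocket` are both commented out, and the file's own comment gives the local socket default as "disabled (must be specified by a user)", so this file cannot stand in for the live scan.conf as committed. When it is merged, enable the local socket together with its access controls, because the comment on `LocalSocketMode` states that the default leaves the socket world accessible: `LocalSocket /run/clamd.scan/clamd.sock`, `LocalSocketGroup virusgroup`, `LocalSocketMode 660`. The `.rpmnew` suffix suggests this is the packaged default left beside a locally modified file; once its changes are merged it is better removed from the tracked tree so that it is not later mistaken for the active configuration.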
@@ -0,0 +1,674 @@
+##
+## Example config file for the Clam AV daemon
+## Please read the clamd.conf(5) manual before editing this file.
+##
+
+
+# Comment or remove the line below.
+#Example
+
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+# Default: disabled
+LogFile /var/log/clamd.scan
+
+# By default the log file is locked for writing - the lock protects against
+# running clamd multiple times (if want to run another clamd, please
+# copy the configuration file, change the LogFile variable, and run
+# the daemon with --config-file option).
+# This option disables log file locking.
+# Default: no
+#LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
+# rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+#LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+LogTime yes
+
+# Also log clean files. Useful in debugging but drastically increases the
+# log size.
+# Default: no
+#LogClean yes
+
+# Use system logger (can work together with LogFile).
+# Default: no
+LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+LogRotate yes
+
+# Log additional information about the infected file, such as its
+# size and hash, together with the virus name.
+ExtendedDetectionInfo yes
+
+# This option allows you to save a process identifier of the listening
+# daemon (main thread).
+# Default: disabled
+PidFile /var/run/clamd.scan/clamd.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+TemporaryDirectory /var/tmp
+
+# Path to the database directory.
+# Default: hardcoded (depends on installation options)
+DatabaseDirectory /var/clamav
+
+# Only load the official signatures published by the ClamAV project.
+# Default: no
+#OfficialDatabaseOnly no
+
+# The daemon can work in local mode, network mode or both.
+# Due to security reasons we recommend the local mode.
+
+# Path to a local socket file the daemon will listen on.
+# Default: disabled (must be specified by a user)
+LocalSocket /var/run/clamav/clamd.sock
+
+# Sets the group ownership on the unix socket.
+# Default: disabled (the primary group of the user running clamd)
+#LocalSocketGroup virusgroup
+
+# Sets the permissions on the unix socket to the specified mode.
+# Default: disabled (socket is world accessible)
+#LocalSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+# Default: yes
+#FixStaleSocket yes
+
+# TCP port address.
+# Default: no
+#TCPSocket 3310
+
+# TCP address.
+# By default we bind to INADDR_ANY, probably not wise.
+# Enable the following to provide some degree of protection
+# from the outside world. This option can be specified multiple
+# times if you want to listen on multiple IPs. IPv6 is now supported.
+# Default: no
+#TCPAddr 127.0.0.1
+
+# Maximum length the queue of pending connections may grow to.
+# Default: 200
+#MaxConnectionQueueLength 30
+
+# Clamd uses FTP-like protocol to receive data from remote clients.
+# If you are using clamav-milter to balance load between remote clamd daemons
+# on firewall servers you may need to tune the options below.
+
+# Close the connection when the data size limit is exceeded.
+# The value should match your MTA's limit for a maximum attachment size.
+# Default: 25M
+#StreamMaxLength 10M
+
+# Limit port range.
+# Default: 1024
+#StreamMinPort 30000
+# Default: 2048
+#StreamMaxPort 32000
+
+# Maximum number of threads running at the same time.
+# Default: 10
+#MaxThreads 20
+
+# Waiting for data from a client socket will timeout after this time (seconds).
+# Default: 120
+#ReadTimeout 300
+
+# This option specifies the time (in seconds) after which clamd should
+# timeout if a client doesn't provide any initial command after connecting.
+# Default: 5
+#CommandReadTimeout 5
+
+# This option specifies how long to wait (in miliseconds) if the send buffer is full.
+# Keep this value low to prevent clamd hanging
+#
+# Default: 500
+#SendBufTimeout 200
+
+# Maximum number of queued items (including those being processed by MaxThreads threads)
+# It is recommended to have this value at least twice MaxThreads if possible.
+# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
+# the following condition should hold:
+# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
+#
+# Default: 100
+#MaxQueue 200
+
+# Waiting for a new job will timeout after this time (seconds).
+# Default: 30
+#IdleTimeout 60
+
+# Don't scan files and directories matching regex
+# This directive can be used multiple times
+# Default: scan all
+#ExcludePath ^/proc/
+#ExcludePath ^/sys/
+
+# Maximum depth directories are scanned at.
+# Default: 15
+#MaxDirectoryRecursion 20
+
+# Follow directory symlinks.
+# Default: no
+#FollowDirectorySymlinks yes
+
+# Follow regular file symlinks.
+# Default: no
+#FollowFileSymlinks yes
+
+# Scan files and directories on other filesystems.
+# Default: yes
+#CrossFilesystems yes
+
+# Perform a database check.
+# Default: 600 (10 min)
+#SelfCheck 600
+
+# Execute a command when virus is found. In the command string %v will
+# be replaced with the virus name.
+# Default: no
+#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
+
+# Run as another user (clamd must be started by root for this option to work)
+# Default: don't drop privileges
+User amavis
+
+# Initialize supplementary group access (clamd must be started by root).
+# Default: no
+AllowSupplementaryGroups yes
+
+# Stop daemon when libclamav reports out of memory condition.
+#ExitOnOOM yes
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Do not remove temporary files (for debug purposes).
+# Default: no
+#LeaveTemporaryFiles yes
+
+# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
+# any ALLMATCHSCAN command as invalid.
+# Default: yes
+#AllowAllMatchScan no
+
+# Detect Possibly Unwanted Applications.
+# Default: no
+#DetectPUA yes
+
+# Exclude a specific PUA category. This directive can be used multiple times.
+# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
+# the complete list of PUA categories.
+# Default: Load all categories (if DetectPUA is activated)
+#ExcludePUA NetTool
+#ExcludePUA PWTool
+
+# Only include a specific PUA category. This directive can be used multiple
+# times.
+# Default: Load all categories (if DetectPUA is activated)
+#IncludePUA Spy
+#IncludePUA Scanner
+#IncludePUA RAT
+
+# In some cases (eg. complex malware, exploits in graphic files, and others),
+# ClamAV uses special algorithms to provide accurate detection. This option
+# controls the algorithmic detection.
+# Default: yes
+#AlgorithmicDetection yes
+
+# This option causes memory or nested map scans to dump the content to disk.
+# If you turn on this option, more data is written to disk and is available
+# when the LeaveTemporaryFiles option is enabled.
+#ForceToDisk yes
+
+# This option allows you to disable the caching feature of the engine. By
+# default, the engine will store an MD5 in a cache of any files that are
+# not flagged as virus or that hit limits checks. Disabling the cache will
+# have a negative performance impact on large scans.
+# Default: no
+#DisableCache yes
+
+##
+## Executable files
+##
+
+# PE stands for Portable Executable - it's an executable file format used
+# in all 32 and 64-bit versions of Windows operating systems. This option allows
+# ClamAV to perform a deeper analysis of executable files and it's also
+# required for decompression of popular executable packers such as UPX, FSG,
+# and Petite. If you turn off this option, the original files will still be
+# scanned, but without additional processing.
+# Default: yes
+#ScanPE yes
+
+# Certain PE files contain an authenticode signature. By default, we check
+# the signature chain in the PE file against a database of trusted and
+# revoked certificates if the file being scanned is marked as a virus.
+# If any certificate in the chain validates against any trusted root, but
+# does not match any revoked certificate, the file is marked as whitelisted.
+# If the file does match a revoked certificate, the file is marked as virus.
+# The following setting completely turns off authenticode verification.
+# Default: no
+#DisableCertCheck yes
+
+# Executable and Linking Format is a standard format for UN*X executables.
+# This option allows you to control the scanning of ELF files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanELF yes
+
+# With this option clamav will try to detect broken executables (both PE and
+# ELF) and mark them as Broken.Executable.
+# Default: no
+#DetectBrokenExecutables yes
+
+
+##
+## Documents
+##
+
+# This option enables scanning of OLE2 files, such as Microsoft Office
+# documents and .msi files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanOLE2 yes
+
+# With this option enabled OLE2 files with VBA macros, which were not
+# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
+# Default: no
+#OLE2BlockMacros no
+
+# This option enables scanning within PDF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanPDF yes
+
+# This option enables scanning within SWF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanSWF yes
+
+# This option enables scanning xml-based document files supported by libclamav.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanXMLDOCS yes
+
+# This option enables scanning of HWP3 files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanHWP3 yes
+
+
+##
+## Mail files
+##
+
+# Enable internal e-mail scanner.
+# If you turn off this option, the original files will still be scanned, but
+# without parsing individual messages/attachments.
+# Default: yes
+#ScanMail yes
+
+# Scan RFC1341 messages split over many emails.
+# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
+# WARNING: This option may open your system to a DoS attack.
+# Never use it on loaded servers.
+# Default: no
+#ScanPartialMessages yes
+
+# With this option enabled ClamAV will try to detect phishing attempts by using
+# signatures.
+# Default: yes
+#PhishingSignatures yes
+
+# Scan URLs found in mails for phishing attempts using heuristics.
+# Default: yes
+#PhishingScanURLs yes
+
+# Always block SSL mismatches in URLs, even if the URL isn't in the database.
+# This can lead to false positives.
+#
+# Default: no
+#PhishingAlwaysBlockSSLMismatch no
+
+# Always block cloaked URLs, even if URL isn't in database.
+# This can lead to false positives.
+#
+# Default: no
+#PhishingAlwaysBlockCloak no
+
+# Detect partition intersections in raw disk images using heuristics.
+# Default: no
+#PartitionIntersection no
+
+# Allow heuristic match to take precedence.
+# When enabled, if a heuristic scan (such as phishingScan) detects
+# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
+# scan-time.
+# When disabled, virus/phish detected by heuristic scans will be reported only at
+# the end of a scan. If an archive contains both a heuristically detected
+# virus/phish, and a real malware, the real malware will be reported
+#
+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
+# differently from "real" malware.
+# If a non-heuristically-detected virus (signature-based) is found first,
+# the scan is interrupted immediately, regardless of this config option.
+#
+# Default: no
+#HeuristicScanPrecedence yes
+
+
+##
+## Data Loss Prevention (DLP)
+##
+
+# Enable the DLP module
+# Default: No
+#StructuredDataDetection yes
+
+# This option sets the lowest number of Credit Card numbers found in a file
+# to generate a detect.
+# Default: 3
+#StructuredMinCreditCardCount 5
+
+# This option sets the lowest number of Social Security Numbers found
+# in a file to generate a detect.
+# Default: 3
+#StructuredMinSSNCount 5
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxx-yy-zzzz
+# Default: yes
+#StructuredSSNFormatNormal yes
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxxyyzzzz
+# Default: no
+#StructuredSSNFormatStripped yes
+
+
+##
+## HTML
+##
+
+# Perform HTML normalisation and decryption of MS Script Encoder code.
+# Default: yes
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+#ScanHTML yes
+
+
+##
+## Archives
+##
+
+# ClamAV can scan within archives and compressed files.
+# If you turn off this option, the original files will still be scanned, but
+# without unpacking and additional processing.
+# Default: yes
+#ScanArchive yes
+
+# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
+# Default: no
+#ArchiveBlockEncrypted no
+
+
+##
+## Limits
+##
+
+# The options below protect your system against Denial of Service attacks
+# using archive bombs.
+
+# This option sets the maximum amount of data to be scanned for each input file.
+# Archives and other containers are recursively extracted and scanned up to this
+# value.
+# Value of 0 disables the limit
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 100M
+#MaxScanSize 150M
+
+# Files larger than this limit won't be scanned. Affects the input file itself
+# as well as files contained inside it (when the input file is an archive, a
+# document or some other kind of container).
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 25M
+#MaxFileSize 30M
+
+# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
+# file, all files within it will also be scanned. This options specifies how
+# deeply the process should be continued.
+# Note: setting this limit too high may result in severe damage to the system.
+# Default: 16
+#MaxRecursion 10
+
+# Number of files to be scanned within an archive, a document, or any other
+# container file.
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10000
+#MaxFiles 15000
+
+# Maximum size of a file to check for embedded PE. Files larger than this value
+# will skip the additional analysis step.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxEmbeddedPE 10M
+
+# Maximum size of a HTML file to normalize. HTML files larger than this value
+# will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxHTMLNormalize 10M
+
+# Maximum size of a normalized HTML file to scan. HTML files larger than this
+# value after normalization will not be scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 2M
+#MaxHTMLNoTags 2M
+
+# Maximum size of a script file to normalize. Script content larger than this
+# value will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 5M
+#MaxScriptNormalize 5M
+
+# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
+# than this value will skip the step to potentially reanalyze as PE.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 1M
+#MaxZipTypeRcg 1M
+
+# This option sets the maximum number of partitions of a raw disk image to be scanned.
+# Raw disk images with more partitions than this value will have up to the value number
+# partitions scanned. Negative values are not allowed.
+# Note: setting this limit too high may result in severe damage or impact performance.
+# Default: 50
+#MaxPartitions 128
+
+# This option sets the maximum number of icons within a PE to be scanned.
+# PE files with more icons than this value will have up to the value number icons scanned.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact performance.
+# Default: 100
+#MaxIconsPE 200
+
+# This option sets the maximum recursive calls for HWP3 parsing during scanning.
+# HWP3 files using more than this limit will be terminated and alert the user.
+# Scans will be unable to scan any HWP3 attachments if the recursive limit is reached.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact performance.
+# Default: 16
+#MaxRecHWP3 16
+
+# This option sets the maximum calls to the PCRE match function during an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user but the scan will continue.
+# For more information on match_limit, see the PCRE documentation.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may severely impact performance.
+# Default: 10000
+#PCREMatchLimit 20000
+
+# This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user but the scan will continue.
+# For more information on match_limit_recursion, see the PCRE documentation.
+# Negative values are not allowed and values > PCREMatchLimit are superfluous.
+# WARNING: setting this limit too high may severely impact performance.
+# Default: 5000
+#PCRERecMatchLimit 10000
+
+# This option sets the maximum filesize for which PCRE subsigs will be executed.
+# Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer.
+# Negative values are not allowed.
+# Setting this value to zero disables the limit.
+# WARNING: setting this limit too high or disabling it may severely impact performance.
+# Default: 25M
+#PCREMaxFileSize 100M
+
+
+##
+## On-access Scan Settings
+##
+
+# Enable on-access scanning. Currently, this is supported via fanotify.
+# Clamuko/Dazuko support has been deprecated.
+# Default: no
+#ScanOnAccess yes
+
+# Set the mount point to be scanned. The mount point specified, or the mount point
+# containing the specified directory will be watched. If any directories are specified,
+# this option will preempt the DDD system. This will notify only. It can be used multiple times.
+# (On-access scan only)
+# Default: disabled
+#OnAccessMountPath /
+#OnAccessMountPath /home/user
+
+# Don't scan files larger than OnAccessMaxFileSize
+# Value of 0 disables the limit.
+# Default: 5M
+#OnAccessMaxFileSize 10M
+
+# Set the include paths (all files inside them will be scanned). You can have
+# multiple OnAccessIncludePath directives but each directory must be added
+# in a separate line. (On-access scan only)
+# Default: disabled
+#OnAccessIncludePath /home
+#OnAccessIncludePath /students
+
+# Set the exclude paths. All subdirectories are also excluded.
+# (On-access scan only)
+# Default: disabled
+#OnAccessExcludePath /home/bofh
+
+# With this option you can whitelist specific UIDs. Processes with these UIDs
+# will be able to access all files.
+# This option can be used multiple times (one per line).
+# Default: disabled
+#OnAccessExcludeUID 0
+
+# Toggles dynamic directory determination. Allows for recursively watching include paths.
+# (On-access scan only)
+# Default: no
+#OnAccessDisableDDD yes
+
+# Modifies fanotify blocking behaviour when handling permission events.
+# If off, fanotify will only notify if the file scanned is a virus,
+# and not perform any blocking.
+# (On-access scan only)
+# Default: no
+#OnAccessPrevention yes
+
+# Toggles extra scanning and notifications when a file or directory is created or moved.
+# Requires the DDD system to kick-off extra scans.
+# (On-access scan only)
+# Default: no
+#OnAccessExtraScanning yes
+
+##
+## Bytecode
+##
+
+# With this option enabled ClamAV will load bytecode from the database.
+# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
+# Default: yes
+#Bytecode yes
+
+# Set bytecode security level.
+# Possible values:
+# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
+# This value is only available if clamav was built with --enable-debug!
+# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
+# insert runtime safety checks for bytecode loaded from other sources
+# Paranoid - don't trust any bytecode, insert runtime checks for all
+# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
+# Note that by default only signed bytecode is loaded, currently you can only
+# load unsigned bytecode in --enable-debug mode.
+#
+# Default: TrustSigned
+#BytecodeSecurity TrustSigned
+
+# Set bytecode timeout in miliseconds.
+#
+# Default: 5000
+# BytecodeTimeout 1000
+
+##
+## Statistics gathering and submitting
+##
+
+# Enable statistical reporting.
+# Default: no
+#StatsEnabled yes
+
+# Disable submission of individual PE sections for files flagged as malware.
+# Default: no
+#StatsPEDisabled yes
+
+# HostID in the form of an UUID to use when submitting statistical information.
+# Default: auto
+#StatsHostID auto
+
+# Time in seconds to wait for the stats server to come back with a response
+# Default: 10
+#StatsTimeout 10
diff --git a/cloud/cloud.cfg.rpmsave b/cloud/cloud.cfg.rpmsave
new file mode 100644
index 0000000..20689ce
--- /dev/null
+++ b/cloud/cloud.cfg.rpmsave
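Review bot: `LocalSocket /var/run/clamav/clamd.sock` is enabled while `#LocalSocketGroup virusgroup` and `#LocalSocketMode 660` stay commented out, and the file's own comment states that the default is then a world-accessible socket, so any local account can submit commands to the daemon that runs as `amavis`. If only the mail filter needs to reach clamd, restrict the socket with `LocalSocketGroup amavis` and `LocalSocketMode 660`; the group name is inferred from `User amavis` and should be checked against the real client. Because this is an `.rpmsave` copy, it is also worth confirming whether the live `scan.conf` carries the same setting.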
@@ -0,0 +1,69 @@
+users:
+ - default
+
+disable_root: 1
+ssh_pwauth: 0
+
+mount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service', '0', '2']
+resize_rootfs_tmp: /dev
+ssh_deletekeys: 0
+ssh_genkeytypes: ~
+syslog_fix_perms: ~
+disable_vmware_customization: false
+
+cloud_init_modules:
+ - disk_setup
+ - migrator
+ - bootcmd
+ - write-files
+ - growpart
+ - resizefs
+ - set_hostname
+ - update_hostname
+ - update_etc_hosts
+ - rsyslog
+ - users-groups
+ - ssh
+
+cloud_config_modules:
+ - mounts
+ - locale
+ - set-passwords
+ - rh_subscription
+ - yum-add-repo
+ - package-update-upgrade-install
+ - timezone
+ - puppet
+ - chef
+ - salt-minion
+ - mcollective
+ - disable-ec2-metadata
+ - runcmd
+
+cloud_final_modules:
+ - rightscale_userdata
+ - scripts-per-once
+ - scripts-per-boot
+ - scripts-per-instance
+ - scripts-user
+ - ssh-authkey-fingerprints
+ - keys-to-console
+ - phone-home
+ - final-message
+ - power-state-change
+
+system_info:
+ default_user:
+ name: centos
+ lock_passwd: true
+ gecos: Cloud User
+ groups: [adm, systemd-journal]
+ sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+ shell: /bin/bash
+ distro: rhel
+ paths:
+ cloud_dir: /var/lib/cloud
+ templates_dir: /etc/cloud/templates
+ ssh_svcname: sshd
+
+# vim:syntax=yaml
diff --git a/cockpit/ws-certs.d/0-self-signed-ca.pem b/cockpit/ws-certs.d/0-self-signed-ca.pem
new file mode 100644
index 0000000..ba2d95b
--- /dev/null
+++ b/cockpit/ws-certs.d/0-self-signed-ca.pem
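Review bot: `ssh_deletekeys: 0` tells cloud-init to keep the SSH host keys already present in the image, so every instance built from the same image would present the same host identity; `ssh_deletekeys: 1` lets each instance generate its own keys on first boot. The `default_user` block also grants `sudo: ["ALL=(ALL) NOPASSWD:ALL"]`, which leaves the `centos` account's SSH key as the only barrier to root and deserves a comment stating that this is intended. This is an `.rpmsave` copy, so whether these values are still in effect should be confirmed against the active `cloud.cfg`.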
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF7jCCA9agAwIBAgIIRBtsXU0RPN0wDQYJKoZIhvcNAQELBQAwbzELMAkGA1UE +BhMCVVMxKTAnBgNVBAoMIDk2MDY3Y2NlMjhlNzRlYWY5NmU1NTA2YTFkNmFlNjMx +MR8wHQYDVQQLDBZjYS00OTA3NjM1MzY2OTMxMDIxMDIxMRQwEgYDVQQDDAt6aXJh +Ljg5OC5ybzAeFw0yMDA5MjIwOTQ4MDJaFw0zMDExMTAwMjI4MDJaMG8xCzAJBgNV +BAYTAlVTMSkwJwYDVQQKDCA5NjA2N2NjZTI4ZTc0ZWFmOTZlNTUwNmExZDZhZTYz +MTEfMB0GA1UECwwWY2EtNDkwNzYzNTM2NjkzMTAyMTAyMTEUMBIGA1UEAwwLemly +YS44OTgucm8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCmsBDjel5b +t3yXcb0e1l+hMppQaarUP0Vjb8oYT8Ihj/40sAioc7w2SBvH7brCJFacJi37x9+r +ySfLV7uKgdUX96TvO4xyMgsl4VqWxWiv8avTTNLRlDl5sERnOfo3npyCbEs0J7Iu +T+x6I21B8bb3+GKFjlpRo1J76JjCwAnoa8hcsPpAUZjGlzXpbYU5U5dwtLPIysqG +SS8cAs/J6xGNvFActxrXx9vZQhzVfpyASiBvR6mwZAgMg7SYmZqwbkxr9BcF/WkF +U6RMQG5n9HDVbQWOQqNTwaZrUsqh5gSOzrI/ga74PEMz42Q9gLjU6egIwYsj+utQ +veUgspPLXjxYjxZYzkOB9p+Wx4EJHLDR01jVlO8LjxHaRozD7MEvmDvtSb5Ur2nL +QAI7cW1RYdwwHTCXMf2MVbxvlRBlT54ZszN7zpsS9UFuFQPUKE4T7CcDzC9Q8FSy +KIZHFN3IXHo71CTU4MDKNJSB9iz/+UMFg8nkP5oK15vN16E4kEGLsuiA++5aQae7 +J4UnnsMXIJemTdEJhrKSJIitAHQX0hqcSRDBr0/Q3oxTcUfENfNK5/PQsrlgdL8/ +5KKBKp901O28enYL7xleVw/fbHj0ETWGh/f6obh0LciOXCLTKloDpZ0JNvyFruSP +myaojno4z4Avc+N8FODZUVC4z1E0RO5v2wIDAQABo4GNMIGKMA4GA1UdDwEB/wQE +AwICpDAMBgNVHRMEBTADAQH/MDMGA1UdHgQsMCqgKDANggt6aXJhLjg5OC5ybzAL +gglsb2NhbGhvc3QwCocIfwAAAf////8wFgYDVR0RBA8wDYILemlyYS44OTgucm8w +HQYDVR0OBBYEFB4MRWnz5oM+WZi+YF2MCGMBp5VZMA0GCSqGSIb3DQEBCwUAA4IC +AQBKIymH8/ja26oNK64UQHVohIJ+uWE+o9GuUlcmOA8xbJLKlOiwB475bEH4KMRg +FPlwEWj4JvivnI8aCsjMMzaryh8+sDSEzjshms3/ovC8ATQ801bvY/tZf+O41k4s +ATULeJQpACIMqorDOgrHFZQKbLdUvCnRRtaAEfUchX6xFUgZMFtXlBs705l+VfN4 +73sGTfpfIj1ZuLH0t9Ftt/mA6saZsVvmCXfFeh1KjmNmS0za9SPXN9g/LdQr7zIo +pneGRX/RTebq41tiiNNMOSZZpuFuHxyNO9gSWcR8azsznCBA7pZvDgWR7pzMi+g2 +adBKj33KrGu6pBgv81LVCQ0jOkbcSq4lB9cLGYcxe97piZR9ZgGHpSWlNu5hljrx +qyZl9q68pQloGAHZQkaF61SkEzHgT9m500k8ORckZtwRZBCAdCwQMwNHjmNmTDq5 +owbGSqUX7Q6PJI4upv5g/7WG/wEJSURjCnlCHJWN0dKR27/cuXxX8magguRCrBCY 
+yMpIEk7y+m17On/cjFu9HFSfcuhKKn7LL3MQR6ylAy3u/hOoHaV72UrtgE3utemT +JhqhTJZWvRiMWffnXyXMWoJ9dFSfACuiHwX3neqcS5rEjna+UfVWRJK1tDBMZVbT +t9bvG+wCiJ8Jqv1IswxO6Auo1yW8O5OxZ90/w/R7d7cVNg== +-----END CERTIFICATE----- diff --git a/cockpit/ws-certs.d/0-self-signed.cert b/cockpit/ws-certs.d/0-self-signed.cert new file mode 100644 index 0000000..f7dfa57 --- /dev/null +++ b/cockpit/ws-certs.d/0-self-signed.cert 
@@ -0,0 +1,56 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCaqrN0aQ7GBu7C +Po0w1ZXeVKOQ3rCUxcK+746lxu59oVWMvE7JAESXxM1KrIbQU+BQq/Kzlj2wFOLL +hrondb8JBG5ORMHgs70bNztsuFbrgxoUwROgB9oA1iGPkJFtMWZmVgQSRjrd9E8A +IymiBmCs9EWuBZ89UiRYcqCHfZ7/wB8JVMvoH4udLL6fc8QQn03hbuv0liXmGqvA +aiGR35HWPbm+Un4fOUdRLGjChiFlDgFO6zv5D6hDlEt3hl3gU6IWndQ2Nc05vmCN +Yol6CFJ+b85Tqofw0omvWjPyDpRoYmQIQLwomZZgrk4HTkwQBtcExOl6cYVqFwDc +89AdOfSRAgMBAAECggEAVQfPzQoNAzXAga3d9aEW2bpyiizDq6bloA8Xv3AUoaDW +5Z6JOdwZ2c5qhsk+/L2ALxm5Pp40n997qCUTpqoHMq/q7MDETgLCznmZA/Z8YtIa +vpo/bdWjNp6CqOjz6rIj99MGPf26U1gDLrImK1uSPsO0oy2YFCBatv2d359ikHt2 +KUC/c+EyOEfp5udd0DmwhMrm1H7+sCHXqKNoQWkqlXa5BqNK7u3mDC1Ujjkc2/Zu +3OftK1n5AP9ly1pzNj4Ba5TkhvXAyFB/PWTl2sExjEfWFieNXbWpmZzJIs5H89sD +oNYz//KbwAzNiDc+GMRx4svJV79rIkY5UJFKqDZkmQKBgQDN4L16Xg4glT4VYO4Z +PtQUYBQ3OL7NLX3OEF5kVXoC/mZwyn1BSjJweGRPJWhROO9WgiOv2+QIUC2j9scS +wezodvWetdixnETcuxA8AoqCUiJqPy7Q+I835Qpa5JGaH2Hyz++Ng8B8JrT2UYFl +vigg3aCJ3XL+IWN8oyY7912dCwKBgQDAUj/c4cF0oG/nOV50qql4PZ4YI7+tiO7j +x8/vgaXjbtwOYb98DXNB6+YmWXLwm2RgoF3OrjUoToPdfz08a5j9VsxYX+8B9wT2 +7Sn29NkVlI3VGGElDHLYCngSdyzIehA0iu/90OVam+hzDtKquK2fzixYMuFDVQa0 +/X1oxGJeUwKBgQDBzwKwcmB8PeKe/4vFSkceE0CUp5++yUd4OCKT83+T1+eZ4JU/ +ZFjNVhigBUgJxj5RQtvTjn5BcTE1/Hd1agfa4zngObIPqVuOK69hvsajXiy1tlsd +MBCq/rvbyvZij46GpUcPAmuutEWA6EOXAwcFwX2Cq2y4XbgpOfEhXIHM9wKBgQCr +UxoNHReHW70UUKjyaW3a7Zk+i+ofH1Mgm0mDZQ1wk7t5HF7GlfzNBubZ1ulrqiI7 +aeDnU42LQJZ75POaNYfudzpGp/900qcbiZ7OnsQcU2AeKz+vD23nQzw/xuagGQ0C +oZq1kzgeBbGHffbxmt8g8zvRvlGp976n0QG9KOUwfQKBgQCRg28OZjjWJ7aX6a1Q +tpn5nzNKSjbKBABF+sHtlpbCUtctII77HteVVt9GiO2So0rWyBEUtu64agus1/LK +yrl1xhO45SL/aNYOhCTq4mO5kjjccI+7YfKnuEtjNu+rie7kqttKSwRDCKwMAHeJ +ZytGsZtBWcrbPeqVvwZPehzCyg== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIEuzCCAqOgAwIBAgIIAL+1yWTxNMwwDQYJKoZIhvcNAQELBQAwbzELMAkGA1UE +BhMCVVMxKTAnBgNVBAoMIDk2MDY3Y2NlMjhlNzRlYWY5NmU1NTA2YTFkNmFlNjMx +MR8wHQYDVQQLDBZjYS00OTA3NjM1MzY2OTMxMDIxMDIxMRQwEgYDVQQDDAt6aXJh 
+Ljg5OC5ybzAeFw0yMDA5MjIwOTQ4MDJaFw0zMDExMTAwMjI4MDJaME4xCzAJBgNV +BAYTAlVTMSkwJwYDVQQKDCA5NjA2N2NjZTI4ZTc0ZWFmOTZlNTUwNmExZDZhZTYz +MTEUMBIGA1UEAwwLemlyYS44OTgucm8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCaqrN0aQ7GBu7CPo0w1ZXeVKOQ3rCUxcK+746lxu59oVWMvE7JAESX +xM1KrIbQU+BQq/Kzlj2wFOLLhrondb8JBG5ORMHgs70bNztsuFbrgxoUwROgB9oA +1iGPkJFtMWZmVgQSRjrd9E8AIymiBmCs9EWuBZ89UiRYcqCHfZ7/wB8JVMvoH4ud +LL6fc8QQn03hbuv0liXmGqvAaiGR35HWPbm+Un4fOUdRLGjChiFlDgFO6zv5D6hD +lEt3hl3gU6IWndQ2Nc05vmCNYol6CFJ+b85Tqofw0omvWjPyDpRoYmQIQLwomZZg +rk4HTkwQBtcExOl6cYVqFwDc89AdOfSRAgMBAAGjfDB6MA4GA1UdDwEB/wQEAwIF +oDATBgNVHSUEDDAKBggrBgEFBQcDATAJBgNVHRMEAjAAMCcGA1UdEQQgMB6CC3pp +cmEuODk4LnJvgglsb2NhbGhvc3SHBH8AAAEwHwYDVR0jBBgwFoAUHgxFafPmgz5Z +mL5gXYwIYwGnlVkwDQYJKoZIhvcNAQELBQADggIBAHk0zcmMJy33NpV6DOJXXx/G +KR3s2v83iu6wkbsb8zDMS1Bpw2nNaNFvn/o8blqY037s780aHSXADkykE3zIUeO5 +y0E9E6EnJFLIAuOuGzSQOsuSicryI65G+7klNpu88gy1RJbaGzsV143CExQBfn82 +2NZd6/HiBV2yQiQcX4S5nw5+fG2pCw2Wh0wZfEAAwx/PfqP1C5Qpg/4GLEd60HTL +GxMQQU8oJ2LPOAZX9F02CEFxK+Kqv52u3CA5UvKEnArtJAvAFHxWBpyHZcDmKIQs +x6pIqTYhTZTSTXwE5/hcyHxaeS+aBhipRORkHMKzcV1F1yxtOKAMlL3JDrTk9NxK +ShMmeKKAr4ga7+UgeUSPGLG5HrZcr/aJ7T6v52IPONhSJLZ0i5C1/e9G0xHlD4dR +wD6FGBIDTigqfzPHwY2DrhEpTZe6Nd3s6zdHB16LK/tTLJHl97SBXE2P6U/iCTNX +RWB2PBabvjDmK6vh7klfLMNdrdaayH+u19TA9Owui4QUQs6bcobiXRQQedwraEkR +mQ4v3kJvi3YyNKcfIGEMnetF0QF/P9HibLHOYUukjxBv101SBXWJMCvGx9QpzQdm +fy2/KfOsS9EZ5hrQIzVydPX/BWWELey64avh6/Cqvx1TlrGqHJDXFQGP/iEe38aP +5wk6yQ25iJ717AWwRj0o +-----END CERTIFICATE----- diff --git a/colordiffrc b/colordiffrc new file mode 100644 index 0000000..e0598ed --- /dev/null +++ b/colordiffrc 
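Review bot: `cockpit/ws-certs.d/0-self-signed.cert` is added with an unencrypted `-----BEGIN PRIVATE KEY-----` block ahead of its certificate, so the TLS private key for the Cockpit web service becomes part of the repository history and is readable by anyone who can read the repository. Treat this key pair as exposed: regenerate the certificate and key on the host, and keep the file out of version control by adding `cockpit/ws-certs.d/0-self-signed.cert` to `/etc/.gitignore` before the next etckeeper commit. Removing the file in a later commit does not remove it from history, so any copy of this repository that has been pushed elsewhere would also need its history rewritten.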
@@ -0,0 +1,30 @@
+# Example colordiffrc file for dark backgrounds
+#
+# Set banner=no to suppress authorship info at top of
+# colordiff output
+banner=no
+# By default, when colordiff output is being redirected
+# to a file, it detects this and does not colour-highlight
+# To make the patch file *include* colours, change the option
+# below to 'yes'
+color_patches=no
+# Sometimes it can be useful to specify which diff command to
+# use: that can be specified here
+diff_cmd=diff
+#
+# available colours are: white, yellow, green, blue,
+# cyan, red, magenta, black,
+# darkwhite, darkyellow, darkgreen,
+# darkblue, darkcyan, darkred,
+# darkmagenta, darkblack
+#
+# Can also specify 'none', 'normal' or 'off' which are all
+# aliases for the same thing, namely "don't colour highlight
+# this, use the default output colour"
+#
+plain=off
+newtext=darkgreen
+oldtext=darkred
+diffstuff=darkcyan
+cvsstuff=cyan
+difffile=white
diff --git a/containerd/config.toml b/containerd/config.toml
new file mode 100644
index 0000000..ccbbd5b
--- /dev/null
+++ b/containerd/config.toml
@@ -0,0 +1,31 @@
+# Copyright 2018-2020 Docker Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+disabled_plugins = ["cri"]
+
+#root = "/var/lib/containerd"
+#state = "/run/containerd"
+#subreaper = true
+#oom_score = 0
+
+#[grpc]
+# address = "/run/containerd/containerd.sock"
+# uid = 0
+# gid = 0
+
+#[debug]
+# address = "/run/containerd/debug.sock"
+# uid = 0
+# gid = 0
+# level = "info"
diff --git a/cron.d/0hourly b/cron.d/0hourly
new file mode 100644
index 0000000..1ab8c17
--- /dev/null
+++ b/cron.d/0hourly
@@ -0,0 +1,5 @@
+# Run the hourly jobs
+SHELL=/bin/bash
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=root
+01 * * * * root run-parts /etc/cron.hourly
diff --git a/cron.d/clamav-unofficial-sigs b/cron.d/clamav-unofficial-sigs
new file mode 100644
index 0000000..86127a5
--- /dev/null
+++ b/cron.d/clamav-unofficial-sigs
@@ -0,0 +1,31 @@
+# https://eXtremeSHOK.com ######################################################
+# This file contains the cron settings for clamav-unofficial-sigs.sh
+###################
+# This is property of eXtremeSHOK.com
+# You are free to use, modify and distribute, however you may not remove this notice.
+# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
+##################
+#
+# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
+#
+# Originially based on:
+# Script provide by Bill Landry (unofficialsigs@gmail.com).
+#
+# License: BSD (Berkeley Software Distribution)
+#
+##################
+# Automatically Generated: Fri Oct 23 14:08:33 EEST 2020
+##################
+#
+# This cron file will execute the clamav-unofficial-sigs.sh script that
+# currently supports updating third-party signature databases provided
+# by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, etc.
+#
+# The script is set to run hourly, at a random minute past the hour, and the
+# script itself is set to randomize the actual execution time between
+# 60 - 600 seconds. To Adjust the cron values, edit your configs and run
+# bash clamav-unofficial-sigs.sh --install-cron to generate a new file.
+MAILTO=root
+1 0 * * * amavis [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --force && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --update && sudo systemctl restart clamd
+# https://eXtremeSHOK.com ######################################################
+
diff --git a/cron.d/csf-cron b/cron.d/csf-cron
new file mode 100644
index 0000000..42ce93b
--- /dev/null
+++ b/cron.d/csf-cron
@@ -0,0 +1 @@
+SHELL=/bin/sh
diff --git a/cron.d/csf_update b/cron.d/csf_update
new file mode 100644
index 0000000..573aa8b
--- /dev/null
+++ b/cron.d/csf_update
@@ -0,0 +1,2 @@
+SHELL=/bin/sh
+7 20 * * * root /usr/sbin/csf -u
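Review bot: In cron.d/clamav-unofficial-sigs the job line runs as `amavis` and ends with `sudo systemctl restart clamd`, which presumably only works if `amavis` has a passwordless sudo rule. That rule is not part of this hunk and should be limited to exactly that command rather than a broader grant. The header comment also says the script runs hourly at a random minute, while the schedule `1 0 * * *` runs it once a day at 00:01, and every run passes `--force` before `--update`. I would correct the comment to match the schedule, e.g. `# The script is set to run daily at 00:01.`, and record why `--force` is needed.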
diff --git a/cron.d/lfd-cron b/cron.d/lfd-cron
new file mode 100644
index 0000000..6e7553e
--- /dev/null
+++ b/cron.d/lfd-cron
@@ -0,0 +1,2 @@
+SHELL=/bin/sh
+0 0 * * * root /usr/sbin/csf --lfd restart > /dev/null 2>&1
diff --git a/cron.d/maldet_pub b/cron.d/maldet_pub
new file mode 100644
index 0000000..a74db20
--- /dev/null
+++ b/cron.d/maldet_pub
@@ -0,0 +1 @@
+*/5 * * * * root /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1
diff --git a/cron.daily/aide b/cron.daily/aide
new file mode 100755
index 0000000..29ddbc0
--- /dev/null
+++ b/cron.daily/aide
@@ -0,0 +1 @@
+18 01 * * * /usr/bin/perl /opt/aide.pl
diff --git a/cron.daily/csget b/cron.daily/csget
new file mode 100755
index 0000000..349bee8
--- /dev/null
+++ b/cron.daily/csget
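Review bot: cron.daily/aide is added with mode 100755, but its only line, `18 01 * * * /usr/bin/perl /opt/aide.pl`, is a crontab entry rather than a script. Files in cron.daily are executed, not parsed as crontab lines (the cron.d/0hourly hunk shows the same `run-parts` mechanism for cron.hourly), so the shell would try to run `18` as a command and the AIDE integrity check would presumably never start, with nothing reporting that it is missing. Either make the file a script, `#!/bin/sh` followed by `exec /usr/bin/perl /opt/aide.pl`, or move the entry to cron.d with a user field, `18 01 * * * root /usr/bin/perl /opt/aide.pl`.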
@@ -0,0 +1,90 @@
+#!/usr/bin/perl
+###############################################################################
+# Copyright 2006-2020, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+use strict;
+use warnings;
+use diagnostics;
+
+if (my $pid = fork) {
+ exit 0;
+} elsif (defined($pid)) {
+ $pid = $$;
+} else {
+ die "Error: Unable to fork: $!";
+}
+chdir("/");
+close (STDIN);
+close (STDOUT);
+close (STDERR);
+open STDIN, "<","/dev/null";
+open STDOUT, ">","/dev/null";
+open STDERR, ">","/dev/null";
+
+$0 = "ConfigServer Version Check";
+
+my @downloadservers = ("https://download.configserver.com", "https://download2.configserver.com");
+
+system("mkdir -p /var/lib/configserver/");
+system("rm -f /var/lib/configserver/*.txt /var/lib/configserver/*error");
+
+my $cmd;
+if (-e "/usr/bin/curl") {$cmd = "/usr/bin/curl -skLf -m 120 -o"}
+elsif (-e "/usr/bin/wget") {$cmd = "/usr/bin/wget -q -T 120 -O"}
+else {
+ open (my $ERROR, ">", "/var/lib/configserver/error");
+ print $ERROR "Cannot find /usr/bin/curl or /usr/bin/wget to retrieve product versions\n";
+ close ($ERROR);
+ exit;
+}
+my $GET;
+if (-e "/usr/bin/GET") {$GET = "/usr/bin/GET -sd -t 120"}
+
+my %versions;
+if (-e "/etc/csf/csf.pl") {$versions{"/csf/version.txt"} = "/var/lib/configserver/csf.txt"}
+if (-e "/etc/cxs/cxs.pl") {$versions{"/cxs/version.txt"} = "/var/lib/configserver/cxs.txt"}
+if (-e "/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmm.cgi") {$versions{"/cmm/cmmversion.txt"} = "/var/lib/configserver/cmm.txt"}
+if (-e "/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cse.cgi") {$versions{"/cse/cseversion.txt"} = "/var/lib/configserver/cse.txt"}
+if (-e "/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmq.cgi") {$versions{"/cmq/cmqversion.txt"} = "/var/lib/configserver/cmq.txt"}
+if (-e "/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmc.cgi") {$versions{"/cmc/cmcversion.txt"} = "/var/lib/configserver/cmc.txt"}
+if (-e "/etc/osm/osmd.pl") {$versions{"/osm/osmversion.txt"} = "/var/lib/configserver/osm.txt"}
+if (-e "/usr/msfe/version.txt") {$versions{"/version.txt"} = "/var/lib/configserver/msinstall.txt"}
+if (-e "/usr/msfe/msfeversion.txt") {$versions{"/msfeversion.txt"} = "/var/lib/configserver/msfe.txt"}
+
+if (scalar(keys %versions) == 0) {
+ unlink $0;
+ exit;
+}
+
+unless ($ARGV[0] eq "--nosleep") {
+ system("sleep",int(rand(60 * 60 * 6)));
+}
+for (my $x = @downloadservers; --$x;) {
+ my $y = int(rand($x+1));
+ if ($x == $y) {next}
+ @downloadservers[$x,$y] = @downloadservers[$y,$x];
+}
+
+foreach my $server (@downloadservers) {
+ foreach my $version (keys %versions) {
+ unless (-e $versions{$version}) {
+ if (-e $versions{$version}.".error") {unlink $versions{$version}.".error"}
+ my $status = system("$cmd $versions{$version} $server$version");
+# print "$cmd $versions{$version} $server$version\n";
+ if ($status) {
+ if ($GET ne "") {
+ open (my $ERROR, ">", $versions{$version}.".error");
+ print $ERROR "$server$version - ";
+ close ($ERROR);
+ my $GETstatus = system("$GET $server$version >> $versions{$version}".".error");
+ } else {
+ open (my $ERROR, ">", $versions{$version}.".error");
+ print $ERROR "Failed to retrieve latest version from ConfigServer";
+ close ($ERROR);
+ }
+ }
+ }
+ }
+}
diff --git a/cron.daily/etckeeper b/cron.daily/etckeeper
new file mode 100755
index 0000000..eb74401
--- /dev/null
+++ b/cron.daily/etckeeper
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+if [ -e /etc/etckeeper/daily ] && [ -e /etc/etckeeper/etckeeper.conf ]; then
+ . /etc/etckeeper/etckeeper.conf
+ if [ "$AVOID_DAILY_AUTOCOMMITS" != "1" ]; then
+ /etc/etckeeper/daily
+ fi
+fi
diff --git a/cron.daily/logrotate b/cron.daily/logrotate
new file mode 100755
index 0000000..cec101e
--- /dev/null
+++ b/cron.daily/logrotate
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+/usr/sbin/logrotate /etc/logrotate.conf
+EXITVALUE=$?
+if [ $EXITVALUE != 0 ]; then
+ /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
+fi
+exit $EXITVALUE
diff --git a/cron.daily/maldet b/cron.daily/maldet
new file mode 100755
index 0000000..5666139
--- /dev/null
+++ b/cron.daily/maldet
@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
+export LMDCRON=1
+inspath='/usr/local/maldetect'
+intcnf="$inspath/internals/internals.conf"
+
+if [ -f "$intcnf" ]; then
+ source $intcnf
+else
+ echo "\$intcnf not found."
+ exit 1
+fi
+if [ -f "$cnf" ]; then
+ source $cnf
+ if [ -f "$compatcnf" ]; then
+ source $compatcnf
+ fi
+else
+ echo "could not find \$cnf, fatal error, bye."
+ exit 1
+fi
+
+if [ -f "/etc/sysconfig/maldet" ]; then
+ . /etc/sysconfig/maldet
+elif [ -f "/etc/default/maldet" ]; then
+ . /etc/default/maldet
+fi
+
+if [ -f "$cron_custom_conf" ]; then
+ . $cron_custom_conf
+fi
+
+if [ -z "$scan_days" ]; then
+ scan_days=1
+fi
+
+if [ -z "$cron_prune_days" ]; then
+ cron_prune_days=21
+fi
+
+if [ "$find" ]; then
+ # prune any quarantine/session/tmp data older than 7 days
+ tmpdirs="$tmpdir $varlibpath/sess $varlibpath/quarantine $varlibpath/pub"
+ for dir in $tmpdirs; do
+ if [ -d "$dir" ]; then
+ $find $dir -type f -mtime +${cron_prune_days} -print0 | xargs -0 rm -f >> /dev/null 2>&1
+ fi
+ done
+fi
+
+if [ "$autoupdate_version" == "1" ] || [ "$autoupdate_signatures" == "1" ]; then
+ # sleep for random 1-999s interval to better distribute upstream load
+ sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
+fi
+
+if [ "$autoupdate_version" == "1" ]; then
+ # check for new release version
+ $inspath/maldet -d >> /dev/null 2>&1
+fi
+
+if [ "$autoupdate_signatures" == "1" ]; then
+ # check for new definition set
+ $inspath/maldet -u >> /dev/null 2>&1
+fi
+
+# if we're running inotify monitoring, send daily hit summary
+if [ "$(ps -A --user root -o "cmd" | grep -E maldetect | grep -E inotifywait)" ]; then
+ $inspath/maldet --monitor-report >> /dev/null 2>&1
+elif [ "$cron_daily_scan" == "1" ]; then
+ if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
+ # ensim
+ $inspath/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ $scan_days >> /dev/null 2>&1
+ elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
+ # psa
+ $inspath/maldet -b -r /var/www/vhosts/?/ $scan_days >> /dev/null 2>&1
+ elif [ -d "/usr/local/directadmin" ]; then
+ # DirectAdmin
+ $inspath/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ $scan_days >> /dev/null 2>&1
+ elif [ -d "/var/www/clients" ]; then
+ # ISPConfig
+ $inspath/maldet -b -r /var/www/clients/?/web?/web,/var/www/clients/?/web?/subdomains,/var/www $scan_days >> /dev/null 2>&1
+ elif [ -d "/etc/webmin/virtual-server" ]; then
+ # Virtualmin
+ $inspath/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ $scan_days >> /dev/null 2>&1
+ elif [ -d "/usr/local/ispmgr" ] || [ -d "/usr/local/mgr5" ]; then
+ # ISPmanager
+ $inspath/maldet -b -r /var/www/?/data/,/home/?/data/ $scan_days >> /dev/null 2>&1
+ elif [ -d "/var/customers/webs" ]; then
+ # froxlor
+ $inspath/maldet -b -r /var/customers/webs/ $scan_days >> /dev/null 2>&1
+ elif [ -d "/usr/local/vesta" ]; then
+ # VestaCP
+ $inspath/maldet -b -r /home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/,/home/?/web/?/private/ $scan_days >> /dev/null 2>&1
+ elif [ -d "/usr/share/dtc" ]; then
+ # DTC
+ if [ -f /var/lib/dtc/saved_install_config ]; then
+ . /var/lib/dtc/saved_install_config
+ fi
+ $inspath/maldet -b -r ${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/ $scan_days >> /dev/null 2>&1
+ else
+ # cpanel, interworx and other standard home/user/public_html setups
+ $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
+ fi
+fi
+
+if [ -f "$cron_custom_exec" ]; then
+ . $cron_custom_exec
+fi
diff --git a/cron.daily/rkhunter b/cron.daily/rkhunter
new file mode 100755
index 0000000..1e85c8e
--- /dev/null
+++ b/cron.daily/rkhunter
@@ -0,0 +1,57 @@
+#!/bin/sh
+# 01-rkhunter A shell script to update and run rkhunter via CRON
+
+XITVAL=0
+
+# Get a secure tempfile
+TMPFILE1=`/bin/mktemp -p /var/lib/rkhunter rkhcronlog.XXXXXXXXXX` || exit 1
+
+if [ ! -e /var/lock/subsys/rkhunter ]; then
+
+ # Try to keep the SysInit boot scan from colliding with us (highly unlikely)
+ /bin/touch /var/lock/subsys/rkhunter
+
+ # Source system configuration parameters.
+ if [ -e /etc/sysconfig/rkhunter ] ; then
+ . /etc/sysconfig/rkhunter
+ else
+ MAILTO=root@localhost
+ fi
+
+ # If a diagnostic mode scan was requested, setup the parameters
+ if [ "$DIAG_SCAN" = "yes" ]; then
+ RKHUNTER_FLAGS="--checkall --skip-keypress --nocolors --quiet --appendlog --display-logfile"
+ else
+ RKHUNTER_FLAGS="--cronjob --nocolors --report-warnings-only"
+ fi
+
+ # Set a few critical parameters
+ RKHUNTER=/usr/bin/rkhunter
+ LOGFILE=/var/log/rkhunter/rkhunter.log
+
+ # Run RootKit Hunter if available
+ if [ -x $RKHUNTER ]; then
+ /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ---------------------" \
+ > $TMPFILE1
+ /bin/nice -n 10 $RKHUNTER --update --nocolors 2>&1 >> $TMPFILE1
+ /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
+ >> $TMPFILE1
+ /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1
+ XITVAL=$?
+ /bin/echo -e "\n----------------------- End Rootkit Hunter Scan -----------------------" \
+ >> $TMPFILE1
+
+ if [ $XITVAL != 0 ]; then
+ /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
+ fi
+ /bin/cat $TMPFILE1 >> $LOGFILE
+ fi
+
+ # Delete the gating lockfile
+ /bin/rm -f /var/lock/subsys/rkhunter
+fi
+
+# Delete the secure tempfile
+/bin/rm -f $TMPFILE1
+
+exit $XITVAL
diff --git a/cron.deny b/cron.deny
new file mode 100644
index 0000000..e69de29
diff --git a/cron.hourly/0anacron b/cron.hourly/0anacron
new file mode 100755
index 0000000..027e8b7
--- /dev/null
+++ b/cron.hourly/0anacron
@@ -0,0 +1,27 @@
+#!/bin/sh
+# Check whether 0anacron was run today already
+if test -r /var/spool/anacron/cron.daily; then
+ day=`cat /var/spool/anacron/cron.daily`
+fi
+if [ `date +%Y%m%d` = "$day" ]; then
+ exit 0
+fi
+
+# Do not run jobs when on battery power
+online=1
+for psupply in AC ADP0 ; do
+ sysfile="/sys/class/power_supply/$psupply/online"
+
+ if [ -f $sysfile ] ; then
+ if [ `cat $sysfile 2>/dev/null`x = 1x ]; then
+ online=1
+ break
+ else
+ online=0
+ fi
+ fi
+done
+if [ $online = 0 ]; then
+ exit 0
+fi
+/usr/sbin/anacron -s
diff --git a/cron.hourly/awstats b/cron.hourly/awstats
new file mode 100755
index 0000000..c2a44ab
--- /dev/null
+++ b/cron.hourly/awstats
@@ -0,0 +1,3 @@
+#!/bin/bash
+exec /usr/share/awstats/tools/awstats_updateall.pl now -configdir="/etc/awstats" -awstatsprog="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" >/dev/null
+exit 0
diff --git a/cron.monthly/psacct b/cron.monthly/psacct
new file mode 100755
index 0000000..a803e7c
--- /dev/null
+++ b/cron.monthly/psacct
@@ -0,0 +1,9 @@
+#!/bin/sh
+echo -e "User stats\n"
+/bin/ac -p
+echo -e "root commands\n"
+/bin/lastcomm root | /bin/awk '{print $1}' | /bin/sort | /bin/uniq -c | /bin/sort -nr | /bin/head
+echo -e "User Logins\n"
+/bin/last | /bin/awk '{print $1}' | /bin/sort | /bin/uniq -c | /bin/sort -nr | /bin/head
+echo -e "Host Logins\n"
+/bin/last | /bin/awk '{print $3}' | /bin/sort | /bin/uniq -c | /bin/sort -nr | /bin/head
diff --git a/crontab b/crontab
new file mode 100644
index 0000000..c380767
--- /dev/null
+++ b/crontab
@@ -0,0 +1,15 @@
+SHELL=/bin/bash
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=root
+
+# For details see man 4 crontabs
+
+# Example of job definition:
+# .---------------- minute (0 - 59)
+# | .------------- hour (0 - 23)
+# | | .---------- day of month (1 - 31)
+# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
+# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+# | | | | |
+# * * * * * user-name command to be executed
+
diff --git a/crypto-policies/back-ends/bind.config b/crypto-policies/back-ends/bind.config
new file mode 120000
index 0000000..ffbe0e5
--- /dev/null
+++ b/crypto-policies/back-ends/bind.config
@@ -0,0 +1 @@
+/usr/share/crypto-policies/DEFAULT/bind.txt
\ No newline at end of file
diff --git a/crypto-policies/back-ends/gnutls.config b/crypto-policies/back-ends/gnutls.config
new file mode 120000
index 0000000..c59c36d
--- /dev/null
+++ b/crypto-policies/back-ends/gnutls.config
@@ -0,0 +1 @@
+/usr/share/crypto-policies/DEFAULT/gnutls.txt
\ No newline at end of file
diff --git a/crypto-policies/back-ends/java.config b/crypto-policies/back-ends/java.config
new file mode 120000
index 0000000..c5ded3a
--- /dev/null
+++ b/crypto-policies/back-ends/java.config
@@ -0,0 +1 @@
+/usr/share/crypto-policies/DEFAULT/java.txt
\ No newline at end of file
diff --git a/crypto-policies/back-ends/krb5.config b/crypto-policies/back-ends/krb5.config
new file mode 120000
index 0000000..dfa92ca
--- /dev/null
+++ b/crypto-policies/back-ends/krb5.config
@@ -0,0 +1 @@
+/usr/share/crypto-policies/DEFAULT/krb5.txt
\ No newline at end of file
diff --git a/crypto-policies/back-ends/libreswan.config b/crypto-policies/back-ends/libreswan.config
new file mode 120000
index 0000000..bad1a34
--- /dev/null
+++ b/crypto-policies/back-ends/libreswan.config
@@ -0,0 +1 @@
+/usr/share/crypto-policies/DEFAULT/libreswan.txt
\ No newline at end of file
diff --git a/crypto-policies/back-ends/libssh.config b/crypto-policies/back-ends/libssh.config new file mode 120000 index 0000000..9aeef89 --- /dev/null +++ b/crypto-policies/back-ends/libssh.config @@ -0,0 +1 @@ +/usr/share/crypto-policies/DEFAULT/libssh.txt \ No newline at end of file diff --git a/crypto-policies/back-ends/nss.config b/crypto-policies/back-ends/nss.config new file mode 100644 index 0000000..a35edba --- /dev/null +++ b/crypto-policies/back-ends/nss.config @@ -0,0 +1,10 @@ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" + + +name=p11-kit-proxy +library=p11-kit-proxy.so + + diff --git a/crypto-policies/back-ends/openssh.config b/crypto-policies/back-ends/openssh.config new file mode 120000 index 0000000..8cc67ec --- /dev/null +++ b/crypto-policies/back-ends/openssh.config @@ -0,0 +1 @@ +/usr/share/crypto-policies/DEFAULT/openssh.txt \ No newline at end of file diff --git a/crypto-policies/back-ends/opensshserver.config b/crypto-policies/back-ends/opensshserver.config new file mode 120000 index 0000000..0dd0619 --- /dev/null +++ b/crypto-policies/back-ends/opensshserver.config @@ -0,0 +1 @@ +/usr/share/crypto-policies/DEFAULT/opensshserver.txt \ No newline at end of file diff --git a/crypto-policies/back-ends/openssl.config b/crypto-policies/back-ends/openssl.config new file mode 120000 index 0000000..632d1b3 --- /dev/null +++ b/crypto-policies/back-ends/openssl.config @@ -0,0 +1 @@ +/usr/share/crypto-policies/DEFAULT/openssl.txt \ No newline at end of file diff --git a/crypto-policies/back-ends/opensslcnf.config b/crypto-policies/back-ends/opensslcnf.config new file mode 120000 index 0000000..4740381 --- /dev/null 
+++ b/crypto-policies/back-ends/opensslcnf.config
@@ -0,0 +1 @@
+/usr/share/crypto-policies/DEFAULT/opensslcnf.txt
\ No newline at end of file
diff --git a/crypto-policies/config b/crypto-policies/config
new file mode 100644
index 0000000..1b2860b
--- /dev/null
+++ b/crypto-policies/config
@@ -0,0 +1 @@
+DEFAULT
diff --git a/crypto-policies/local.d/nss-p11-kit.config b/crypto-policies/local.d/nss-p11-kit.config
new file mode 100644
index 0000000..0ebf073
--- /dev/null
+++ b/crypto-policies/local.d/nss-p11-kit.config
@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+
diff --git a/crypto-policies/state/CURRENT.pol b/crypto-policies/state/CURRENT.pol
new file mode 100644
index 0000000..b2618d6
--- /dev/null
+++ b/crypto-policies/state/CURRENT.pol
@@ -0,0 +1,22 @@ +# Current runtime policy dump +# DEFAULT +arbitrary_dh_groups = 1 +cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC +group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 +hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1 +ike_protocol = IKEv2 +key_exchange = ECDHE RSA DHE DHE-RSA PSK DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS +mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512 +min_dh_size = 2048 +min_dsa_size = 2048 +min_dtls_version = DTLS1.2 +min_rsa_size = 2048 +min_tls_version = TLS1.2 +protocol = TLS1.3 TLS1.2 DTLS1.2 +sha1_in_certs = 1 +sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384 ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED448 RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384 RSA-SHA2-384 RSA-SHA3-512 RSA-SHA2-512 ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 ECDSA-SHA1 RSA-PSS-SHA1 RSA-SHA1 +ssh_certs = 1 +ssh_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC +ssh_etm = 1 +ssh_group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 +tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC diff --git a/crypto-policies/state/current b/crypto-policies/state/current new file mode 100644 index 0000000..1b2860b --- /dev/null +++ b/crypto-policies/state/current @@ -0,0 +1 @@ +DEFAULT diff --git a/crypttab b/crypttab new file mode 100644 index 0000000..e69de29 diff --git a/csf.tgz b/csf.tgz new file mode 100644 index 0000000..92041be Binary files /dev/null and b/csf.tgz differ 
diff --git a/csf/alerts b/csf/alerts
new file mode 120000
index 0000000..7f5aa4a
--- /dev/null
+++ b/csf/alerts
@@ -0,0 +1 @@
+/usr/local/csf/tpl
\ No newline at end of file
diff --git a/csf/changelog.txt b/csf/changelog.txt
new file mode 100644
index 0000000..d7ddbbe
--- /dev/null
+++ b/csf/changelog.txt
@@ -0,0 +1,6013 @@ +ChangeLog: + +14.10 - Fixed error message regarding location/permissions to the iptables + binary in correctly referencing ip6tables + + Added PASV port range hole for VZ servers on cPanel for new installs + + Fixed MESSENGERV3 Apache tree search where ServerRoot is not configured + so that csf defaults to /etc/apache2/ so that relative Includes are + still defined correctly + + Modified LF_BIND regex to deal with new log field + +14.09 - Improvements to CC IP lookup binary search + + Modified index.recaptcha.php and index.php to use square instead of + deprecated curly brackets on array index for PHP v7.4+ + + Modified Server Check regex matching on include in dovecot config files + in RHEL v8+ + + Added workaround for iOS issue with bootstrap modals + + Added EOL messages to Server Check report + + Modified dovecot.conf parsing on cPanel for include_try in Server Check + + Modified Apache 404 regex to check for either "info" or "error" + + Added two new CLI options: --temprma [ip], --temprmd [ip]. This allows + distinction between allow and deny that does not exist for + --temprm [ip] + + Updated UI to offer either --temprma [ip] or --temprmd [ip] instead of + --temprm [ip] + + Added PHP v7.2 EOL notice to Server Report + +14.08 - Added missing images/ subdir to webmin and interworx installers + + Added new option LF_TEMP_EMAIL_ALERT. This allows the disabling of temp + IP block emails. It is enabled by default (send temp email alerts as + before) + +14.07 - Added missing images/ subdir to DA installer + +14.06 - If DOCKER is enabled and the iptables nat table exists, csf now creates + a DOCKER chain in the nat table for IPv4 + + cPanel additions to csf.pignore on new and existing installs + + Disable reputation service on error + + Added new options MESSENGERV3PERMS and MESSENGERV3GROUP for the + creation of the MESSENGER_USER public_html directory. 
See csf.conf for + information, defaults set for each install control panel type where + possible + + Added exe:/sbin/rngd to csf.pignore for new installations + +14.05 - Modified dovecot pop3d/imapd log line parsing to repeat single lines + reporting multiple login failure attempts + + Additional entries in csf.pignore for new installs on CyberPanel v2 + + cPanel additions to csf.pignore on new and existing installs + + Convert embedded IPv4 addresses in /proc/net/tcp6 back to IPv4 + +14.04 - Added two new options: CC_MESSENGER_ALLOW, CC_MESSENGER_DENY. These + options can control which Country Code IP blocks are redirected to the + MESSENGER service, if it is enabled + + Fixed some typos in csf.conf + + Added DirectAdmin diagnostics to the admin UI for session security + checks, together with a method to skip the checks if desired + +14.03 - Updated DSHIELD blocklist to use https + + Updated Server Check PHP EOL information + + Improved DA session checking + + Improved DA Server Check report + + Modified cpanel.comodo.allow and cpanel.comodo.ignore with an + additional IP address + + MESSENGERv3 now out of BETA testing + + Added UDP ports 80 and 443 to UDP_IN/UDP6_IN for new installations to + support QUIC/HTTP3 + + Modified DA regex for Roundcube v1.4+ + + Modified DIRECTADMIN_LOG_R to point to + /var/www/html/roundcube/logs/errors.log for Roundcube v1.4+ by default + on new installs and change for old installs if not already set + + Added a new DA regex for phpMyAdmin + + Modified iframe resizer on DA, thank you to Martynas @ DirectAdmin + + Updated Integrated User Interface documentation to point to the latest + Apache docs + + Added newly generated self-signed keys for lfd UI + + Updated Server Report descriptions for cPanel + + Updated Server Report for systemd processes + + Added back cPanel update check to the Server Report now that it has + been reinstated by cPanel + + Removed outdated Server Report checks + +14.02 - Added new BETA TESTING option: 
MESSENGERV3. This provides the MESSENGER + service utilising the local webserver. It currently supports Apache + v2.4+ and Litespeed/Openlitespeed. As the first iteration this likely + contains bugs and may not be suitable for production environments. See + csf.conf and readme.txt for more information + + Changed Country Code Lookup source to ipdeny.com + + Added CC_ALLOW_SMTPAUTH to all configurations for the benefit of + servers other than cPanel running Exim + + Modify CC_ALLOW_FILTER to allow RELATED, ESTABLISHED connections + through so that outgoing connection replies from remote sites not in + CC_ALLOW_FILTER are accepted + + Added a note in csf.conf regarding MESSENGER_CHILDREN, that + consideration needs to be made for local images displayed on the page. + The default has also been increased to 20 for new installations + + Modifications to MESSENGER server to speed up connection response time + and improve stability + + Modifications to LFD UI and CLUSTER server to improve stability + + Added SUDO login alerts: LF_SUDO_EMAIL_ALERT. This will send an email + alert using the sudoalert.txt template whenever there is a failed or + successful SUDO connection. SUDO_LOG must be set to the correct log + file. LF_SUDO_EMAIL_ALERT is disabled by default + + Added new entry in csf.pignore on cPanel servers for v86+: + exe:/usr/libexec/dovecot/imap-hibernate + + Added Server Check for EOL PHP v7.1 + + Removed cPanel update checks from the Server Report now that the + options are no longer available in cPanel v86+ + + NOTICE: We are deprecating support for Virtuozzo/OpenVZ servers. Future + releases will not take into consideration those platforms which have + become onerous to support. 
The software application may continue to + work but support and functionality is no longer guaranteed + +14.01 - Changed mailman listings in csf.pignore on cPanel servers to cater for + changes in python versions in RHEL v6/7 and 8 + + Fixed issue with CC_ALLOW_FILTER when not using IPSET but using + SAFECHAINUPDATE would cause the new chain to be created in the wrong + place by lfd when the zone is retrieved/updated + + Fixed issue when using CC_ALLOW_FILTER with IPSET enabled not adding + the final DROP rule in lfd + + Further modifications to support RHEL/CentOS v8 + + Fixed issues with MESSENGER and CLUSTER server listeners terminating + prematurely + +14.00 - Added alternative database for Country Code Lists and Settings. These + do not currently require logins/keys and in some cases are better + optimised. A new setting CC_SRC allows switching between sources. For + new installations these new sources are used. Existing installations + are configured to continue to use the MaxMind databases. See the + "Country Code Lists and Settings" section in /etc/csf/csf.conf for + detailed information + + Added binary locations for CURL and WGET which will be tried if data + retrieval fails when using the LWP perl module, e.g. on outdated OS's + + Added new option for URLGET setting "3". This allow the use of either + CURL or WGET instead of the perl modules + +13.12 - Modified CyberPanel installation to support move to python3 + +13.11 - Fixed interdependence issue between Country Code lookups and Country + Code filters in lfd introduced in v13.09 + + Improved MM_LICENSE_KEY error messages + +13.10 - Removed hard-coded date from MaxMind ASN url + +13.09 - Due to MaxMind changing their free download policy to require signup + and a license key, a new option MUST be configured to continue to use + Country Code lookups (CC_LOOKUPS). The option MM_LICENSE_KEY must be + set to the key obtained from the MaxMind site. 
See: + https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/ + https://www.maxmind.com/en/geolite2/signup + Note: Existing installations will continue to use downloaded d/b's from + before the MaxMind change, though may be cleared after CC_INTERVAL + + Changed CC_LOOKUPS option 4 from freegeoip.net to db-ip.com as the + former no longer exists + + Fixed System Stats graphs not displaying on CyberPanel + + Updated csf control panel reporting in version display + +13.08 - Added official CyberPanel integration and CyberPanel panel specific + configuration (only tested on CentOS v7) + + More changes to support RHEL/CentOS v8 + +13.07 - Added format requirements for ASN entries in CC_* settings + + Removed SSHDSPAM exploit check as it's no longer critically relevant + + Modifications to support RHEL/CentOS v8 + + Modified systemd service to cater for RHEL/CentOS v7.7 pidfile symlink + check changes + + Fixes and improvements to UI Ajax code + + Removed legacy bandmin code for cPanel servers and LF_CPANEL_BANDMIN + setting + + Modified default InterWorx csf.conf to set SMTP_ALLOWGROUP + appropriately for SMTP_BLOCK + +13.06 - Removed debugging code from log file globbing routine + + Fixed reseller UI HTML text for each supported control panel + + Replaced the need in InterWorx for a custom Firewall.php with a + preAction to intercept calls instead + + Moved csf in InterWorx to the Advanced section in Plugins UI + + Updated the InterWorx plugin.ini information to be more descriptive + +13.05 - Added official CentOS Web Panel (CWP) integration and CWP panel + specific configuration. 
See /etc/csf/readme.txt for more information + (only tested on CentOS v7) + + Added official VestaCP integration and VestaCP specific configuration + (only tested on CentOS v7) + + Additional entries to csf.pignore for new DirectAdmin installations + + Corrected DirectAdmin UI link text + + Fixed UI presentation HTML + + Fixed vsftpd regex for single character date of the month + + Modified Debian installation to detect ip(6)tables-legacy and use + update-alternatives to switch to using them + + Modified InterWorx installation to not use chattr on /etc/apf/apf stub + which was preventing apf upgrading. The lfd daemon will now reapply + the stub if needed + + Modified Server Check on DA to get case-insensitive config from the + binary rather than the directadmin.conf file + + Modified csf warning text on cPanel DNSONLY servers regarding the + smtpgidonlytweak to disable it from CLI as it is not currently possible + from the DNSONLY WHM UI + +13.04 - Fixed issue with ConfigServer::CheckIP generating incorrect IPv6 + addresses during validation using Net::CIDR::Lite + + Added UI entry for editing csf.reseller for DirectAdmin and InterWorx + +13.03 - Fixed PATH issue in DirectAdmin installer when used from within the UI + to upgrade + +13.02 - Removed perl CGI::Carp module use from the DirectAdmin reseller UI as + the module may not be present + +13.01 - Added reseller support in InterWorx + + Added reseller support in DirectAdmin + + Added login failure detection on InterWorx (v6.3.16+). If LF_INTERWORX + is enabled, INTERWORX_LOG will be scanned for login failures to + NodeWorx and SiteWorx. This is enabled by default on all InterWorx + installations + + Fixed text in Firewall.php stub in InterWorx + + Improved UI display in DA + + Improved UI display in InterWorx + + Fixed InterWorx UI issue with "Service Status" NodeWorx feature caused + by Firewall.php stub + + Created cronjob to check for new product versions for the UI + (/etc/cron.daily/csget). 
A manual check is still available if needed. + This does not affect the daily upgrade check if enabled + +13.00 - Added InterWorx integration and InterWorx panel specific configuration. + See /etc/csf/readme.txt for more information (only tested on CentOS v7) + + Added InterWorx regex detection for proftpd, dovecot imap, dovecot pop3, + and smtp auth login failures. Added regex detection for LF_DISTSMTP and + LF_DISTFTP. Added regex detection for LF_CXS and LF_MODSEC. Added Login + Tracking for LT_POP3D and LT_IMAPD + + Ensure UI errors are displayed in browser to avoid blank pages + + Display install.txt if perl module checks fail + + Reworked DirectAdmin UI to display within the parent template + +12.12 - Updated CloudFlare code to use GET instead of POST to retrieve the id + of an entry as POST in the API is no longer working, which affected + entry deletion + + Modified --denyrm [ip] to not remove "do not delete" entries. This now + must be done by editing /etc/csf/csf.deny to prevent unintentional + unblocking, e.g. by MESSENGER reCAPTCHA or the UI + + MESSENGERv2: Set KeepAlive to Off + + Added new csf CLI cluster option: -cir, --cirm ip + This will remove the IP from each remote /etc/csf/csf.ignore member and + then restart lfd. This has also been added to the UI + + Added missing comment to cluster --ctempdeny entries + + Added missing timestamp to cluster --cignore entries + + Cluster command --cignore now checks for duplicates + +12.11 - Added port 8443/tcp to cPanel server new installs to cater for the v80 + calendar service. Existing installs will need to be modified manually + if the service is used by adding the port to TCP_IN and TCP6_IN + + Updated various EOL version checks in Server Report + + Updated version modification system to check existing version before + performing updates. 
Ensured that updates are applied chronologically + +12.10 - Added routine to select from multiple download servers for script + updates + + Added Sectigo (formerly Comodo) IPv6 DCV addresses to + cpanel.comodo.allow and cpanel.comodo.ignore + + Added support to LF_CXS for litespeed logs on cPanel + + Added exception to csf.fignore for NodeJS yarn temporary files in + cPanel v80 + +12.09 - Added new option CT_SUBNET_LIMIT. If the total number of connections + from a class C subnet is greater than this value then the offending + subnet is blocked according to the other CT_* settings. This option is + disabled by default + + Removed ALTTOR from csf.blocklists on new installations as it has been + discontinued + + Use ConfigServer::Slurp to read csf.resellers to avoid invalid line + endings + + Modified CLUSTER_SENDTO and CLUSTER_RECVFROM so that they can be set to + a file instead of listing IP's within the respective setting. See + csf.conf for more details + + Removed open_basedir check on cPanel servers in Server Check + + Fixed csf.conf typo + + Updates to Courier IMAP regexes for Plesk + +12.08 - Removed debugging code from lfd output + + Improvements for reason text information to IPs and CC_LOOKUPS to + netblocks for LF_PERMBLOCK and LF_NETBLOCK reports + +12.07 - Added commented out regex lines in csf.pignore on cPanel servers for + the upcoming ubic implementation by cPanel + + Added port 53 filters in cpanel.comodo.allow on cPanel servers + + Added postfix support for LF_DISTSMTP + + Switched Sendmail and URLGET modules from using croak to carp to avoid + unexpected parent death from child failure + + Double fork external commands in DA UI to work around DA mod_perl + restrictions, allowing full functionality + + Added reason text information to IPs and CC_LOOKUPS to netblocks for + LF_PERMBLOCK and LF_NETBLOCK reports and csf.deny entries + +12.06 - Removed new regex for LF_EXIMSYNTAX + +12.05 - Removed rbl.jp RBLs from csf.rbls + + Modify Project Honey Pot 
blocklist URLs to use https + + Ignore $SIG{PIPE} when running ipset + + Ensure csf shows ipset warnings + + Added osmd to lfd restart routine when cPanel upgrades + + Modified Server Check to look for underscore as well as dash settings + + Added test in lfd to ensure the pidfile is open before attempting to + close it + + Added new regex for LF_EXIMSYNTAX + + Added new option: URLPROXY. If you need csf/lfd to use a proxy, then + you can set this option to the URL of the proxy + +12.04 - Updated license terms for GDPR compliance + +12.03 - Make CC_IGNORE check case-insensitive + + Improved TCP/UDP port inspection for IPv6 connections (affecting CT_*, + PT_* and PT_SSHDKILL) + + Updated cxs FontAwsome to v5 + + Added fixes for additional Include line processing + + Fixed race condition when processing CC_* zip files that could + sometimes prevent the csv files from being extracted + + Updated HTTP::Tiny to v0.070 + +12.02 - Removed CC_OLDGEOLITE and associated code so that all installations + will now use the MaxMind GeoLite2 databases + + Added more CLI options that work if csf is disabled + + Added Include line support to 20 more /etc/csf/csf.* configuration + files. See /etc/csf/readme.txt under "Include statement in + configuration files" for the list of supported files + + Added mangle and raw tables to csf --grep [IP] and modified output to + show a new column with the table then the chain that a rule is in + + Added mangle and raw tables to csf --status output and modified output + to show a new header line with the table that a rule is in + + Added new option USE_FTPHELPER. This enables the ftp helper via the + iptables CT target on supporting kernels instead of the current method + via /proc/sys/net/netfilter/nf_conntrack_helper and unrestricted use of + RELATED state + + Modified ICMP_IN/ICMP_OUT to only affect PING (echo-request), all other + ICMP traffic is allowed (which can help network performance) unless + otherwise blocked. 
This is for IPv4, it does not affect IPv6 + + Improved rule placement to prevent existing connections bypassing + ICMP_IN_RATE/ICMP_OUT_RATE limits + + Updated csf.conf documentation relating to the ICMP/PING settings + + Added new option ICMP_TIMESTAMPDROP. For those with PCI Compliance + tools that state that ICMP timestamps should be dropped, you can enable + this option. Otherwise, there appears to be little evidence that it has + anything to do with a security risk but can impact network performance, + so should be left disabled by everyone else + + csf and lfd now exit with status 1 on error or if disabled. However, + this will not happen with csf if the CLI option used still works while + disabled + + USE_CONNTRACK is now enabled by default on new installations + + Fixed DOCKER IPv6 warning message when DOCKER not enabled + + Modified csf.blocklists for GREENSNOW to use https on existing and new + installations + +12.01 - Added missing DOCKER_DEVICE setting from the generic and directadmin + csf.conf files + + Ensure iptables/ip6tables mangle and raw tables are flushed on + stop/start if they exist + + CC_OLDGEOLITE set to "0" on new servers and those upgrading to v12.* + for the first time. This enables MaxMind GeoLite2 by default unless + already set + + Note: The old MaxMind Geolite v1 database code will be removed in the + near future, before the end of March, in favour of the v2 databases + +12.00 - Added support for GeoLite2 databases from Maxmind for CC_*. These + databases are significantly larger than the soon to be deprecated + GeoLite ones stored in /var/lib/csf/ + + Added support for GeoLite2 databases from Maxmind for CC_LOOKUPS and + CC6_LOOKUPS. + + Added new option: CC_OLDGEOLITE. This option is enabled by default to + continue using the old GeoLite databases. See csf.conf for more + information. 
This option will be removed in the near future so that all + installations use the new GeoLite2 databases + + GeoLite2 lookups now use the CSV files instead of the formatted Data + files because the Perl dependencies for the MaxMind Perl modules that + access the Data files are prohibitively excessive. We have developed + our own fast binary search module to perform the required lookups on + the CSV files for both IPv4 and IPv6 + + An advantage of the new GeoLite2 databases is that IPv6 lookups can now + be done to the same level as IPv4: Country Code; Country; Region; City; + ASN + + Unified storage of GeoLite2 database to avoid duplication between + CC_LOOKUPS and CC_* databases + + Added new CC_LOOKUPS value of "4". This option does not use the MaxMind + databases directly for lookups. Instead it uses a URL-based lookup from + a third-party provider at https://freegeoip.net and so avoids having to + download and process the large databases. See csf.conf for more + information and limitations + + Modified CC_INTERVAL default to 14 days on new installations + + Ensure MESSENGERV2 service will not start if using a valid cPanel + account in MESSENGER_USER (must be non-cPanel account) + + Create entry in /etc/aliases for "csf" if MESSENGERV2 is enabled on + cPanel servers to reserve the account name + + Added new feature: DOCKER support. This configures iptables rules to + allow Docker containers to communicate through the host. This is + currently in BETA testing. See csf.conf for more information. Thanks to + Marcele for the rules + + Removed redundant nat table check for ip6tables in Config.pm + + Replaced all remaining bareword file handles + +11.07 - Added missing WAITLOCK to iptables when processing advanced port + filters in csf and lfd and checking csf status in UI + + Added WAITLOCK, if enabled, to iptables-restore commands during + FASTSTART + + Server Check Report - removed ini_set check as so many scripts use + ini_set nowadays. 
Updated text on various checks + + Updated the postfix SMTP AUTH regex + + Added new SSHD "maximum authentication attempts exceeded" regex + + Set basic PATH before running csfpre.sh/csfpost.sh to avoid binary + location issues + + csf now runs csfpre.sh/csfpost.sh directly without forcing it through + /bin/sh. If present, csf chmods the script 0700 and checks for a + shebang. If the shebang is missing #!/bin/bash is added to the top. The + script is then run + + Added seventh parameter to regex.custom.pm to allow Cloudflare blocking + if a CUSTOM regex is triggered (see latest regex.custom.pm in distro) + + Rearranged UI tabs and shortened tab names. Moved quick actions to the + top of the "csf" tab pane + + Added "AUTH command used when not advertised" to the LF_EXIMSYNTAX + regex check + + Added new csf CLI cluster option: -ci, --cignore ip [comment] + This will add the IP to each remote /etc/csf/csf.ignore member and then + restart lfd. This has also been added to the UI + + Fixed cluster grep output in UI + + Modified MESSENGERV2 to support combined certificates+keys in cPanel + v68+ + + Added triggered setting and, if applicable, temporary TTL to the + "Blocked:" status in block alert emails + + Added "wildcard" option to "Search System Logs" UI to use ZGREP to + search the specified log with a wildcard suffix. ZGREP option added to + csf.conf which must point to the zgrep binary + + Added git binaries to csf.pignore on cPanel servers for upcoming v72/74 + features + +11.06 - Modified Integrated UI to use new cxs UI perl modules + + Added custom redirect line for webmin UI when STYLE_CUSTOM enabled + + Ensure ip6tables nat table is flushed if present whether MESSENGER is + enabled or not + +11.05 - Added new configuration option PT_SSHDKILL. 
This option will terminate + the SSH processes created when blocking an IP + + Added a "Fix Common Problems" section to the csf UI for various common + configuration issues + + Ensure application ports are always defined in lfd + +11.04 - Added new configuration option LF_APACHE_ERRPORT. This option is used + to determine if the Apache error_log format contains the client port + after the client IP. By default it is set to autodetect + +11.03 - Improvements to ajax output in integrated UI + +11.02 - Integrated UI fix for CloudFlare page + + Removed non-participated deny options for cxs reputation service + + Changed PT_SSHDHUNG to use a regex for process cmdline detection + + Fixed issue with IPv6 client detection in Apache logs + +11.01 - Corrections to readme.txt + + In UI, display long output into fixed height divs with scrollbars and + font size changer + + Modified Server Check to not display the mod_cloudflare warning if + CF_ENABLE enabled + + Modified Server Check to display a single warning for each PHP check + listing affected versions instead of multiple warnings + + Additional exim check added to Server Check + + Improvements to ajax output in UI + +11.00 - New Feature: CloudFlare Firewall integration. This feature provides + blocking and unblocking functionality with the CloudFlare Firewall from + within lfd, together with new CLI commands for direct access. See + documentation for CF_ENABLE in csf.conf, information in readme.txt as + well as the csf man page + + Added UI elements for CloudFlare Firewall integration + + New CLI command --trace [ip]. This replaces the --w, --watch CLI + command to Log SYN packets for an IP across iptables chains by using + the iptables TRACE module + + New Feature: Check the size of the ModSecurity IP D/B. This option will + send an alert if the ModSecurity IP persistent storage grows + excessively large. This is enabled on cPanel by default. 
See csf.conf + for more information + + New Feature: Allow use of comma separated list of ports in Advanced + Allow/Deny Filters + + WATCH_MODE in csf.conf and --w, --watch CLI commands removed in favour + of the new --trace [add/remove] [ip] CLI command + + Restrict the scope of Perl shebang replacement when installing on + cPanel servers + + Modifications and fixes for the example MESSENGERV2 templates + + Ensure /proc/sys/net/netfilter/nf_conntrack_helper is enabled at + startup to allow connection tracking to continue working on newer + kernels + + Stop needlessly setting and elements in Ajax returns + + Various corrections and updates to readme.txt + + Tweaks to the Mobile View UI button arrangement and spacing + +10.25 - CSS change to UI configuration page + + Remove refresh timer from UI log file grep + +10.24 - On webmin servers, added csf.body file to UI skinning (STYLE_CUSTOM). + See readme.txt for more information + +10.23 - On cPanel servers, ensure that the csf driver for WHM is removed on + uninstall + + Added hooks for upcoming cxs IP Reputation Service + + On webmin servers, added csf.htmltag and csf.bodytag files to UI + skinning (STYLE_CUSTOM). See readme.txt for more information + + MESSENGERV2 released as stable on cPanel servers. 
This uses the Apache + http daemon to provide the web service for MESSENGER HTML and HTTPS + + Additions to csf.logignore on new installs + + Added IPv6 support to BLOCKLISTS + + Added Spamhaus DROPv6 and Stop Forum Spam IPv6 blocklists to + csf.blocklists + + Removed Spamcannibal and added all.s5h.net from/to csf.rbls + + Fixed issues with IPv6 rule creation attempts when IPV6 disabled + + Automatically enable WAITLOCK on initial installation if supported + +10.22 - Fixed issue with the ModSecurity regex modification in v10.20 + +10.21 - Ensure /etc/logrotate.d/lfd is overwritten on upgrade + +10.20 - Prevent lfd logrotate from erroring if log files missing + + Modified Apache ModSecurity regex to cater for changes in logging + format on cPanel servers with ModSecurity v2.9.2 + + Modified Apache cxs regex to cater for changes in logging format on + cPanel servers with ModSecurity v2.9.2 + + Ensure destination files are owned by root during installation + +10.19 - MESSENGERV2: Take a copy of the live certs and keys and use these in + csf.messenger.conf to work around changing filenames for keys and certs + when they are regenerated which causes httpd to fail. This is done each + time lfd restarts + + Added CLI option csf --mregen: MESSENGERV2 + /etc/apache2/conf.d/csf_messenger.conf regeneration. 
This will also + gracefully restart httpd + +10.18 - Stability improvements to the UI daemon + + Fixed MESSENGER log entry spelling + +10.17 - Prevent Cluster and UI daemons from terminating the main process if + they themselves terminate + + Modify Cluster and UI daemons to restart if they are stopped or fail + + Modify Cluster and UI daemons to be more verbose about reasons for + stopping + + Fixed typos in readme.txt and csf.conf + + Added MESSENGER child logging to /var/log/lfd_messenger.log, also for + MESSENGERV2 via a new index.recaptcha.php + + Modified logrotate configuration to include /var/log/lfd_messenger.log + +10.16 - Fixed issue in 10.15 which was causing the Cluster daemon to exit + unexpectedly + +10.15 - New EXPERIMENTAL feature on cPanel servers: MESSENGERV2. This uses the + Apache http daemon to provide the web service for MESSENGER HTML and + HTTPS + + Added new option LF_APACHE_401 that works in a similar way to + LF_APACHE_404 and LF_APACHE_403 + + Added new option RECAPTCHA_ALERT. This will send an email when a + recaptcha unblock request is attempted by lfd. 
This option is enabled + by default + + Stability improvements to UI, MESSENGER and CLUSTER daemon processes + + Added memory usage information to lfd log when using MESSENGER_HTTPS + + Add limiter to enforce MESSENGER_CHILDREN when connections are waiting + for a child process + + Modify MESSENGER HTML examples for new installs to use inline images to + improve page load speed and reduce lfd overheads + + Modified network interface detection to allow dash (-) in name + + URL updates in Server Check + + Increased the default value for MESSENGER_RATE to 100/s (from 30/m) + and MESSENGER_BURST to 150 (from 5) for all installations to alleviate + slow MESSENGER response times + + Set the SELinux security context for systemd and executable files + + Ensure firewalld is masked on systemd servers + +10.14 - Made configuration checks on iptables more fault tolerant to avoid + unnecessary failures while loading + + Removed openbl.org from csf.blocklists for new and existing installs + + More generic binaries added to csf.pignore + +10.13 - Fixed looping/timeout of integrated UI children when Chrome client is + used + +10.12 - Configured UI to fully integrate with cPanel templates without using + iframes + + Configured UI to display full cPanel breadcrumbs + + Configured UI to support cPanel v66 WHM UI changes + +10.11 - Modified username regex for csf.syslogusers + + Fixed issue with /var/lib/csf/lfd.stats excessive growth + +10.10 - Modified HTML to cater for major change in cPanel v66 + +10.09 - Added new option DROP_OUT which is set to "REJECT" by default. This + option sets the default target for blocked outgoing ports. 
See csf.conf + for more information + + Added improved detection of xtables lock and recommend enabling + WAITLOCK on error + + Improved csf down detection when xtables lock in effect and WAITLOCK is + not enabled + + Added support for listing ASNs in CC_IGNORE + +10.08 - Added cpanel.allow and cpanel.ignore Include files for the cPanel + authentication servers. These are included on new installations and + added to existing files on cPanel installations + + If running cPanel 1:1 NAT, use the contents of /var/cpanel/cpnat to + whitelist/ignore the external IP addresses + +10.07 - Fixed bug when using RECAPTCHA_NAT where the listed IP's were not + correctly processed + + Server Check now follows includes in dovecot.conf + + Server Check now reports RHEL/CentOS/CloudLinux v5.* as EOL + +10.06 - Added new entry in csf.pignore on cPanel servers for: + exe:/usr/libexec/dovecot/indexer + exe:/usr/libexec/dovecot/indexer-worker + + Croak if IPTABLES is not set, incorrect or not present in csf.conf + + Set SELinux context for /etc/logrotate.d/lfd on new generic installs + +10.05 - Fixed table header html/css + + Added workaround for adding superusers listed in + /etc/csf/csf.syslogusers to the RESTRICT_SYSLOG_GROUP if the log socket + is not accessed via the owner permissions + + Changes for cPanel v64 template + + Updated text description in csf.dirwatch for new installs + +10.04 - Added error message to RECAPTCHA_* if the non-priveleged user cannot + write to its home directory + + Further improvements to RECAPTCHA_* hostname check + +10.03 - Added new option MESSENGER_HTTPS_SKIPMAIL on cPanel installations. This + option ignores ServerAlias definitions that begin with "mail.". This + can help with memory usage on systems that do not require the use + of MESSENGER_HTTPS on those subdomains. 
The option is enabled by + default on cPanel servers + + Improved RECAPTCHA_* hostname check + + Cluster CLI can now block CIDRs, e.g LF_NETBLOCK blocks will be applied + cluster-wide + +10.02 - Modified Messenger HTTPS to cater for a wider range of Apache + VirtualHost formatting + + Added Messenger HTTPS workaround for servers using PEM but a version + of IO::Socket::SSL that does not yet support it (pre v1.988) + + Added Messenger HTTPS warning in csf.conf regarding memory usage on + some servers using the option + + Added java binary for cPanel solr process to csf.pignore on new and + existing servers + +10.00 - Added new feature to MESSENGER: MESSENGER_HTTPS*. See /etc/csf/csf.conf + for more detail. This option redirects blocked IP addresses that + connect over an HTTPS connection (port 443) to the HTML MESSENGER + service. The option uses existing SSL certificates on the server for + each domain to maintain a secure SSL SNI connection without browser + warnings. The setting is disabled by default + + Note: The perl module IO::Socket::SSL (v1.83+) with support for SNI + must be available to use MESSENGER_HTTPS* otherwise it will be disabled + + Added new feature to MESSENGER: Google ReCAPTCHA (v2) to allow those + blocked in the firewall to unblock themselves. 
See RECAPTCHA_* in
+ /etc/csf/csf.conf for more details and limitations
+
+ Added MESSENGER procedure to restart listening sub-process if it has
+ died
+
+ Moved MESSENGER processes to a separate module
+
+ Ensure that all forked processes terminate appropriately
+
+ On cPanel servers, use the cPanel WHM Template to support the new v64
+ UI layout (as best we can to maintain the look that we want)
+
+ Modified the cPanel csf ACL metadata and driver Perl modules to match
+ new requirements for v64 and also maintain backwards compatibility
+
+9.30 - Fix to try and resolve cluster send/recv issues (Note: _All_ members of
+ the cluster need to be running v9.30 for clustering to function
+ correctly)
+
+9.29 - Fixed issue that was breaking LF_DISTSMTP
+
+ Fixed issue in UI lfd Stats. Note: The lfd stats data file has been
+ renamed from /var/lib/csf/stats/lfdmain to /var/lib/csf/stats/lfdstats
+ Additionally, the stats for 2016-12-31 will reset to 0 due to this bug
+
+ Corrected text in readme.txt
+
+ Added new csf CLI cluster option:
+ -ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment]
+ This sends a temporary deny request to the cluster
+
+ Added new csf CLI cluster option:
+ -cta, --ctempallow ip ttl [-p port] [-d direction] [comment]
+ This sends a temporary allow request to the cluster
+
+ Added new csf CLI cluster option:
+ -cg, --cgrep ip
+ This requests the --grep output for [ip] from each cluster member
+
+ Modified cluster requests to respond with an acknowledgment to the
+ sender
+
+ Modified --cdeny [ip] and --callow [ip] to include optional comment
+
+ Added separate tab for Cluster options in UI if enabled and added new
+ cluster temp allow/deny commands to UI
+
+ Modified Port Scan Tracking. UDP packets destined for the network
+ broadcast address(es) will now be ignored in Port Scan Tracking unless
+ BRD is added to PS_PORTS.
The broadcast address(es) include the those
+ listed in IP or IFCONFIG plus the default (255.255.255.255) unless one
+ of the servers IPs
+
+ Added new feature: PT_USERRSS. This User Process Tracking option sends
+ an alert if any user process exceeds the RSS memory limit set - RAM
+ used, not virtual. PT_USERRSS is set to 256 (MB) and PT_USERMEM is now
+ set to 512 (MB) by default on new installations. On existing installs
+ PT_USERRSS is set to the same value as PT_USERMEM
+
+9.28 - New logo added and configured for cPanel plugins
+
+ HTML fixes
+
+ STYLE_CUSTOM is now set to 0 by default on all new installations. If
+ you want to choose custom styling this option can be enabled
+
+9.27 - Fix for UI Quick Unblock button
+
+ Fix for UI main page [ENTER] not working on all forms
+
+9.26 - Fix for webmin UI when watching logs
+
+ Various UI html syntax fixes
+
+ Reduced UI banner padding
+
+ Port 23 added to DROP_NOLOG for new installations
+
+ WAITLOCK taken out of beta
+
+ Modified UI View Listening Ports
+
+ Reworked main UI table to produce syntactically correct HTML
+
+ Fixed duplicate HTML top and bottom page elements
+
+9.25 - Correct csf lookup failure message
+
+ Converted UI icon for temp allow removal to new format
+
+ Simplified Configuration display of radio toggles to help screen
+ readers
+
+ Added patch to send message text for CLUSTER blocks
+
+9.24 - UI html fixes
+
+9.23 - Added upgrade note to the top of the UI if available
+
+ UI improvements for integrated cse and interface to cxs
+
+ Added Scroll to Top/Bottom buttons
+
+ Consolidate images, css and javascript into a common directory in the
+ installer
+
+9.22 - Modify UI temporary IP deny buttons to not wrap in table
+
+ Modified UI Statistics images to be responsive
+
+ Modified readme.txt to detail additional UI styling options
+
+ Added two new options STYLE_CUSTOM and STYLE_MOBILE relating to UI
+ styling
+
+ Globalised SIGNALs where needed to help prevent zombie children
+
+ Modified UI
to use container-fluid to improve whitespace use
+
+ Modified pre tags to wrap on whitespace
+
+9.20 - Redesigned UI based on Bootstrap
+
+ New functionality: Added integrated mobile device view with subset of
+ functions
+
+ Modified csf to not warn about the SENDMAIL binary if LF_ALERT_SMTP is
+ enabled
+
+ Added use of the ace editor if present on cPanel installs to edit
+ files. Added toggle to switch back to textarea. Added buttons to
+ decrease and increase font size in editor
+
+ Modified readme.txt to include information regarding changing styles
+ and disabling Mobile View
+
+9.14 - Fixed LOGSCANNER logging to only report to the log if DEBUG enabled
+
+ Added new BETA options WAITLOCK and WAITLOCK_TIMEOUT which provide
+ support for the iptables --wait option
+
+ Added UI support for cxs with Bootstrap
+
+9.13 - Modify Server Check to prevent hanging process for CloudLinux PHP
+ versions prior to v5.2
+
+9.12 - Improved LOGSCANNER accuracy of hourly and daily runs between restarts
+
+ Added more binaries on cPanel servers to csf.pignore for cPanel v60
+
+ Fixed repeated check for PHP open_basedir in Server Check
+
+ Do not perform suexec check if mod_ruid2 enabled in Server Check
+
+ Corrected text description of IPv6 port lists in non-cPanel csf.conf
+
+ Export ConfigServer::Logger::logfile
+
+ Detect mpm_itk_module and treat in a similar manner to ruid2_module in
+ Server Check
+
+ Removed use of Cpanel::cPanelFunctions as it is now being withdrawn
+
+ Updated common ConfigServer UI
+
+ Fix instance where cluster block timeout for temporary blocks was not
+ being sent
+
+ Check for EOL PHP v5.5 in Server Check
+
+ Added detection of alt-php versions provided by CloudLinux, but do
+ not check them for EOL version status
+
+9.11 - Fixed issue with csf.allow Include checks when allowing an IP
+
+ Added the Greensnow blocklist to csf.blocklists for new installs
+
+ Fixed display of ports in CLI temporary blocks
+
+ Fixed issue removing CIDR blocks via the
CLI from csf.deny
+
+9.10 - Fix profile diff in the CLI
+
+ Fixed issue with deny removal by IP address of advanced rules in the
+ CLI
+
+9.09 - Additional fix for ip6tables MESSENGER service when LF_IPSET not
+ enabled (ip6tables nat)
+
+9.08 - AUTOSHUN list removed from csf.blocklists as the public list is no
+ longer available
+
+ Added support for ip6tables MESSENGER service when LF_IPSET not
+ enabled (ip6tables nat)
+
+9.07 - Fixed removal of complex allow and deny rules
+
+ Fixed IPv6 implementation of CC_ALLOW_PORTS_* and CC_DENY_PORTS_*
+
+ Fixed file upload in cse via the integrated UI
+
+ Fixed "csf --cfile [file]"
+
+ Removed setting: OLD_REAPER
+
+ Localised SIGNALs
+
+ Localised uid and gid change in MESSENGER
+
+ Removed Bareword file handles
+
+ Where ip6tables <= v1.3.5 and IPV6 is enabled, disable USE_CONNTRACK if
+ enabled as ip6tables does not support the conntrack module in older
+ versions. This will force the use of the state module instead
+
+9.06 - Fixed incorrect inclusion of cPanel Free SSL service include entries
+ on new non-cPanel installations
+
+9.05 - Fixed RT_AUTHRELAY_LIMIT detection
+
+9.04 - Fixed issue with custom regex rules where log hash was not being
+ passed to regex.custom.pm
+
+ Fixed issue with custom regex rules where "use strict" was used
+ incorrectly
+
+9.03 - Fixed issue with LF_ALERT_TO and LF_ALERT_FROM not being used when set
+
+9.02 - Fixed Reseller UI command execution
+
+9.01 - Fixed graph display when using integrated UI
+
+9.00 - Convert csfui.pl, csfuir.pl and cseui.pl to perl modules and modify
+ the calling UI specific scripts
+
+ Updated cseUI so that is passes perl strict module checks
+
+ Fixed issue with deny removal of some IPv6 addresses
+
+ Ensure /etc/chkservd/lfd is recreated when lfd is enabled via csf -e
+ on cPanel servers
+
+ Added exes to csf.pignore on existing and new cPanel server:
+ /usr/libexec/dovecot/lmtp
+ /usr/local/cpanel/3rdparty/php/54/bin/php-cgi
+
/usr/local/cpanel/3rdparty/php/56/bin/php-cgi
+ /usr/local/cpanel/3rdparty/php/56/sbin/php-fpm
+
+ Ensure all file opens are properly flocked
+
+ Switch to using require instead of eval/use to load runtime modules
+ where possible
+
+ Code review - started addressing perl critic suggestions in all
+ scripts and modules
+
+ Moved regex.pm to a seperate perl module
+
+ Moved email sending to a seperate perl module
+
+ Moved lfd logging to a seperate perl module
+
+ Add allow and ignore Include files for the cPanel Free SSL service
+ from Comodo in cPanel v58+. These are included on new installations
+ and added to existing files on cPanel installations
+
+ Fixed spurious Include error in lfd for csf.ignore
+
+8.26 - Added more dovecot binaries to csf.pignore for new and existing cPanel
+ servers
+
+ Updated lfd-cron to use the csf startup routines to restart lfd on
+ systemd servers correctly, existing cron jobs are also modified
+
+ HTTP::Tiny upgraded to v0.058
+
+8.25 - Modified Config loading to check for valid ip6tables location before
+ attempting to use it
+
+ Modify Server Report to support checking of cPanel MultiPHP
+ configurations when using EasyApache v4
+
+ Removed PHP check for suhosin from Server Report
+
+ Improved cipher check for pure-ftpd in Server Report
+
+ Added password reset check for subaccounts in Server Report on cPanel
+ servers
+
+ Added cPanelID check in Server Report on cPanel servers
+
+8.23 - On cPanel servers ensure the lfd service is always correctly appended
+ to chkservd.conf on csf installation
+
+8.22 - Fix csf --tempdeny from allowing blocking of local IPs
+
+ Fix problem where LF_NETBLOCK was no longer affective after blocking
+ a its first netblock until it timed out from csf.tempip
+
+ Modify UI table spacing
+
+8.21 - Modified cPanel version check to avoid restart loop if GENERIC set to
+ 1 in csf.conf
+
+8.20 - Modify Relay Alert email to specify "localhost" rather than "Local
+ Account" when localhost IPv6 address
detected as it currently does for
+ IPv4 localhost
+
+ Improvement to lfd restart routine for MailScanner and pure-ftpd when
+ cPanel upgrades on RHEL/CentOS/CloudLinux v7+ servers
+
+8.19 - Move SMTP_BLOCK rules to a separate chain to avoid conflicts with
+ other control panels deleting required rules
+
+8.18 - Reversed csf.tempip changes to avoid a possible locking issue in
+ csf.pl, lfd.pl changes retained
+
+8.17 - Fixed 12 month statistics pie chart rendering
+
+ Increased default value and sanity range for PT_USERMEM
+
+ Modified SMTP_BLOCK to use iptables multiport
+
+ Added new feature: SMTP_REDIRECT. This redirects non-authorised
+ outbound SMTP connections to the local SMTP server
+
+ Ensure LF_PERMBLOCK IP's are removed from csf.tempip when rotating
+ csf.deny after reaching DENY_IP_LIMIT
+
+ Remove stale csf.tempip entries on lfd startup
+
+ Added IPv6 support to RT_LOCALHOSTRELAY tracking
+
+ Update binary locations for new installations on DirectAdmin Debian
+
+ Improved fix for detection of ip6tables nat chains
+
+ Added UI Firewall Configuration On/Off buttons
+
+ Added UI Firewall Configuration dropdowns for some value ranges
+
+ Updated UI restricted list
+
+ Updated sanity checks
+
+ Various UI updates and modifications
+
+ Added a warning when using mod_cloudflare to Server Check Report
+
+8.16 - Removed UI integration from CentOS Web Panel as recent permission
+ changes break the implementation. The csf installer will restore the
+ original functionality
+
+8.15 - Added new configuration option IP to point to the IP binary. This will
+ be used in preference to IFCONFIG, the latter is no longer required
+ when the IP binary is correctly configured and executable
+
+ Added full UI integration into CentOS Web Panel (CWP).
To disable
+ integration:
+ Rename: /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.orig.php
+ to: /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.php
+ create: /etc/csf/cwp.disable
+
+ Updated Postfix SMTP AUTH regex (thanks to Marcele)
+
+ Added support for /etc/csf/csf.blocklists in ZIP format. The zip file
+ MUST only contain a single text file of a single IP/CIDR per line
+
+ Added Stop Forum Spam (ZIP) example to csf.blocklists
+
+ Added IPV6 support to csf.sips
+
+ Fixed detection of ip6tables nat
+
+ Removed development code for ispconfig from distribution as this
+ should NOT be used. It has never been implemented nor released as a
+ supported solution and is likely to be insecure. Upgrading will remove
+ any installations of this development code
+
+8.13 - Added /usr/local/cpanel/3rdparty/php/54/sbin/php-fpm to csf.pignore
+ for cPanel installs
+
+ Clarify cluster CLI commands that refer to remote server actions
+
+ Added number of failures to the RBL check Subject field
+
+ Modified Port Scan checks for more kernel log line formats in regex.pm
+
+8.12 - Additional Feature: Added support for listing ASNs in all Country Code
+ (CC_*) options
+
+ Fixed GLOBAL_ALLOW and GLOBAL_DENY when LF_IPSET is enabled
+
+ Fixed GLOBAL_DYNDNS when LF_IPSET and LF_IPV6 are enabled
+
+ IPSET binary location set to /sbin/ipset for Debian/Ubuntu new
+ installs
+
+ Additional regex included for vsftp login failures
+
+8.11 - Fixed issue on non-RedHat OS installations that failed due to problems
+ whitelisting the installers IP address
+
+8.10 - Fixed issues with new non-RedHat OS installations by reasserting perl
+ module check to the start of the installation process but removing
+ included modules from checks
+
+ Ports 2079 and 2080 added to TCP_IN for new cPanel installs to allow
+ CalDAV/CardDAV access
+
+8.09 - Check /sys/module/ipt_recent/parameters/ip_pkt_list_tot or
+ /sys/module/xt_recent/parameters/ip_pkt_list_tot if defined to allow
+ higher settings for
PORTFLOOD than the default of 20 if configured
+
+ Added LimitNOFILE to lfd.service on servers using systemd to allow for
+ large numbers of open files
+
+ Cater for full stops (.) in ethernet device names
+
+ Moved Perl module checks until after csf installation has completed so
+ that all included modules exist in /usr/local/csf/lib/
+
+8.08 - Fixed csf.sips modification via UI on Redhat/CentOS v7.1
+
+ Raised csf.blocklist names from 9 to 25 characters long. This cannot
+ be greater due to limits on ipset names on some OS's and the use of
+ prepended names for new ipset list swapping
+
+ Added output from netstat for PT_LOAD to loadalert.txt for new
+ installs. For existing installs, latest file copied to
+ /usr/local/csf/tpl/loadalert.txt.new
+
+8.07 - Ensure spaces are stripped from values in /etc/cpanel/ea4/paths.conf
+ on cPanel servers
+
+ Fixed issue with csf --add [ip] not always removing [ip] if present
+ from csf.deny
+
+ Modified the LF_QOS regex to cater for additional log formats
+
+8.06 - Added port 24441 to UDP_OUT and UDP6_OUT for new installs on cPanel
+ servers for Pyzor that was added by cPanel in v11.52
+
+ Support added for EasyApache4 log locations in cPanel from
+ /etc/cpanel/ea4/paths.conf
+
+ Added more executable files to csf.pignore on cPanel servers for
+ cPanel EasyApache4
+
+ Modify Server Check to support cPanel EasyApache4
+
+ Added regex to support cPanel/WHM login failures with the new log
+ format in v11.52+
+
+ If mod_ruid2 is enabled do not check for mod_userdir in Server Check
+
+ Always ensure binary exists and is executable before performing
+ processing during Server Check
+
+ Modified ProFTPD regex to support more formats
+
+ vsftpd inbuilt log file format regex added
+
+ Modified cPanel antirelayd Server Check to also support popbeforesmtp
+ added in v11.52
+
+ Added dbus and time systemd regexes to csf.logignore for new installs
+
+8.05 - Added alarms to HOST binary calls
+
+ Added new csf CLI option: --rbl [email].
This generates the report
+ checking IP addresses against a set of RBLs. Optional configuration is
+ available through /etc/csf/csf.rblconf
+
+ Added UI to utilise the new --rbl [email] option
+
+ Added systemd status output after lfd restart via the csf CLI
+
+ Modified Server Check to only report bind if a named configuration
+ file exists
+
+ Require cPanel resellers to enter a Comment when allowing or denying
+ an IP
+
+ Added new option UI_IP to allow binding to a specific IP address for
+ the integrated UI
+
+8.04 - Added more executable files to csf.pignore on cPanel servers for
+ cPanel v11.5*+
+
+ Added warning to both csf output and Server Check report if
+ PT_USERKILL is enabled
+
+8.03 - Fixed bug where iptables nat tables were not being flushed or grepped
+ correctly
+
+8.02 - Modified DYNDNS and GLOBAL_DYNDNS to use the host binary if available
+ for more reliable IPv4 and IPv6 reverse lookups
+
+ Fixed IPv6 use of ipset for DYNDNS and GLOBAL_DYNDNS
+
+ Added new csf CLI option: --lfd [stop|start|restart|status]. Actions
+ to take with the lfd daemon
+
+ Added new csf CLI option: -ra, --restartall. Restart firewall rules
+ (csf) and then restart lfd daemon
+
+ Fixed several output message typos for "FASTSTART"
+
+ Disable IPv6 nat support (and MESSENGER) if ip6tables nat not provided
+ by the local kernel
+
+ Improve IPv6 detection on installation
+
+ Implemented more efficient csf.conf loading in ConfigServer::Config
+
+8.01 - Modify ConfigServer::CheckIP to cope with entries not passed by reference
+
+8.00 - Added new option CC6_LOOKUPS. This adds IPv6 support for Country Code
+ and Country lookups
+
+ Added new option LF_NETBLOCK_IPV6.
This adds IPv6 support for
+ LF_NETBLOCK
+
+ Modified LF_LOOKUPS to use the host binary if available for more
+ reliable IPv4 and IPv6 reverse lookups
+
+ Added IPv6 support for LF_IPSET
+
+ Added IPv6 support for CC_DENY, CC_ALLOW, CC_ALLOW_FILTER,
+ CC_ALLOW_PORTS, CC_DENY_PORTS, CC_IGNORE, CC_ALLOW_SMTPAUTH
+ (Requires CC6_LOOKUPS and CC_LOOKUPS to be enabled)
+
+ Added IPv6 support for X_ARF report where found in the Abusix Contact
+ DB
+
+ Added IPv6 nameserver support for /etc/resolv.conf
+
+ Added IPv6 support for MESSENGER if ip6tables version >= 1.4.17 and
+ perl module IO::Socket::INET6 is installed
+
+ Added IPv6 support for PORTFLOOD if ip6tables version >= 1.4.3
+
+ Added IPv6 support for CONNLIMIT if ip6tables version >= 1.4.3
+
+ Added IPv6 support for SYNFLOOD
+
+ Added flush of ip6tables nat table if ip6tables version >= 1.4.17
+
+ Standardise all IPv6 addresses and networks to use the short form for
+ consist representation
+
+ Added FASTSTART support to LF_IPSET
+
+ Increased ulimit -n to 4096 in /etc/init.d/lfd
+
+ Included Net::IP for IP address manipulation
+
+ Included version perl module for version comparisons
+
+ Added missing csf.allow search to csf --grep
+
+ Added Server Check report for LF_IPSET when using Country Code filters
+
+7.73 - Fix for temporary denies allowing duplicate IP/Port blocks/allows
+
+ Speedup csf --grep [ip] when searching IPSET sets. Note: This does
+ mean that partial IP queries will no longer match IPSET entries
+
+ Added new options LF_IPSET_HASHSIZE and LF_IPSET_MAXELEM to allow for
+ larger ipset sets
+
+ Added option HOST as the location of the "host" binary for DNS TXT
+ record lookups
+
+ Modified X_ARF report to include the abuse contact for a reported IP
+ address where found in the Abusix Contact DB
+
+ Added new option X_ARF_ABUSE. This option allows for automatic sending
+ of X_ARF reports to the IP addresses abuse contact.
See csf.conf for
+ warnings about using this option
+
+ Added binary location checking in csf and issue warnings if incorrect,
+ not installed or not executable
+
+7.72 - Added new option PT_SSHDHUNG. Terminate hung SSHD sessions. When under
+ an SSHD login attack, SSHD processes are often left hung after their
+ connecting IP addresses have been blocked. This option will terminate
+ such processes. See csf.conf for more info
+
+ Added new binaries to csf.pignore on existing cPanel installations to
+ cater for v11.50 and CentOS v7
+
+ LF_CONSOLE_EMAIL_ALERT and LF_WEBMIN_EMAIL_ALERT now default to 1 for
+ new installations
+
+ Updated Server Check ipv6 detection
+
+ Updated sanity checks
+
+7.71 - Added warning on cPanel servers for GreyListing
+
+ Fixed issue with RedHat/CentOS/CloudLinux v7 where local IPs were not
+ being successfully detected from IFCONFIG
+
+7.70 - Removed PayPal Donation buttons due to recent abuse
+
+7.69 - Modified LF_CSF on cPanel servers to detect a change in the cPanel
+ version and then trigger a restart of ConfigServer scripts (added
+ cxs pure-uploadscript restart)
+
+7.68 - Added Debian v8 and Ubuntu v15 support
+
+ HTTP::Tiny upgraded to v0.054
+
+7.67 - Added a workaround for Plesk sendmail wrapper SIGCHLD problem
+
+7.66 - Fixed UI status form tags
+
+ Added new option LF_SPI. This option configures csf iptables as a
+ Stateful Packet Inspection (SPI) firewall - the default.
If the server
+ has a broken stateful connection tracking kernel then this setting can
+ be set to 0 to configure csf iptables to be a Static firewall, though
+ some funtionality and security will be inevitably lost
+
+ Added common systemd logs to csf.logignore for new installs
+
+ Modify LF_IPSET in csf to print failure messages instead of aborting
+ on error
+
+ On servers using systemd if firewalld found to be active, csf and lfd
+ will not start until is is stopped and disabled as csf cannot be used
+ with firewalld
+
+ Added option SYSTEMCTL to csf.conf as the location of the systemctl
+ binary for use with servers using systemd
+
+7.65 - Fixed csf.blocklist for new installs which incorrectly had OPENBL
+ enabled by default
+
+7.64 - UI HTML updates and fixes
+
+ Modified openbl.org URLs in csf.blocklist to use https - this will
+ likely need URLGET set to 2 (LWP)
+
+7.63 - Modified Server Check to highlight PHP v5.3.* as EOL and therefore a
+ security risk
+
+ Port 587 added to TCP_OUT/TCP6_OUT on all new installations (previously
+ only on cPanel)
+
+ Added new CLI option to csf, -i --iplookup will lookup IP address
+ geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf
+
+ Manually allowed/denied permanent/temporary IPs through the csf CLI
+ now include the CC information if no comment is used
+
+ Renamed csf and lfd cron jobs in /etc/cron.d/ to cater for non-LSB
+ compliant Linux cron managers
+
+ Modified Server Check report to cater for servers running systemd
+
+ More Server Check fixes for out of date checks
+
+ Added 2 new alert settings for FTP and SMTP distributed attacks:
+ LF_DISTFTP_ALERT and LF_DISTSMTP_ALERT
+
+7.62 - Modified ModSecurity regexes to be more generic
+
+7.61 - Fix issues with lfd restart via integrated UI and DA UI
+
+7.60 - Ensure that /usr/lib/systemd/system/ is created on install on systemd
+ servers
+
+7.59 - Fix sanity check for SMTPAUTH_RESTRICT
+
+ Fixed incorrect reference to cxs in the generic csf
installer
+
+ Modified csf.conf to show that LWP::Protocol::https is needed for LWP
+ to retrieve https URLs and added examples of how to install these perl
+ modules
+
+ Implemented native systemd support for startup and shutdown of csf and
+ lfd
+
+ Added recommendation in csf.conf to use IPSET if wanting to set
+ DENY_IP_LIMIT to a high value
+
+ If IPSET is enabled, no sanity warnings are issued for DENY_IP_LIMIT
+
+ Also add SSH port to TCP6_IN on new installations
+
+7.58 - Display warning and revert to HTTP::Tiny if URLGET is set to use LWP
+ but the perl module is not installed
+
+7.57 - URLGET now set to "2" to use LWP by default on new installations
+ instead of HTTP::Tiny
+
+ If URLGET set to use LWP, csf will perform upgrades over SSL to
+ https://download.configserver.com
+
+ Added check for URLGET to Server Check
+
+ Added option "3" for CC_LOOKUPS to also include IP ASNs via the
+ MaxMind GeoIPASNum database
+
+ Updated SSH login regexes
+
+ Updated named regex
+
+ Added 30 second timeout for ST_IPTABLES iptables stats writing to
+ prevent a child creation loop
+
+ Modified lfd to restart if more than 200 children are currently active
+ to prevent child creation loops
+
+7.56 - Fixed issue with Restricted UI item sanity checks failing
+
+ Modified LF_CSF on cPanel servers to detect a change in the cPanel
+ version and then trigger a restart of ConfigServer scripts (lfd,
+ MailScanner cxs Watch). Restart triggers are limited to every 12 hours
+ and will only trigger if upcp is not running
+
+7.55 - If LF_SELECT is enabled the port(s) listed in PORTS_* can now be
+ specifed as port;protocol,port;protocol, e.g. "53;udp,53;tcp" to allow
+ for protocol specific port blocks.
This port format can also now be
+ used in regex.custom.pm and csf --td/--ta to allow udp port blocks
+
+ PORTS_bind now defaults to "53;udp,53;tcp" on new installations
+
+ PORTS_directadmin added for DA installs to allow for per port blocks
+ if LF_SELECT is enabled
+
+ Ports 993 and 995 now added to TCP_OUT and TCP6_OUT on new installs
+
+ LF_IPSET taken out of BETA as it is proving stable
+
+ Modified Server Check to skip checking xinetd on Plesk servers
+
+ Modified UI_SSL_VERSION for new installations to use the new
+ IO::Socket::SSL default SSL_version setting of SSLv23:!SSLv3:!SSLv2 so
+ that SSLv3 is disabled
+
+ If systemd is running the installer disables firewalld using systemctl
+
+7.54 - Added IPv4/IPv6 column to show whether the port in the csf --ports
+ option is listed in *_IN (e.g. TCP_IN)
+
+ Added Conn column to show the number of ESTABLISHED connections to the
+ port in the csf --ports
+
+ Modified Server Check text from "SMTP Tweak" to "SMTP Restrictions"
+ for cPanel/WHM UI
+
+ Added the following to LF_IPSET for IPv4 IPs and CIDRs:
+ /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW,
+ DYNDNS, GLOBAL_DYNDNS, MESSENGER.
+ IPv6 IPs, Advanced Allow Filters and temporary blocks use traditional
+ iptables
+
+ Modified ipset information in csf.conf including that only ipset v6+
+ is supported
+
+ Modified ConfigServer::Slurp to carp instead of croak
+
+ Improvements to Server Check nameserver checking to include IPv6
+ servers and better determine how many are local nameservers
+
+ Modified csf --graphs to append a trailing slash if missing to
+ directory name
+
+7.53 - Modified Slurp.pm to use O_RDONLY instead of O_RDWR
+
+7.52 - Fixed issue with Restricted UI items sanity checks failing
+
+7.51 - Removed duplicate "Search System Logs" button from the UI
+
+7.50 - Added new BETA options LF_IPSET, IPSET. Use ipset for CC_* and
+ csf.blocklist bulk list matching.
See csf.conf for more info
+
+ Added new UI option to view ports on the server that have a running
+ process behind them listening for external connections
+
+ Added new CLI option (csf -p, csf --ports) to view ports on the server
+ that have a running process behind them listening for external
+ connections
+
+ Added new CLI option (csf --graphs) to Generate System Statistics html
+ pages and images for a given graph type into a given directory. See
+ ST_SYSTEM for requirements
+
+ If using DYNDNS and the FQDN has multiple A records then all IP
+ addresses will now be allowed
+
+ IPv6 support added to DYNDNS. Requires the Perl module Socket6 from
+ cpan.org to be installed
+
+ On DA servers, if LF_DIRECTADMIN is enabled, DIRECTADMIN_LOG_* will be
+ scanned for login failures to Roundcube, SquirrelMail and phpMyAdmin
+ if installed and logging enabled via CustomBuild v2+. Failures will
+ contribute to the LF_DIRECTADMIN trigger level for that IP
+
+ On DA servers, FTPD_LOG now defaults to /var/log/messages on new
+ installs
+
+ Added exe:/usr/libexec/dovecot/anvil to csf.pignore for new installs
+ on DA
+
+ Added to UI count of entries in /etc/csf/csf.allow
+
+ Added blocklist.de to csf.blocklists for new installs, latest file
+ copied to /etc/csf/csf.blocklists.new on existing installs
+
+ Started moving common functions to separate modules within csf
+
+ HTTP::Tiny upgraded to v0.050
+
+ Fixed csf stop/start routines on reboot for servers using systemd
+
+ Modified integrated UI to display die errors to browser
+
+ Modified X_ARF report to use a self-published schema:
+ http://download.configserver.com/abuse_login-attack_0.2.json
+
+ Modified X_ARF to lowercase the Source-Type field
+
+ Modified X_ARF template to use the v0.2 "X-XARF: PLAIN" header field
+
+ Updated restricted UI items
+
+ Geo::IP upgraded to v1.45
+
+ Crypt::CBC upgraded to v2.33
+
+7.15 - Updated installer to fix generic installs on some Redhat/CentOS setups
+
+ Fixed issue with temporary
allow/deny not applying individual port
+ rules for outgoing connections
+
+7.14 - Updated scripts to use download.configserver.com
+
+7.13 - Fixed issue with temporary allow/deny when issued through the UI
+
+7.12 - Reverted PACKET_FILTER rule changes
+
+ OPEN added as an option to PS_PORTS so that TCP_IN and UDP_IN ports
+ will be ignored by Port Scan Tracking by default, but can be added if
+ desired
+
+7.11 - DROP_PF_LOGGING disabled by default on new installs as enabling by
+ default will just cause confusion
+
+7.10 - Removed debugging code from Port Scan Tracking
+
+7.09 - Set scripts (.pl,.cgi,.php,.sh,.py) in /etc/csf/ to chmod 700
+
+ Simplified PACKET_FILTER rules for dropping INVALID connection
+ tracking states. This feature now only applies a single rule for
+ incoming INVALID packets
+
+ DROP_PF_LOGGING enabled by default on new installs
+
+ INVALID added as an option to PS_PORTS so that PACKET_FILTER logs will
+ be ignored by Port Scan Tracking by default, but can be added if
+ desired
+
+ Modified ST_ENABLE locking
+
+ Regex updates to cater for Plesk 12 - thanks to Marcel Evenson
+
+ Fixed issue with temporary allow/deny comment not being parsed
+ correctly when port * specified
+
+7.08 - Withdrawn
+
+7.07 - Modified lfd to silently drop ST_ENABLE lock queue entries unless
+ DEBUG is enabled
+
+ Modified ST_ENABLE logging to append to data file and only truncate
+ when needed
+
+7.06 - Added locking to ST_ENABLE and ST_SYSTEM to prevent child process
+ queues
+
+7.05 - Fix SMTPAUTH_RESTRICT where IPv6 addresses need to be quoted for exim
+
+7.04 - Added new option LF_DIST_ACTION. If LF_DISTFTP or LF_DISTSMTP is
+ triggered, then if LF_DIST_ACTION is a path to a script, it will run
+ the script and pass arguments to it.
See csf.conf for more info
+
+ Added limit check on VPS servers when using FASTSTART to ensure there
+ are sufficient numiptents available for all of the iptables rules in
+ that block
+
+ Modified SMTPAUTH_RESTRICT to add ::1 as a standalone IP to
+ /etc/exim.smtpauth
+
+ Fixed LF_BIND - BIND_LOG was not being added to the log list to watch
+
+ On DirectAdmin servers, added new feature LF_DIRECTADMIN. This option
+ scans DIRECTADMIN_LOG for failed logins and blocks accordingly
+
+ Fixed typo in csf.conf
+
+7.03 - Added new option DROP_UID_LOGGING which allows UID logging to be
+ disabled for outgoing connections. This option is enabled by default
+ and can be disabled on OS's that do not support --log-uid
+
+ Preupgrade copy of csf.conf now created in /var/lib/csf/backup/ for
+ use with the csf --profile option
+
+ Updates to sanity.txt for new options
+
+ Modified DSHIELD blocklist URL from feeds.dshield.org/block.txt to
+ www.dshield.org/block.txt for new and existing installs
+
+7.02 - Make auto.pl scripts more resilient to avoid leaving an incomplete
+ configuration file after upgrades
+
+ Improved output errors if FASTSTART fails
+
+ Ensure UNZIP binary exists before attempting to process GeoLite CSV
+ Country database
+
+ Corrected FASTSTART description in Server Report check
+
+ Modified auto.pl to not automatically enable IPV6 on Virtuozzo/OpenVZ
+
+ Report all errors after csf starts in case they were missed in the
+ main output
+
+7.01 - Fixed issue with FASTSTART and DROP_PF_LOGGING
+
+7.00 - New feature SMTPAUTH_RESTRICT - This option will only allow SMTP AUTH
+ to be advertised to the IP addresses listed in /etc/csf/csf.smtpauth
+ on EXIM mail servers. The additional option CC_ALLOW_SMTPAUTH can be
+ used with this option to additionally restrict access to specific
+ countries.
See csf.conf and readme.txt for more information
+
+ New FASTSTART procedures in csf and lfd to centralise functions and
+ add error reporting
+
+ FASTSTART added to GLOBAL_ALLOW, GLOBAL_DENY, GLOBAL_DYNDNS, csf.deny,
+ csf.allow, Port Settings, PACKET_FILTER, DROP_NOLOG, SMTP Block, DNS
+
+ Remove duplicate IP addresses from individual blocklists
+
+ Remove duplicate IP addresses (not CIDRs) across blocklists as they
+ are newly retrieved
+
+ Ensure /usr/local/bandmin/bandminstart exists and is executable on
+ cPanel servers before using it
+
+ Removed MySQL version check as it is currently redundant from Server
+ Report
+
+ Improve Net::CIDR::Lite use integrity to prevent unnecessary lfd
+ failures
+
+ Ensure GeoIPCountryWhois.csv is removed before processing a new d/b
+ download
+
+ Add /etc/csf/csf.smtpauth to UI if SMTPAUTH_RESTRICT is enabled
+
+ Fixed issue with IPv6 generation of SMTP_ALLOWUSER rules
+
+6.48 - Fixed csf --ta/d not accepting comma separated port list
+
+ Modified csf -t multi-port reporting
+
+ Modified csf UI to support specifying port list in temporary
+ allow/deny
+
+ Modified integrated UI call to perform separate calls to
+ IO::Socket::SSL to use the appropriate AF_INET(6) call depending on
+ the setting for IPV6
+
+ Updates to integrated cse UI CSS
+
+ Added regular expressions for courier-imap, Qmail SMTP AUTH and
+ Postfix SMTP_AUTH for Plesk servers
+
+ Removed RBN from csf.blocklist for new installs as it is now obsolete
+
+ Check for an apply correct permissions on /var/lib/csf and
+ /usr/local/csf in addition to /etc/csf
+
+6.47 - Overhaul of Apache regexes to cater for Apache v2.4 formats
+
+ Fail with an appropriate error if attempting to use an IPv6 address
+ but IPV6 is not enabled
+
+ Fix to OUTPUT chain final packet failure still logging to LOGDROPOUT
+ when DROP_OUT_LOGGING is disabled
+
+ Strip leading and trailing spaces from form IP in csf UI
+
+ DROP_OUT_LOGGING is now enabled by default on new installations
+
+
ST_ENABLE is now enabled by default on new installations
+
+ CC_IGNORE rewritten to use CC_LOOKUPS data to ignore countries. This
+ provides a more consistent approach and quicker lookups with reduced
+ memory footprint. CC_LOOKUPS must now be enabled to use CC_IGNORE
+
+6.46 - HTTP::Tiny reverted to v0.041 as it breaks on some installations
+
+6.45 - Modified LF_SCRIPT_ALERT to only report detected lines
+
+ Modified Server Check for sshd_config port to be case-insensitive
+
+ Modified PORTS_sshd check of sshd_config port to be case-insensitive
+
+ HTTP::Tiny upgraded to v0.042
+
+ Reverse sort temp bans in UI
+
+6.44 - File globbing is now allowed for logs listed in csf.logfiles and
+ csf.syslogs
+
+ Added Server Reports recommendation for CloudLinux if running CentOS
+ or RedHat
+
+ Added Server Reports CloudLinux security feature checks
+
+ Modified Server Report check for dovecot v2
+
+ Updated Server Report version checks for Fedora, MySQL and Apache
+
+ Added missing bracket to regex.custom.pm example
+
+ Added new PORTS_* options to csf.conf to allow custom modification of
+ LF_SELECT application ports
+
+ Added Cached memory to the System Statistics
+
+ Added full pseudo-breadcrumbs to cPanel csf UI
+
+ Added new CLI and UI commands to backup/restore csf.conf and to apply
+ preconfigured csf.conf profiles. See "man csf" and UI for more details
+ of the "csf --profile [OPTIONS]" commands
+
+ HTTP::Tiny upgraded to v0.041
+
+6.43 - Modified RESTRICT_SYSLOG_GROUP to always include /dev/log and
+ /usr/share/cagefs-skeleton/dev/log, if a socket, if syslog/rsyslog
+ process is not found and also to cater for systems using systemd (e.g.
+ Fedora, RHEL v7, etc)
+
+ RESTRICT_SYSLOG_GROUP taken out of BETA as it appears stable and
+ effective.
Setting RESTRICT_SYSLOG to "3" is the recommended option
+
+ Updated readme.txt RESTRICT_SYSLOG mitigations to include CloudLinux
+ method to disable access to caged /dev/log
+
+ csf --dr modified to remove matching IPs from csf.tempip
+
+ File globbing is now allowed for all *_LOG file settings in csf.conf.
+ However, be aware that the more files lfd has to track, the greater
+ the performance hit
+
+6.42 - New BETA option RESTRICT_SYSLOG_GROUP. This has been added for a new
+ RESTRICT_SYSLOG option "3" which restricts write access to the
+ syslog/rsyslog unix socket(s). See csf.conf and the new file
+ /etc/csf/csf.syslogusers for more information
+
+ Those running our MailScanner implementation, you must be running
+ at least ConfigServer MailScanner Script v2.91 for logging to work
+ with RESTRICT_SYSLOG_GROUP
+
+ csf UI option added for editing csf.syslogusers
+
+ Fixed a bug in PT_LOAD not producing PS output
+
+6.41 - SECURITY WARNING:
+
+ Unfortunately, syslog and rsyslog allow end-users to log messages to
+ some system logs via the same unix socket that other local services
+ use. This means that any log line shown in these system logs that
+ syslog or rsyslog maintain can be spoofed (they are exactly the same
+ as real log lines).
+
+ Since some of the features of lfd rely on such log lines, spoofed
+ messages can cause false-positive matches which can lead to confusion
+ at best, or blocking of any innocent IP address or making the server
+ inaccessible at worst.
+
+ Any option that relies on the log entries in the files listed in
+ /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
+ vulnerable to exploitation by end-users and scripts run by end-users.
+
+ There is a new RESTRICT_SYSLOG option that disables all those features
+ that rely on affected logs. This option is NOT enabled by default.
+
+ See /etc/csf/csf.conf and /etc/csf/readme.txt for more information
+ about this issue and mitigation advice
+
+ NOTE: This issue affects all scripts that process information from
+ syslog/rsyslog logs, not just lfd. So you should use other such
+ scripts with care
+
+ Our thanks go to Rack911.com for bringing this issue to our attention
+
+
+ UI design updates and fixes
+
+ Modify Apache regex to support log lines containing thread ID
+
+ Prevent lfd from blocking CIDRs triggered from log lines
+
+6.40 - Fix for LF_INTEGRITY which was non-functional after changes in v6.38
+
+6.39 - Added error output from IO::Socket::INET for CLUSTER_* commands from
+ csf if present
+
+ UI HTML fixes and form design elements added
+
+ Improved error report for invalid csf.conf lines
+
+ Removed Server Check tmp mountpoint checks
+
+6.38 - Parameterise calls to system and Open3 where possible
+
+ HTTP::Tiny upgraded to v0.039
+
+ Modifications to csftest.pl
+
+ Removed the UI "Pre-configured settings for Low, Medium or High" as
+ they are outdated and meaningless. Users should go through the csf
+ configuration and setup the firewall for their individual server needs
+
+ Translate ampersand for HTML output
+
+ Modified csf.blocklist for new installations to use the SSL URL for
+ the TOR exit list now that they have forced redirection from the
+ non-SSL URL, with a note to change URLGET to use LWP
+
+ Modified csf.blocklist for new installations to specify an alternative
+ TOR exit node list
+
+6.37 - Fixed issue that produced false-positive failures for IP address
+ actions through UI when checking for a valid IP address
+
+ Modified lfd to support the use of either "password" or "pass" in
+ /root/.my.cnf for ST_MYSQL
+
+ Updated CLUSTER information in readme.txt
+
+6.36 - Removed VPS PASV check from Server Check in UI
+
+ Added new option URLGET - This option can be used to select either
+ HTTP::Tiny or LWP::UserAgent to retrieve URL data.
HTTP::Tiny is
+ faster than LWP::UserAgent and is included in the csf distribution.
+ LWP::UserAgent may have to be installed manually, but it can better
+ support https:// URL's. HTTP::Tiny is selected by default
+
+ Removed extraneous bracket in UI output when reporting errors in user
+ supplied data
+
+ Added new options LF_EXIMSYNTAX, LF_EXIMSYNTAX_PERM - These will block
+ IP addresses producing repeated exim syntax errors, typically seen
+ from: spammers, hackers and broken MUAs and MTAs. This option is
+ enabled by default
+
+ HTTP::Tiny upgraded to v0.036
+
+6.35 - Security fix with included cse when using inbuilt User Interface:
+ prevent XSS due to malicious directory/file names
+
+6.34 - Load DYNDNS and GLOBAL_DYNDNS from last known values when restarting
+ csf instead of waiting for lfd to load the initial rules
+
+ Improved performance of file slurping
+
+ Cluster documentation correction in readme.txt
+
+ UI button style modifications
+
+ Added specific check for Spamhaus drop lists so that retrieval is
+ never attempted before 2 hours elapses between attempts whether those
+ retrieval attempts are successful or not
+
+ Improvements to SSHD regexes
+
+ Modified mod_security logging to include the last triggered rule id if
+ present
+
+6.33 - Modified LF_PERMBLOCK to perform IP lookup on blocked IP
+
+ Perform modprobe when using FASTSTART on server boot to ensure
+ iptables modules are loaded
+
+ Modified migration detection for particularly old csf installations
+
+ Check that TAIL and GREP exist and are executable in UI
+
+6.32 - Applied UI changes to inbuilt cse and Reseller UI's
+
+ Improvements to Virtuozzo/OpenVZ system detection where
+ /proc/vz/veinfo does not exist
+
+ Added System Check on cPanel servers for disable-security-tokens
+
+ If /etc/csuibuttondisable exists then the UI buttons will revert for
+ those that cannot cope with the themed ones
+
+6.31 - Fixed "Deny Server IPs" option in UI
+
+ Additional SSHD regex
+
+ Enable account
tracking for LF_CPANEL login failures to allow for
+ LF_DISTATTACK detection
+
+ Ignore Server Check for register_globals for PHP v5.4+
+
+ Added new option UI_SSL_VERSION, to allow the setting of the SSL
+ protocol version that the UI server allows
+
+ Added window Detach option to UI search system logs
+
+ UI display changes
+
+ Fixed files permissions issue affecting System Graphs and lfd Graphs
+ in DA
+
+6.30 - Prevent HTML rendering of watch and search system log file output
+
+6.29 - Removed CLUSTER_PORT from sanity checking
+
+ Modified changelog to state that HTACCESS_LOG needs to be correct for
+ nginx LF_HTACCESS regexes
+
+ Added new UI option to watch (tail) system log files listed in
+ /etc/csf/csf.syslogs
+
+ Added new UI option to search (grep) system log files listed in
+ /etc/csf/csf.syslogs
+
+ Improvements to "View iptables Log" output in UI
+
+ Enable "SSL_honor_cipher_order" for UI IO::Socket::SSL sessions
+
+6.28 - Fixed sanity check for UID_INTERVAL
+
+6.27 - Modified Apache regexes for Apache v2.4+
+
+ Fixed UI configurable lines display for lfd.log
+
+ Fixed length display text for CLUSTER_KEY in csf.conf
+
+ Ignore suspendedpage.cgi triggers for LF_SYMLINK on cPanel servers
+
+ Updated sanity checks and ranges for csf.conf settings
+
+ Added RESTRICT_UI to Server Check recommended options
+
+ Modified Virtuozzo/OpenVZ FTP port check to verify kernel version
+ before issuing PASV port warning
+
+ Added new setting PS_DIVERSITY. To specify how many different ports
+ qualifies as a Port Scan you can increase this value. The risk in
+ doing so will mean that persistent attempts to attack a specific
+ closed port will not be detected and blocked. The setting defaults to
+ the original setting of 1
+
+ Added 3 LF_HTACCESS regexes for nginx.
Remember to set HTACCESS_LOG
+ correctly for the location of the nginx error log
+
+6.26 - Fixed UI issue with some settings sent via the Cluster Config option
+
+ Modified CONNLIMIT_LOGGING rule insertion point
+
+ Added new feature: Outgoing UDP Flood Protection. This option limits
+ outbound UDP packet floods. These typically originate from exploit
+ scripts uploaded through vulnerable web scripts. The feature is
+ controlled by: UDPFLOOD, UDPFLOOD_LIMIT, UDPFLOOD_BURST,
+ UDPFLOOD_LOGGING, UDPFLOOD_ALLOWUSER
+
+ Update the TOR URL in existing /etc/csf/csf.blocklists file if still
+ set to the old URL
+
+6.25 - Fixed UI "Temporary IP entries > Flush all temporary IP entries"
+
+ Fixed UI_USER and UI_PASS being emptied on saving the firewall
+ configuration through the UI
+
+ Fixed CLUSTER_KEY not displaying when RESTRICT_UI is disabled
+
+6.24 - Security - Removed items from Cluster Config UI option if RESTRICT_UI
+ enabled
+
+6.23 - Security - added new option RESTRICT_UI. This options restricts the
+ ability to modify settings within csf.conf from the csf UI. Should
+ the parent control panel be compromised, these restricted options
+ could be used to further compromise the server. This option is enabled
+ by default on all installations
+
+ Added entries to csf.pignore on new installations on cPanel servers
+ for Dovecot v2.2 (cPanel v11.40+)
+
+ Fixed UI Template validation error message
+
+6.22 - Security Fix - Sanitised user data input to prevent running
+ unauthorised commands via the UI. A user would require root access to
+ exploit this, so vulnerability is probably low.
Thanks to Steven at
+ Rack911.com for reporting this issue
+
+ Added Password ENV variable check to Server Check on cPanel servers
+
+ Update cPanel ACL Driver installations to change force cache update
+ using "touch" instead of removing the cache
+
+ Modified TOR URL in /etc/csf/csf.blocklists to use:
+ http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
+
+6.21 - Modified auto-update logic to only create the /etc/cron.d/csf_update
+ file if it does not already exist
+
+ Fix permissions on csf man file and directory
+
+ Modified webmin module paths to be relative rather than absolute so
+ that webmin via mod_proxy works correctly
+
+ Fixed "in" direction --tempallow/--tempdeny leaking into [comment]
+
+ Added nginx regex for ModSecurity rule detection. Remember to set
+ MODSEC_LOG correctly for the location of the nginx error log
+
+ Fixed file permission/ownership problem on DirectAdmin servers for the
+ /plugins directory
+
+6.20 - Introduced a new directory structure to get closer to the Linux
+ Filesystem Hierarchy Standard (FHS):
+ /etc/csf/ - (mostly) configuration files
+ /var/lib/csf/ - temporary data files
+ /usr/local/csf/bin/ - scripts
+ /usr/local/csf/lib/ - perl modules and static data
+ /usr/local/csf/tpl/ - email alert templates
+ Existing data and templates files are migrated into the new structure
+ automatically. Some files and directories are symlinked to /etc/csf/
+ for backwards compatibility and ease of use.
See the following for
+ individual file locations in the new configuration:
+ http://blog.configserver.com/?p=7
+
+ CC_LOOKUPS rDNS reporting improvements
+
+ HTTP::Tiny upgraded to v0.033
+
+ Removed Security Token check from Server Check Report now that it is
+ implicitly set in v11.18.0+
+
+ Switched the location of the csf.pl and lfd.pl binaries with their
+ symlinks
+
+ Code tidy for servercheck.pm, csfui.pl
+
+ Allow comments to be appended to csf --tempdeny and csf --tempallow in
+ the same way as csf --deny and csf --allow. Also made the options more
+ flexible in usage of optional elements
+
+ Added Comments field to UI for Quick Allow, Quick Deny, and Temporary
+ Allow/Deny
+
+ Added csf(1) man page and changed csf --help to use a text version of
+ the new man page
+
+ Fixed unnecessary open of csf.fignore
+
+6.15 - Modified MaxMind City Database lookup code to be more resilent
+
+6.14 - Added support for cPanel v11.38.1+ AppConfig addon registration
+
+ NOTE: In accordance with the new conventions for v11.38.1+ AppConfig
+ the url to the csf WHM plugin will change from /cgi/addon_csf.cgi to
+ /cgi/configserver/csf.cgi. This will only happen with csf v6.14+ and
+ cPanel v11.38.1+. Older version of csf will continue to use the old
+ URL. This has no particular relevance to users accessing through WHM,
+ but will affect direct URL access by users or third party
+ applications
+
+ Added support for cPanel v11.38.1+ Custom ACL driver. This creates an
+ ACL (software-ConfigServer-csf) which must be used to grant resellers
+ access via "WHM > Edit Reseller Nameservers and Privileges > Third
+ Party Services > ConfigServer Security & Firewall (Reseller UI)" when
+ running cPanel v11.38.1+
+
+ Added Server Check for AppConfig restrictions for cPanel v11.38.1+
+
+ Switched from using Geo::IP::PurePerl to Geo::IP perl module
+
+ Added MaxMind GeoIP Anonymous Proxies to csf.blocklists for new
+ installs
+
+ Added new setting CSFDATADIR.
This is the location of the csf and lfd
+ temporary data. By default it is set to the current value of /etc/csf
+ with the intention of moving this data to /var/lib/csf in the future
+ in a move towards the Linux Filesystem Hierarchy Standard (FHS)
+
+ Moved the default location for ST_DISKW_DD to /var/lib/dd_test for new
+ installations
+
+6.13 - Fixed Server Check for dhclient
+
+6.12 - Added iptables UID logging for dropped outgoing packets
+
+ New feature - DROP_OUT_LOGGING. Enables iptables logging of dropped
+ outgoing connections. Where available, these logs will also include
+ the UID connecting out which can help track abuse. Note: Only outgoing
+ SYN packets for TCP connections are logged. The option is not enabled
+ by default, but we recommend that it is enabled
+
+ Option DROP_ONLYRES now only applies to incoming port connections
+
+ New feature - User ID Tracking. This feature tracks UID blocks logged
+ by iptables to syslog. If a UID generates a port block that is logged
+ more than UID_LIMIT times within UID_INTERVAL seconds, an alert will
+ be sent. Requires DROP_OUT_LOGGING to be enabled
+
+ Modified Port Scan Tracking regexes to ensure only incoming
+ connections are tracked
+
+ Added Server Check for dhclient running
+
+ Added Server Check on cPanel servers for antirelayd
+
+ Added Server Check for a swap file (don't bother on Virtuozo)
+
+ Added Server Check for xinetd, qpidd, portreserve and rpcbind in
+ Services Check since most people won't use them
+
+6.11 - Fixed SMTP_ALLOWLOCAL not functioning correctly. Added IPv6 support
+ for SMTP_ALLOWLOCAL
+
+ Removed SMTP_BLOCK restriction for IPv6 requiring port 25 to be
+ present in TCP6_OUT
+
+6.10 - New feature - separate Blocklist configuration file to allow for
+ expansion of the available block lists.
The following options have
+ been removed from csf.conf and a new csf.blocklists file added to
+ configure blocklists:
+ LF_DSHIELD, LF_SPAMHAUS, LF_TOR, LF_BOGON
+
+ During the upgrade if those options were enabled, then they will be
+ enabled in the new csf.blocklists file. If you used a custom blocklist
+ URL in one of those options you will have to manually add it to the
+ new configuration.
+
+ Modified UI to provide edit function for csf.blocklists
+
+6.09 - Modified csf UI to detect Webmin install and symlink script and images
+ directory so as to no longer require Webmin module update on a new csf
+ version
+
+ Tidied up csf UI html
+
+ Fixed System Statistics graph display when using Webmin
+
+ Modified Server Security check to only perform GENERIC test when using
+ Webmin to prevent hanging processes
+
+ Added CLI options --car, --carm. This removes an allowed IP in a
+ Cluster and removes it from /etc/csf.allow
+
+ Added new options LF_WEBMIN, LF_WEBMIN_PERM. This feature adds login
+ failure detection for Webmin in WEBMIN_LOG
+
+ Added new option LF_WEBMIN_EMAIL_ALERT. This feature sends an email
+ if a successful login to Webmin is detected in WEBMIN_LOG
+
+ Modified LF_SCRIPT_ALERT text in csf.conf for cPanel servers
+
+ Modified proftpd regex to cope with non-standard format and to remove
+ trailing colons from account name
+
+ Modified LF_SCRIPT_ALERT regex to cater for paths containing spaces
+
+ Improvements to LF_SCRIPT_ALERT memory usage and possible script
+ detection
+
+ Added alternative LF_SCRIPT_ALERT regex for specific 1H.com exim
+ logging ACL
+
+6.08 - Added IPV6_SPI workaround for CentOS/RedHat v5 and custom kernels that
+ do not support IPv6 connection tracking by opening ephemeral port
+ range 32768:61000. This is only applied if IPV6_SPI is not enabled.
+ This is the same workaround implemented by RedHat in their sample
+ default IPv6 rules
+
+6.07 - Fixed issue with processing /proc/PID/stat for process information
+
+6.06 - Prevent csf/lfd from failing to run if a non-critical configuration
+ file does not exist
+
+ In webmin, force table stylesheet to override webmin css. Requires
+ webmin module reinstall on existing installations
+
+6.05 - Improvements to minimal perl module detection on new installs
+
+ Bugfix for default lfd.pl perl shebang
+
+6.04 - Implement slurp routine for configuration files to cater for incorrect
+ linefeeds
+
+ Ignore leading and trailing spaces from lines in configuration files
+
+ Fixed Include statements in csf.ignore not implemented in lfd
+
+ Additional debug logging for RT_*_LIMIT added
+
+ Replaced call to Time::HiRes::sleep with standard sleep
+
+ Additional dovecot entries in csf.pignore for new installations
+
+6.03 - Switched from using LWP to HTTP::Tiny to reduce memory footprint and
+ reliance on the LWP perl module. The HTTP::Tiny module is included in
+ the distribution, so no further action is necessary
+
+ Modified lfd perl module loading to be conditional where possible to
+ reduce lfd memory footprint
+
+ Modify initial file processing to reduce lfd memory footprint
+
+ Modify PS_PORTS processing to reduce lfd memory footprint
+
+ Moved init of Geo::IP::PurePerl into iplookup subroutine
+
+ Removed "DEFERRED" login failure checking from CPANEL_LOG regex due to
+ false-positives
+
+ Modify LF_DIRWATCH_DISABLE so that only files are added to
+ suspicious.tar and removed. Suspicious directories will no longer be
+ removed
+
+ Removed File::Path - no longer required
+
+6.02 - Modify MESSENGER HTML header to return code 403 instead of 200
+
+ Modify UI daemon to fallback to IPv4 if IPV6 setting is not enabled
+
+ Added new options LF_SYMLINK and LF_SYMLINK_PERM.
This feature enables
+ detection of repeated Apache symlink race condition triggers from the
+ Apache patch provided by:
+ http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
+ This patch has also been included by cPanel via the easyapache option:
+ "Symlink Race Condition Protection"
+
+6.01 - Ensure all binaries are called with their full paths for the scheduled
+ Server Security Check reports
+
+ Allow csf -u/-uf/--update and -c/--check when csf is disabled
+
+ Make RT_* checks IPv6 compatible
+
+ Added dns query caching for ip lookups during lfd process lifetime
+
+ Modify TOR rule loading to use FASTSTART in lfd if enabled
+
+ Added iptables locking to FASTSTART code
+
+ LF_INTERVAL now defaults to 3600 on new installations to better cope
+ with slow brute force login attempts
+
+ Removed references to .cpanel.net being ignored from the changelog as
+ they no longer apply and could cause confusion
+
+ Fix csf.rignore loader regex causing unnecessary DNS lookups if file
+ has no entries
+
+ Added "DEFERRED" login failure checking to CPANEL_LOG regex
+
+6.00 - Major new option - FASTSTART:
+
+ This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
+ IP6TABLES_RESTORE in two ways:
+
+ 1. On a clean server reboot the entire csf iptables configuration is
+ saved and then restored, where possible, to provide a near instant
+ firewall startup[*] during the boot sequence
+
+ 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS,
+ DSHIELD, BOGON, TOR are loaded using this method in a fraction of
+ the time than if this setting is disabled
+
+ [*] Not supported on all OS platforms
+
+ FASTSTART allows for very quick startup at reboot and during
+ uptime. If the Country Code blocking options (CC_*) are used, their
+ tables are loaded by csf and lfd almost instantly, compared to many
+ minutes for large countries previously
+
+ FASTSTART is enabled on new installations (or those in TESTING
+ mode).
Existing installations will need to enable it manually
+
+ Other Changes:
+
+ Improvements to csf and lfd init routines
+
+ LF_QUICKSTART renamed to LFDSTART, setting value preserved
+
+ Fixed a problem with scheduled Server Security Check reports
+
+ Crypt::CBC upgraded to v2.32
+
+5.79 - Modified csf error routine to store failing error in csf.error and
+ display an instructional message
+
+ Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM
+
+ Modified the Server Report proxysubdomains check on cPanel servers
+
+ Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP,
+ CC_DENY_PORTS_UDP. This feature denies access from the countries
+ listed in CC_DENY_PORTS to listed TCP/UDP ports. For example, using
+ this FTP access port 21 could be blocked to only the specified
+ countries
+
+5.78 - Due to issues that some are experiencing with the switch from the
+ state to the conntrack module a new settings has been added
+ USE_CONNTRACK which is disabled by default except on servers running
+ kernel 3.7+ where on new installations it will be enabled
+
+5.77 - Add an exception for the useless Virtuozzo kernels iptables
+ implementation so that csf uses the deprecated state module instead of
+ conntrack
+
+5.76 - Only add the /128 IPv6 bound address per NIC instead of the whole /64
+ to the local IPv6 addresses
+
+ Modify SSHD and SU regexes to allow for empty hostname field in log
+ file
+
+ Added new option UNBLOCK_REPORT.
This option will run an external
+ script when a temporary block is unblocked
+
+ Additional entries in csf.logignore on new installations
+
+ Switched from using the iptables state module to using the conntrack
+ module in preparation of the formers obsolescence
+
+ Removed LF_EXPLOIT_CHECK and replaced it with LF_EXPLOIT_IGNORE so
+ that new tests can be easily added and then ignored desired
+
+ Added new LF_EXPLOIT check SSHDSPAM to check for the existence of
+ /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9, See:
+ http://www.webhostingtalk.com/showthread.php?t=1235797
+
+5.75 - Fixed issue with single quotes appearing in CC lookup names leading to
+ lfd IP blocks to fail
+
+5.74 - Additional entries in csf.pignore for the cPanel installation to cater
+ for v11.36 processes on new installations
+
+ Added workaround for cPanel /etc/cpupdate.conf check in Server Report
+ for changes in v11.36
+
+ Additional entries in csf.logignore on new installations
+
+ Try harder to get a CPU temperature if lm_sensors is installed for
+ System Statistics
+
+ Enforce PORTFLOOD setting restrictions and issue warning if entry
+ discarded
+
+ Correct location of CC_ALLOWF in LOCALINPUT after update from lfd
+
+ Make CC_[chain] actions more verbose in lfd.log
+
+ Added new options CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP,
+ CC_ALLOW_PORTS_UDP. This feature allows access from the countries
+ listed in CC_ALLOW_PORTS to listed TCP/UDP ports. For example, using
+ this FTP access port 21 could be restricted to only the specified
+ countries
+
+ Moved temporary and csf.allow/csf.deny rules from
+ LOCALINPUT/LOCALOUTPUT chains to ALLOWIN/ALLOWOUT to allow for the new
+ CC_ALLOW_PORTS feature
+
+ Modified SMTP_PORTS to include ports 465 and 587 on new installations
+
+ Added new option PT_FORKBOMB. Fork Bomb Protection.
This option checks
+ the number of processes with the same session id and if greater than
+ the value set, the whole session tree is terminated and an alert sent
+
+5.73 - Fixed issue with crontab line for TESTING option not being detected
+ and removed when TESTING mode is disabled
+
+5.72 - Added missing DD setting in DA and generic installations for ST_DISKW
+
+ Modified IPv6 port settings to reflect IPv4 port settings for new
+ installs in csf.conf
+
+ If a deleted executable process is detected and reported then do not
+ further report children of the parent (or the parent itself if a child
+ triggered the report) if the parent is also a deleted executable
+ process
+
+ Parent PID added to PT_DELETED_ACTION parameters
+
+ In the Server Report allow for spaces before Apache directives
+
+ Updated instructions for modifying log_selector for exim
+ configurations in readme.txt and Server Report
+
+ Modify DD calculation for ST_DISKW for disks that report in GB/s
+
+ Updated to use the new cPanel 11.36+ integrated perl binary if exists
+
+5.71 - Fixed problem processing dd output for ST_DISKW on some systems
+
+ Fixed dovecot imap login failure regex processing
+
+ Added regexes for dovecot pop3 and imap raw logs (i.e. not syslog)
+
+5.70 - Fixed an issue with PERMBLOCK introduced in v5.68
+
+5.69 - Fixed duplicate entries in csf.conf on GENERIC installations
+
+5.68 - New feature added - LF_DIST_INTERVAL. This option provides a separate
+ timing interval for both LF_DISTFTP and LF_DISTSMTP.
By default it is
+ set to 300 seconds
+
+ Implemented better handling of repeat blocks when an IP is already
+ temporarily or permanenetly blocked
+
+ Added missing inclusion of Time::HiRes in csf.pl
+
+ Silence LF_DISTFTP and LF_DISTSMTP ignored IP logging to lfd.log
+ unless DEBUG enabled
+
+ Silence DYNDNS IP address updates to lfd.log unless DEBUG enabled
+
+ RELAYHOSTS setting now defaults to "0" to improve security on cPanel
+ servers
+
+ Increased default value of DENY_IP_LIMIT to 200
+
+5.67 - Fixed a problem with permanent IP blocking when using LF_SELECT
+
+5.66 - Implemented a new locking system to try to mitigate an iptables bug
+ when issuing concurrent iptables commands
+
+ Implement flushing on the lfd pid file so that it is always accurate
+
+ Improvements to csf --grep [ip] to escape regular expression matching
+
+ New feature added - LF_REPEATBLOCK. This option instructs csf to deny
+ an already blocked IP address the number of times set. See csf.conf
+ for more information
+
+ New feature added - LF_BLOCKINONLY. This option instructs csf to only
+ block inbound traffic from those IP's and so reduces the number of
+ iptables rules, but at the expense of effectiveness. See csf.conf for
+ more information
+
+ New feature added - ST_DISKW. This option adds disk write performance
+ statistics to the stats graphs. See csf.conf for more information
+
+ Fixed file location for Debian and derivative OS's for
+ /etc/mysql/my.cnf in Server Check
+
+5.65 - Removed some of the command locking as it was causing hangs
+
+5.63 - Implemented a locking and retry system to try to mitigate an iptables
+ bug when issuing concurrent iptables commands
+
+5.62 - Added ModSecurity connection dropping to the LF_MODSEC regex
+
+ Added new option - ETH6_DEVICE. By adding a device to this option,
+ ip6tables can be configured only on the specified device. Otherwise,
+ ETH_DEVICE and then the default setting will be used
+
+ Added new option - LF_SCRIPT_ACTION.
On cPanel servers, this can
+ contain the path to a script that is run whenever LF_SCRIPT_ALERT is
+ triggered
+
+ Fixed stats graph average calculation and display if average equals 0
+
+ Split Slow MySQL Queries stats graphs from MySQL Queries
+
+ Improvements to Apache CPU Usage stats graphs
+
+5.61 - On Debian systems, check for my.cnf in /etc/mysql/my.cnf in Server
+ Check
+
+ Add missing/changed images in the DA/Webmin installs. For webmin, the
+ csf webmin module will need to be reinstalled
+
+ Another fix for LF_NETBLOCK to skip IPv6 addresses
+
+ Fixed csf --tempallow where -d [direction] was performing inout when
+ in requested
+
+ Fixed UI option "Edit the Log Scanner file (csf.logfiles)" which was
+ incorrectly overwriting csf.dyndns instead of writing to csf.logfiles
+
+ Changed ETH_DEVICE_SKIP device check from a failure to a warning
+
+ Skip checks for register_globals and suhosin if running PHP v5.4.* in
+ Server Check report
+
+5.60 - Added new options to include the Spamhaus Extended DROP list. These
+ additional netblocks are included in the main Spamhaus chain. The
+ feature uses LF_SPAMHAUS_EXTENDED and LF_SPAMHAUS_EXTENDED_URL which
+ are enabled by default, but used only if LF_SPAMHAUS is enabled. To
+ force a reload of the SPAMHAUS list to include the Extended list,
+ delete /etc/csf/csf.spamhaus file after upgrading to this version and
+ then restart lfd
+
+ Added new options to allow blocking of TOR Bulk Exit nodes. This works
+ in the same manner as the LF_SPAMHAUS and LF_DSHIELD options. The
+ feature uses LF_TOR and LF_TOR_URL and is disabled by default.
+ Warning: This could block legitimate users who are trying to protect
+ their anonymity, so use with caution
+
+ Fix LF_NETBLOCK to skip IPv6 addresses as it is unsupported as has
+ long been stated in csf.conf
+
+ Added missing html elements in UI
+
+ Added unblock button to UI IP searches when results is either in
+ csf.deny or a temporary block
+
+ Implemented a locking system to mitigate iptables stability issues
+ when loading concurrent iptables chains in lfd
+
+ Fixed bug in the display of the 30 days ST_SYSTEM stats
+
+ Added new option ST_SYSTEM_MAXDAYS. This allows you to define the
+ maximum number of days of stats to collect (default 30 days)
+
+ Increased stats graph sizes
+
+ Added CIDR checking of csf.allow to the CLI command csf --deny
+
+ Added checking of csf.ignore to the CLI command csf --deny
+
+5.59 - Fixed a loop which caused high load when using GLOBAL_IGNORE
+
+ Improvements to GLOBAL_IGNORE load speed and effectiveness
+
+ Improvements to CC_IGNORE load speed
+
+5.58 - Corrected ST_APACHE error message return text
+
+ Add meaningful message if stats graph generation fails in UI
+
+ Added new icon in UI for "Quick Allow" that inserts the current
+ visitors IP address
+
+ Added new icon in UI for "Quick Ignore" that inserts the current
+ visitors IP address
+
+ Replaced some of the included icons
+
+5.57 - Added new option PT_APACHESTATUS to configure the URL to the Apache
+ Status URL during PT_LOAD alert report
+
+ Added Apache Statistics to ST_SYSTEM. A new option ST_APACHE must be
+ set to collect these statistics and PT_APACHESTATUS must be correctly
+ set. ST_APACHE is disabled by default
+
+ Modification to SYSLOG option to remove the later introduced "nofatal"
+ option to improve backwards compatibility, also enable the "pid"
+ option to log the process ID
+
+ Added new options SYSLOG_CHECK and SYSLOG_LOG to check whether syslog
+ is running. See csf.conf for more information.
This option is disabled
+ by default, but we recommend that it is enabled on all servers
+
+ Added SYSLOG_CHECK to Server Check Report recommended settings
+
+5.56 - Improvements to ST_MYSQL password detection in /root/.my.cnf where the
+ password is quoted
+
+ Improvements to the SMTP AUTH regex to cope with differing settings in
+ exim log_selector
+
+ Removed debugging code in SMTP AUTH regex detection
+
+5.55 - Update Fedora version check now that v17 has been released
+
+ Added MySQL Connection and Thread statistics to ST_MYSQL/ST_SYSTEM
+
+ Modified Server Check Report for cPanel servers see whether mod_ruid2
+ has been enabled making the Apache suEXEC check moot
+
+ Improvements to the SMTP AUTH regex to cope with differing settings in
+ exim log_selector
+
+5.54 - Modified ST_MYSQL connection errors to advise disabling ST_MYSQL if it
+ is not used
+
+ ST_MYSQL now disabled by default on new csf installations
+
+5.53 - Added Email Usage to the ST_SYSTEM System Statistics feature when RT_*
+ options are enabled
+
+ Fixed incorrect Min/Max calculations in System Statistics
+
+ Improvements to Disk Usage stats in System Statistics for some virtual
+ environments
+
+ Added CPU Temperature to the ST_SYSTEM System Statistics feature when
+ lm-sensors/coretemp installed and enabled (highest core temp recorded)
+
+ Added MySQL graphs to the ST_SYSTEM System Statistics feature when
+ ST_MYSQL is installed and enabled - requires DBI and DBD::mysql perl
+ modules. Authentication is via new ST_MYSQL* options. The option is
+ enabled on cPanel servers by default, disabled on others
+
+ Modified stats collection routine to append data to the stats file on
+ each minute interval and to clean up only on lfd startup. This is to
+ help minimise the risk of the stats file being incomplete due to
+ process termination
+
+ Added new options LF_DISTSMTP, LF_DISTSMTP_UNIQ and LF_DISTSMTP_PERM.
+ This option will keep track of successful SMTP logins.
If the number
+ of successful logins to an individual account is at least LF_DISTSMTP
+ in LF_INTERVAL from at least LF_DISTSMTP_UNIQ IP addresses, then all
+ of the IP addresses will be blocked. This option can help mitigate the
+ common SMTP account compromise attacks that use a distributed network
+ of zombies to send spam (exim MTA only). Not enabled by default
+
+ Modified Server Check Report for cPanel servers see whether mod_ruid2
+ has been enabled making the PHP Handler check moot
+
+ Modified the ModSecurity regex to cater for the paid Atomic rules
+ Apache error log non-standard format
+
+ Modified non-cPanel new installs to disable ST_SYSTEM by default
+
+5.52 - Alternative kill and status methods employed for lfd init process on
+ Debian/Ubuntu
+
+ Added new feature: System Statistics. This option will gather basic
+ system statstics. Through the UI it displays various graphs for disk,
+ cpu, memory, network, etc usage. The feature requires the perl module
+ GD::Graph. It is enabled by default with the ST_SYSTEM option
+
+5.51 - Updated Donation buttons
+
+5.50 - Removed check for Melange on cPanel servers from Server Check Report
+
+ Improvements to the cPanel exim SMTP AUTH login failure regex after
+ changes in cPanel v11.32
+
+ Added exe:/usr/local/cpanel/3rdparty/sbin/mydns to csf.pignore for new
+ installs on cPanel servers
+
+ Additional cmd/pcmd suggestions added to csf.pignore for new installs
+ on cPanel servers (not enabled)
+
+5.49 - Remove atd from Service Check in Server Check Report
+
+ Ensure all DNS traffic between non-local IP addresses in
+ /etc/resolv.conf is allowed through the firewall when DNS_STRICT_NS is
+ not enabled
+
+ Added exim to example script pt_deleted_action.pl
+
+ Added /var/log/cxswatch.log to csf.logfiles for new installations
+
+ Added new option LF_ALERT_SMTP which allows lfd to be configured to
+ send alert emails via SMTP instead of through the SENDMAIL binary.
+ LF_ALERT_SMTP needs to be set to the name or IP address of the SMTP
+ server to use this feature
+
+ Added new option CC_DROP_CIDR. Set this option to a valid CIDR to
+ ignore CIDR blocks smaller than this value when implementing
+ CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can help reduce the number of
+ CC entries and may improve iptables throughput
+
+ Improved installation procedure for checking required perl modules
+
+5.48 - New option LF_QOS added which matches hits against the mod_qos Apache
+ module
+
+ New option LF_CXS added which matches hits against the mod_security
+ Apache module rule for cxs if implemented
+
+5.47 - Improvements to non-core perl module loading
+
+ Improvements to PT_LOAD Apache Status retrieval and messages
+
+ Regex modifications to cater for Dovecot v2.1+
+
+ On cPanel servers, block additional ports that exim uses in the WHM >
+ Service Manager for RT_*_BLOCK
+
+5.46 - Modified upgrade warning for integrated UI to not use the DA warning
+ text
+
+ Validate local IP addresses
+
+ Only check local IPv6 addresses if IPV6 is enabled in config
+
+ Separate IPv4 from IPv6 ignore CIDRs due to Net::CIDR::Lite
+ restrictions
+
+ Improvements to ignore files IP address validation
+
+ Add server check for PHP v5.2.* to the obsolete/security risk list
+
+ Add server check for RedHat/CentOS v4.* and Fedora < v15 to the
+ obsolete/security risk list
+
+ Removed server checks for RLimitMEM/RLimitCPU
+
+5.45 - Only log Log Scanner in lfd.log if DEBUG set to 2 to allow empty
+ reports if monitoring lfd.log
+
+ Added new option LF_BOGON_SKIP. If you don't want BOGON rules applied
+ to specific NICs, then list them in a comma separated list
+
+ Added new option LF_CONSOLE_EMAIL_ALERT which will send an email if
+ there is a root login to the server console. This is enabled by
+ default
+
+5.44 - New feature - Log Scanner. This feature will send out an email summary
+ of the log lines of each log listed in /etc/csf/csf.logfiles.
All
+ lines will be reported unless they match a regular expression in
+ /etc/csf/csf.logignore
+
+ Set LWP::UserAgent agent to "csf/[version]" instead of the default
+
+5.43 - csf and lfd modified to better handle !lo interface for compatibility
+ with newer iptables versions
+
+ Removed use of Sys::Hostname::Long
+
+ Added new options LF_APACHE_403 and LF_APACHE_403_PERM. This option
+ will keep track of the number of "client denied by server
+ configuration" errors in HTACCESS_LOG. If the number of hits is more
+ than LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be
+ blocked. See csf.conf for more information
+
+5.42 - SECURITY FIX. Anyone running csf on a DirectAdmin server should
+ upgrade to this release immediately:
+
+ Add check for successful open of admin.list on DA servers to avoid
+ a segfault, which could lead to a buffer overflow
+
+5.41 - Added text description of allow/deny made by cPanel Resellers via UI
+ in csf.allow and csf.deny
+
+ If cPanel UI Resellers email alerts are enabled, a csf grep will be
+ performed before an IP adress is unblocked and the output included in
+ the alert email, together with the results of the UNBLOCK
+
+ If cPanel UI Resellers email alerts are enabled, the results of an
+ ALLOW or DENY will be included in the alert email
+
+ Added logging of cPanel UI Reseller actions ALLOW/DENY/UNBLOCK to
+ /var/log/lfd.log
+
+ Update to urlget to not fail on empty file if successfully retrieved
+
+ Take Integrated UI out of BETA as no reported issues
+
+ Take csf.redirect out of BETA as no reported issues
+
+5.40 - Added new feature - csf UI Reseller functions for cPanel.
See
+ /etc/csf/csf.resellers and WHM UI
+
+ Improvements to cse Integrated UI
+
+ Modified redundant cPanel function calls in UI
+
+ Removed ModSecurity functionality in UI
+
+ Modified WHM UI "Remove Deny" to be "Quick Unblock" that now removes
+ a specified IP address entries from csf.deny and/or temporary blocks
+
+5.39 - Fixed detection of the nat tables on some Virtuozzo VPS servers
+
+5.38 - Modification to the Integrated UI to allow access to cxs if it is
+ installed via UI_CXS
+
+ Include an updated cse with csf for use with the Integrated UI via
+ UI_CSE
+
+ Added option UI_CIPHER to allow the SSL cipher suite to be set
+ manually for the Integrated UI
+
+ Added HTTP request internal memory limits to the Integrated UI
+
+5.37 - Added new BETA feature - User Interface. This feature provides a HTML
+ UI to csf and lfd, without requiring a control panel or web server.
+ The UI runs as a sub process to the lfd daemon. See csf.conf and
+ readme.txt for information and requirements
+
+ Fixed issue with RT_* regex routine ignoring 127.0.0.1
+
+ Fixed detection of DNSONLY cPanel installs
+
+ Added Security Check on cPanel server checks for disabled "Proxy
+ subdomains" and "Proxy subdomain creation"
+
+ Added new option LF_CPANEL_ALERT_ACTION. If a LF_CPANEL_ALERT event is
+ triggered, then if LF_CPANEL_ALERT_ACTION contains the path to a
+ script, it will run the script and passed the ip and username and the
+ DNS IP lookup result as 3 arguments
+
+5.36 - Fix for the lfd child lock mechanism effectiveness
+
+5.35 - Added new BETA feature - Port/IP address Redirection. This feature
+ uses the file /etc/csf/csf.redirect to redirect connections from/to
+ IP/port combinations to alternative IP/ports.
See readme.txt for more
+ information
+
+ Updated syslog daemon checking in Server Report
+
+ Set PT_DELETED to 0 by default on new installations
+
+ Improvements to csf startup locking within lfd
+
+ Improvements to error trapping between csf and lfd
+
+ Check minimum values for interval settings and set to recommended
+ values if too low during lfd startup to improve stability
+
+ Added lfd child locks to improve stability due too server or network
+ resource issues or too low an interval setting
+
+ Updated Sanity Checks for settings
+
+ lfd will now not start if TESTING is enabled
+
+ Do not require write permissions to /etc/crontab when no changes
+ required for TESTING mode enable/disable
+
+ Prevent parricide by lfd children unless required
+
+ Added nat table check in csf
+
+ Fixed bug in csf --grep not matching the nat table
+
+5.34 - Improvement to dovecot account name sanitisation checks in lfd
+
+ Modified cronjobs for new installs to be compatible with anacron
+
+ Added new option CLUSTER_BLOCK which is enabled by default. This
+ allows you to disable automatic sharing of lfd blocks around a csf
+ cluster, e.g. if you only wish to use the CLUSTER option to share
+ settings and manual blocks and allows
+
+ Added new option RT_ACTION. If an RT_* event is triggered,
+ then if RT_ACTION contains the path to a script, it will be run in a
+ child process and be passed a list of items (see csf.conf - for cPanel
+ and DA only)
+
+ Fix to DYNDNS Advanced Allow/Deny Filters using pipe separator
+
+ Set permissions to 700 on *.sh, *.pl and *.php in /etc/csf/ instead of
+ a blanket 600 of non-csf scripts
+
+5.33 - Add link to the Changelog when csf is upgraded
+
+ Extended urlget timeout to 300 seconds to help cope with the large
+ MaxMind City Database download where enabled
+
+ Include cpdavd login failures for LF_CPANEL.
Added port 2077 and 2078
+ to the cPanel block ports when LF_SELECT enabled
+
+ Disable ftp Server Check reports if ftp server disabled in cPanel
+
+ Added regex validation to any specified csf.pignore or csf.figonre
+ entries to lfd
+
+ Updated cPanel tier checks to cope with old STABLE and DNSONLY
+ releases and newer v11.30+
+
+ Improvement to account name sanitisation checks in lfd
+
+5.32 - AUTO_UPDATES enabled for new installations in csf.conf
+
+ Removed the JS LF_EXPLOIT_CHECK as it is no longer prevalent. If still
+ set in csf.conf it will be ignored
+
+ Check MESSENGER service to ensure privileges are dropped before
+ starting the daemon
+
+ Drop privileges when performing removal during LF_DIRWATCH_DISABLE
+
+ For new installations, IPV6 enabled if IP6TABLES exists and an IPv6
+ address is found in the output from IFCONFIG. IPV6_SPI is set
+ according to the kernel version (i.e. whether SPI is supported or not)
+
+5.31 - Updated the LF_TRIGGER_PERM explaination in csf.conf to properly
+ reflect the possible settings of LF_TRIGGER
+
+ Perform account name sanitisation checks in lfd
+
+5.30 - Fixed a SECURITY BUG that can be exploited remotely via log file
+ spoofing resulting in root privilege escalation. Our thanks to Jeff
+ Petersen for reporting this issue
+
+ All csf users should upgrade to this release immediately
+
+5.22 - New feature: Connection Limit Protection (CONNLIMIT,
+ CONNLIMIT_LOGGING). This option configures iptables to offer more
+ protection from DOS attacks against specific ports. It can also be
+ used as a way to simply limit resource usage by IP address to specific
+ server services. This option limits the number of concurrent new
+ connections per IP address that can be made to specific ports.
See
+ csf.conf and readme.txt for more information and about the format of
+ the CONNLIMIT option and its limitations
+
+ Minor csf UI Firewall Configuration virtual pagination improvements
+
+ Updated cPanel Server Check update settings for v11.30+
+
+ Removed cPanel Server Check for new versions due to changes in the
+ v11.30+ versioning system making this redundant
+
+ Updated MySQL Server Check for v5.1.*
+
+ Added a warning to csf.conf for SYNFLOOD to only enable the option if
+ you know you are under a SYN flood attack as it will restrict all new
+ connection to the server if triggered
+
+5.21 - Added port 500 to DROP_NOLOG for new installations
+
+ Corrected the LF_APACHE_404 lfd log line output
+
+ Added startup failure on invalid PORTFLOOD settings
+
+ Make csf.pignore item selector case-insensitive (e.g. exe: and EXE:)
+
+ All user: item selector examples removed from the default csf.pignore
+ for all new installations (e.g. user:mailman). csf.pignore examples
+ for some common processes can be found here:
+ http://forum.configserver.com/viewtopic.php?f=6&t=2059
+
+ Updated DA and GENERIC default csf.pignore files for new installations
+
+ csf UI Firewall Configuration virtual pagination improvements
+
+ Updated Sanity checks for settings in csf.conf
+
+ Modified Sanity checks for settings in csf.conf to always show the
+ recommended range in the UI
+
+ Set LF_GLOBAL to 0 instead of an empty string by default on new
+ installations
+
+ Added new option LF_LOOKUPS to toggle rDNS IP address lookups
+
+5.20 - Updated installation scripts to distinguish between IPv4 and IPv6 port
+ report
+
+ Modified Virtuozzo VPS numiptent check to distinguish between host and
+ client servers
+
+ Added exe:/usr/sbin/ntpd to csf.pignore on new installations
+
+ Don't perform the runlevel check on Debian/Ubuntu servers as it isn't
+ indicative of a potential security issue as with other Linux distros
+
+ Added new option PT_DELETED_ACTION which if defined with an executable
+ script will run if PT_DELETED is triggered passing the process PID,
+ executable and account. An example script is provided in:
+ /etc/csf/pt_deleted_action.pl
+
+ If CC_LOOKUPS enable for the MaxMind City Database then also display
+ the Region, where available
+
+ Added csf UI Firewall Configuration virtual pagination
+
+ Rearranged csf.conf for csf UI Firewall Configuration virtual
+ pagination
+
+ Re-instated sanity check highlights in csf UI Firewall Configuration
+
+ Improved Server Check recursion checking in included configuration
+ files
+
+ Added new options LF_APACHE_404 and LF_APACHE_404_PERM. This option
+ will keep track of the number of "File does not exist" errors in
+ HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in
+ LF_INTERVAL seconds then the IP address will be blocked. See csf.conf
+ for more information
+
+5.19 - Added stats workaround for February/March calculations
+
+ Added new option CC_IGNORE - this Country Code list will prevent lfd
+ from blocking IP address hits for the listed CC's
+
+ Reduced CC_* memory usage when loading zones
+
+ Modified lfd logging for regex.pm and regex.custom.pm login failures
+ to lfd.log to use the return reason from the regex match instead of a
+ generic message. This does mean that the format for these messages has
+ changed
+
+ DA Server Check for proftpd - check whether pureftp=1 in DA config
+
+ Replaced IP::Country and Geography::Countries with Geo::IP::PurePerl
+ using the MaxMind GeoLite Country database for CC_LOOKUPS
+
+ Added new option GUNZIP which is required to expand the MaxMind
+ GeoLite Country database
+
+ Extended CC_LOOKUPS which can now be configured to report Country Code
+ and Country and City using the MaxMind City Database.
See csf.conf for
+ more information
+
+ Added Donation buttons to csf UI main page
+
+5.18 - Remove RT_POPRELAY_* from csf.conf on DA servers as it does not apply
+
+ Improved Server Check for cPanel Update configuration check
+
+ Modifed csf restart to not start bandmin during the stop phase
+
+ Modified LF_DIRWATCH to remove dependency on File::Type
+
+ Modified LF_DIRWATCH for speedups and removed the need for a file size
+ limit
+
+ Debian v6 support confirmed
+
+ Added /etc/bind/named.conf.options to the list of named.conf files to
+ check for recursion settings (for Debian)
+
+5.17 - Updated Server Check for cPanel Update configuration check to cater
+ for the new format
+
+ Disable LFD service in DA on uninstall of csf using SED instead of
+ REPLACE
+
+5.16 - Fixed missing perm.png from DA install
+
+ Fixed Temporary IP Entries table headers in UI
+
+ If DENY_IP_LIMIT is reached, remove excess IPs from iptables as well
+ as csf.deny (previously only removed from csf.deny)
+
+ csf on cPanel servers automatically re-enables the cPanel Bandwith
+ chains after iptables is configured. If bandmin is not functioning, or
+ you don't use the bandmin stats you can disable this new option
+ LF_CPANEL_BANDMIN (enabled by default on cPanel servers)
+
+5.15 - Check for multiple Ports settings for sshd in /etc/ssh/sshd_config
+ when the LF_SELECT option is enabled
+
+ Updated SMTPAUTH regex to detect more login authentication methods
+
+ Updated AUTHRELAY regex to detect more login authentication methods
+
+ Added option to UI to permanently block temporarily blocked IP's
+
+5.14 - Updated RELAY regex to detect the dovecot/courier login authentication
+ methods on cPanel servers
+
+ Updated Server Check Report to reflect cPanel/WHM changes in v11.28,
+ including additional checks and updating reference text
+
+ Added checks to LF_DIRWATCH_FILE to ensure watched resources exist on
+ startup and while running a check.
Those that do not exist are ignored
+ and logged in lfd.log
+
+5.13 - Added obsolete OS checks for Fedora v11 and v12, plus RedHat/CentOS v2
+ and v3 in Server Check
+
+ Fixed broken reference URL's in Server Check for cPanel servers
+
+ Modified statistics to not display pie chart if no data is available
+
+ Sort LF_DIRWATCHFILE output by time to improve the reported results
+
+ Added new setting for AT_ALERT to only trigger on modification to the
+ root account (i.e. not all superuser accounts)
+
+ Tested successfully for support on Fedora v14 and Ubuntu v10.10
+
+5.12 - Added some lfd blocking statistics which can be viewed via the UI.
+ Requires gd graphics library and the GD::Graph perl module with all
+ dependent modules
+
+ Added 8th argument to BLOCK_REPORT for the setting that triggered the
+ block
+
+ Added setting that triggered a block to lfd log lines
+
+5.11 - Removed erroneous Port Knocking messages in lfd.log when
+ PORTKNOCKING_ALERT not enabled
+
+ Added 'exe:/usr/bin/postgres' to the cPanel csf.pignore for new
+ installations
+
+ Added retry timeout in WHM UI for checking www.configserver.com for
+ new version information (to avoid repeated hangs when unreachable)
+
+ Fixed LF_PERMBLOCK issue that flushed all temporary IP blocks, not
+ just the IP being permanently blocked
+
+ Added check to PHP Server Check that php -i output is complete
+
+5.10 - Always report UID:GID of a DIRWATCH file incase the user account
+ owning a reported file no longer exists
+
+ Report error gracefully on CIDR->add failures and continue
+
+ Added "query (cache)" check to BIND flooding regex
+
+ Fix issue with killing Advanced Port blocks using the pipe separator
+
+ Update warning messages to include xt_owner with ipt_owner
+
+ Replace URL in Server Check for instructions on disabling IPv6
+
+ Fixed a bug in LF_CPANEL_ALERT ip address tracking
+
+ Added new option LF_CPANEL_ALERT_USERS to be used with LF_CPANEL_ALERT
+ to alert for a specified list of WHM/cPanel
account logins. See
+ csf.conf for more information
+
+ Added new feature: Port Knocking. See csf.conf and readme.txt for more
+ information on the PORTKNOCKING, PORTKNOCKING_LOG and
+ PORTKNOCKING_ALERT options
+
+ Added new UI option: Quick Ignore, for IP addresses
+
+5.09 - Added Server Check report check that klogd is running if using syslogd
+ or that klog module is loaded if running rsyslogd
+
+ Added Server Check report, checks for apache settings: TraceEnable,
+ ServerSignature, ServerTokens and FileETag on cPanel servers
+
+ Fixed ip6tables IPV6_SPI check warning for older kernels
+
+ Added instruction to open outgoing TCP6 and UDP6 ports when using an
+ older kernel for ip6tables
+
+ IPv6 Final (no longer Beta)
+
+ Added new option LT_SKIPPERMBLOCK. If LF_PERMBLOCK is enabled but you
+ do not want this to apply to LT_POP3D/LT_IMAPD, then enable this
+ option
+
+ Added new option PT_USER_ACTION. If a PT_* event is triggered, then
+ PT_USER_ACTION will be run in a child process and passed the PID(s) of
+ the process(es)
+
+5.08 - New option CLUSTER_MASTER which is the IP of the master node in a
+ cluster allowed to send CLUSTER_CONFIG changes. This must be set in
+ order to use CLUSTER_CONFIG options
+
+ Added new Cluster CLI option --cfile (-cf) for sending a file to
+ cluster members. The file will only be uploaded to the /etc/csf/
+ directory
+
+ Added new Cluster CLI option --crestart (-crs) to initiate a restart
+ of csf and lfd on all cluster members
+
+ Removed CLI option -ccr, --cconfigr [name] [value] in favour of the
+ new --crs, --crestart option
+
+ Modified regular expressions to cater for RFC3339 date format in log
+ files.
For example, RFC3339 date format used by default in rsyslog on
+ CentOS v5.5
+
+5.07 - Fixed bug introduced in v5.04 that ommitted two outgoing DNS lookup
+ rules that could affect servers where iptables connection tracking
+ isn't working correctly
+
+5.06 - Increased PT_USERMEM default to 200 from 100 for new installations
+
+ Fixed bug introduced in 5.04 when checking the GLOBAL_ALLOW list for
+ report generation in lfd which caused lfd to fail in Net::CIDR::Lite
+
+5.05 - Updated the Server Check report IPv6 text
+
+ Fixed ip6tables command execution in iptables firewall during startup
+
+5.04 - Added BETA IPv6 support. See csf.conf for more information on the new
+ settings: IPV6 IP6TABLES IPV6_ICMP_STRICT IPV6_SPI TCP6_IN TCP6_OUT
+ UDP6_IN UDP6_OUT
+
+ New CLI option csf --status6 (csf -l6) added to list ip6tables rules
+
+ Changed temporary DENY and ACCEPT working file formats to use a
+ different record separator to cater for future IPv6 support
+
+ Advanced Allow/Deny Filters now use | as the separator character to
+ cope with IPv6 addresses. Legacy support remains for the old :
+ separator for IPv4 addresses, though these should also now use | as
+ the field separator
+
+ In Server Check report, don't issue IPv6 warning if only ::1/128 is
+ bound to a NIC (i.e. loopback)
+
+ Upgraded Net::CIDR::Lite to v0.21
+
+ Upgraded from IP::Countries to Geography::Countries
+
+5.03 - Added new option LF_DISTATTACK_UNIQ so that you can specify how many
+ unique IP addresses are required to trigger LF_DISTATTACK
+
+ Added new options LF_DISTFTP, LF_DISTFTP_UNIQ and LF_DISTFTP_PERM.
+ This option will keep track of successful FTP logins. If the number of
+ successful logins to an individual account is at least LF_DISTFTP in
+ LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of
+ the IP addresses will be blocked.
This option can help mitigate the
+ common FTP account compromise attacks that use a distributed network
+ of zombies to deface websites
+
+ Changed DA default configuration of FTPD_LOG to "/var/log/secure"
+
+5.02 - Added new options X_ARF, X_ARF_FROM and X_ARF_TO which allows sending
+ X_ARF reports (see http://www.x-arf.org/specification.html). See
+ csf.conf for more information
+
+ Added new options SMTP_ALLOWUSER and SMTP_ALLOWGROUP so that users and
+ groups that can bypass SMTP_BLOCK can be easily added. These default
+ to the original values previously hard-coded
+
+ Modified SMTP_ALLOWLOCAL to use the loopback device (lo) instead of
+ 127.0.0.1 to cater for multiple loopback devices and allows connection
+ to locally configured IPs as well
+
+ Modified lfd code to ignore any 127.0.0.0/8 address not just 127.0.0.1
+
+ Added new option CLUSTER_LOCALADDR to send out cluster requests on an
+ IP other than the default IP
+
+ Added lfd check to enforce 0600 permissions on /etc/csf/
+
+5.01 - Added a new 7th argument to BLOCK_REPORT that includes the log lines
+ that triggered the block (excludes LF_NETBLOCK and LF_PERMBLOCK)
+
+ Added new CLI option csf --tempallow (csf -ta) which works in exactly
+ the same way as csf --tempdeny (csf -td) except it provides a method
+ of temporary IP allows for a given duration. csf -t, csf -tf and
+ csf -tr now apply to both deny and allow entries
+
+ Allow the use of a duration suffix in csf -ta and csf -td for m, h and
+ d (minutes, hours and days). Only one suffix allowed and only integers
+
+ Updated UI entry for adding and removing temporary allows and blocks
+
+ Display temporary block TTL in days hours minutes and seconds
+
+ Added new CLI option csf --watch [ip] (csf -w [ip]) and configuration
+ option WATCH_MODE. This new option logs SYN packets from a specified
+ source as they traverse the iptables chains. This can be extremely
+ useful in tracking where that IP is being DROPed or ACCEPTed by
+ iptables.
See readme.txt for more information
+
+ Modified csf and lfd init scripts to be LSB-compliant
+
+ Modified BOGON/DSHIELD/SPAMHAUS block list retrieval to only download
+ the list if it has not already been retrieved within the configured
+ interval. This is to help prevent blacklisting by the list provider
+ for repeated downloads after frequent lfd restarts
+
+ Fixed problem with csf -q and csf -sf not restarting the firewall if
+ there was a previous startup error
+
+5.00 - lfd Clustering, final release. This new set of options (CLUSTER*) in
+ csf.conf allows the configuration of an lfd cluster environment where
+ a group of servers can share blocks and, via the CLI, configuration
+ option changes, allows and removes. See the readme.txt file for more
+ information and details, setup and security implications
+
+ Added new option LF_DISTATTACK. Distributed Account Attack detection.
+ This option will keep track of login failures from distributed IPs to
+ a specific application account. If the number of failures matches the
+ trigger value, ALL of the IP addresses involved in the attack will be
+ blocked. This option is currently disabled by default - see csf.conf
+ for more information
+
+ Added new option PT_USERKILL_ALERT if you want to disable email alerts
+ for PT_USERKILL triggers. This option is enabled by default, i.e.
+ alerts are sent
+
+ Added new options LF_QUICKSTART in csf.conf and CLI options -q,
+ --startq, -sf, --startf to allow deferral of csf startup to lfd
+ instead of waiting for the CLI to perform the work.
See the CLI help
+ and csf.conf for more information
+
+ Added UI option for "Firewall Quick Restart" which uses csf -q,
+ "Firewall Restart" uses csf -sf
+
+ lfd now restarts csf (if stopped and LF_CSF enabled) within the main
+ process to enhance the integrity of the firewall
+
+ Multiple login failure regex detection improvements
+
+ Fixed typos in permblock.txt
+
+4.99 - Improved csf locking to enhance the integrity of the firewall
+
+ Log lfd csf deny failures
+
+ New SSHD regex added
+
+ Improved the dovecot regex's
+
+ New Beta option: lfd Clustering. This new set of options (CLUSTER*) in
+ csf.conf allows the configuration of an lfd cluster environment where
+ a group of servers can share blocks and, via the CLI, configuration
+ option changes, allows and removes. See the readme.txt file for more
+ information and details, setup and security implications
+
+4.89 - New SSHD regex added
+
+ Added Server Check to check whether SSHD UseDNS is set to "no" - it
+ should be disabled
+
+ Added an Important Note to the readme.txt regarding the sshd UseDNS
+ setting
+
+ Speedup for LF_DIRWATCH regex matching
+
+4.88 - Fixed URL's in Server Check report for cPanel if Security Tokens are
+ enabled in v11.25+
+
+ Added ipv6 explanation that the information is determined from the
+ output from ifconfig and display ipv6 addresses found
+
+ Added the ability to use Include statements in csf.deny and csf.allow,
+ see readme.txt for information and restrictions
+
+4.87 - Ignore csf.rignore for LT_POP3D and LT_IMAPD
+
+ Removed unnecessary csf.locks during some GLOBAL list updates
+
+ Updated Copyright notice
+
+ Modified the block message for LF_MODSEC and LF_SUHOSIN to be more
+ appropriate (i.e. not "login failures")
+
+ Added new block options for BIND denied requests: LF_BIND,
+ LF_BIND_PERM, BIND_LOG. This works in the same way as the other
+ similar blocks, e.g. LF_SUHOSIN.
It will block IP addresses that have
+ had BIND (named) requests denied more than LF_BIND times in
+ LF_INTERVAL seconds. Currently named client denied log lines for
+ "update" and "zone transfer" trigger the option
+
+ Modified GLOBAL_ routines to continue if retrieval for one fails
+ instead of immediately exiting
+
+ Added IPv6 check to Server Check
+
+ Display DNS lookup results for IP addresses if CC_LOOKUPS is enabled
+ on single line comments (lfd.log, csf.deny, etc)
+
+ Added new options LF_PERMBLOCK_ALERT and LF_NETBLOCK_ALERT so that the
+ respective email alerts can be disabled
+
+ Updated IP::Country
+
+4.86 - Added Dovecot regex checking for LT_POP3D and LT_IMAPD
+
+ Modified Server Check for Fedora v10 EOL now that Fedora v12 has been
+ released
+
+ Improved Dovecot IMAP and POP3D login failure regex
+
+ Ignore RELAYHOSTS setting for LT_POP3D and LT_IMAPD
+
+ Fixed TLSCipherSuite Server Check for proftpd
+
+ Added SSHD regex for "Did not receive identification string from IP"
+ failures
+
+4.85 - Further improvements to ICMP rule filters
+
+ - Added backup mod_security log viewer for non-cPanel servers
+
+4.84 - Mod_security log viewer removed from csf in favour of cmc
+
+ Improved ICMP rule filters. This could help some hosts that experience
+ connection issues with csf
+
+ Added ICMP regex checking to Port Scan Tracking. Add ICMP to PS_PORTS
+ to include this, i.e.
to Port Scan for all ports use:
+ PS_PORTS = "0:65535,ICMP"
+ This is now the default on new installations
+
+4.83 - Added multiple checks to the Server Check for new cPanel v11.25
+ security settings
+
+ Tidied up and rearranged the main UI
+
+ Removed redundant UI options
+
+ Added total perm bans to UI
+
+4.82 - Removed the need for UI lfd cron restart jobs on Direct Admin
+
+4.81 - Fixed case sensitivity issue introduced in v4.80 with port specific
+ lfd deny lines being ignored
+
+4.80 - Modified WHM login regex to only trap successful root page displays
+ for LF_CPANEL_ALERT
+
+ Apache status for PT_LOAD now checks http://127.0.0.1/server-status on
+ GENERIC/DA servers. You need to ensure that the server-status page
+ has access from 127.0.0.1 in the apache server-status Location
+ container
+
+ Extended SU log file regex for Debian servers
+
+ Sanitise UI file edit HTML output
+
+ Improvements to the removal of alternative firewalls script
+
+ Added new options GLOBAL_DYNDNS, GLOBAL_DYNDNS_INTERVAL and
+ GLOBAL_DYNDNS_IGNORE which provide for retrieval of a global DYNDNS
+ list via URL
+
+ Improved firewall log lines detection for PS_INTERVAL and ST_ENABLE,
+ especially on Debian
+
+ Improved detection of already blocked IP addresses
+
+4.79 - Withdrawn
+
+4.78 - Modified DA installation to overcome permissions problems on some
+ systems preventing the UI from working
+
+4.77 - Expanded dovecot regex matching
+
+ Fixed the generic installation to install regex.custom.pm
+
+4.76 - Added check for FrontPage extensions to Server Check as they should be
+ considered a security risk as they were EOL in 2006
+
+ Added support for the impending cPanel v11.25 Security Tokens feature
+
+4.75 - Added a [block] section to the Login Failure alert.txt template.
This + new report template will be copied to /etc/csf/alert.txt.new on + existing installations, rename it to alert.txt to use it + + Modified existing lfd alerts to use currently used tags instead of + appending block information to the IP address (alert.txt modified as + above) + + Added new options trigger for RT_LOCALHOSTRELAY_* to csf.conf for + email sent via a local IP addresses, separating the trigger from + RT_LOCALRELAY_* which is now only for /usr/sbin/sendmail. See csf.conf + for more information + + Added Relay Tracking to Direct Admin running exim. See RT_* and + SMTPRELAY_LOG in csf.conf for more information + + Added csf.mignore to allow ignoring of specified usernames or local IP + addresses from RT_LOCALRELAY_ALERT + + Modified csf UI to use a single dropdown for all lfd ignore files + + Added proftpd regex matching for "UseReverseDNS on" in proftpd config + +4.74 - Removed FUSER from csf.conf as it is no longer used + + Added UNZIP to csf.conf which is required for Country Code to CIDR + functions + + Modified the Country Code allow/deny/allow_filter feature to generate + CC CIDRs from the Maxmind GeoLite Country database instead of using + iplocationtools.com. Note: GeoLite is much more accurate that the + previous zones used. This also means that there are usually more CIDRs + for each CC which adds to the burden of using this feature + +4.73 - Added checks before Net::CIDR:Lite calls to ensure inputs are CIDR's + to prevent module failures + + New feature - LF_CPANEL_ALERT. Send an email alert if anyone accesses + WHM via root. 
An IP address will be reported again 1 hour after the + last tracked access (or if lfd is restarted) + +4.72 - Modified mail sending code to use a common procedure that copes better + with differing combinations and variations of From:, To:, LF_ALERT_TO + and LF_ALERT_FROM settings for lfd alerts + +4.71 - Code speedups in csf --grep + + Added csf.allow and GLOBAL_ALLOW lookups during lfd blocking and note + added to alert if ip match found + + Modified Server Check for Fedora v9 EOL now that Fedora v11 has been + released + + Modified iptables output from csf.pl to exclude the Fedora v11 + intrapositioned negation messages + + Fixed typo in integrity.txt alert template for new installations + + Modified the email header for csf --mail + + Fix Relay Tracking from 127.0.0.1 to always report as a LOCALRELAY + + Modified lfd output filehandle names to avoid read/write conflicts + + Added Advanced Allow/Deny Filters for csf.dyndns. See readme.txt for + an example + + Added new option CC_ALLOW_FILTER as an alternative to CC_ALLOW where + only listed Country Codes are allowed, however normal port and packet + filter rules are still applied to those connections. All other + connections are dropped + +4.70 - Modified UI access to csf.sips to display checkboxes instead of direct + editing, for ease of use + + Fixed problem where RELAYHOSTS setting wasn't always being honoured + + Modified mod_security configuration editor to handle HTML elements + + Rewritten RT_*_ALERT regex and counting code to better deal with a + variety of exim log output formats + + Added recipient count to RT_*_ALERT to include emails sent to multiple + recipients. 
This option requires that the exim log_selector setting in + the exim configuration includes the option: +received_recipients + So, the recommended log_selector setting is now: + log_selector = +subject +arguments +received_recipients + + Modified Server Check cPanel version check to cater for x86_64 OS's + + Added check to prevent Server Check mail report cron duplicates + + Added abbreviated UI for mobile phone access to Quick Allow, Quick + Deny and Remove Deny. Direct URLs: + cPanel: https://1.2.3.4:2087/cgi/addon_csf.cgi?mobi=1 + DA: https://1.2.3.4:2222/CMD_PLUGINS_ADMIN/csf/index.html?mobi=1 + Webmin: https://1.2.3.4:10000/csf/?mobi=1 + +4.69 - Added Gentoo (generic) support + + Added Server Check for MySQL LOAD DATA LOCAL + + Modified Server Check for enable_dl to also check whether dl is in + disable_functions + +4.68 - Added ipv6 IP detection for proftpd login failures + + Removed ossec and webmin from the Server Check services section + +4.67 - Modified the Country Code allow/deny feature to use + iplocationtools.com now that ipdeny.com has gone offline + +4.66 - Modified OS version check to prevent Fedora v10 obsolete + false-positive in Server Check + + Modified the exim SMTP AUTH regex to use the latest cPanel/exim format + + Added failure notification for DYNDNS entry lookups in lfd if they + fail to resolve or timeout + +4.65 - Modified Firewall Security Level UI to set PS_LIMIT within range + + Fixed problem processing template for SU_ALERT + + Empty csf.dshield on upgrade to work around problem where DSHIELD + blocked themselves in their own BLOCK list + +4.64 - Removed SMTP_BLOCK warning on VPS servers where ipt_owner doesn't work + if SMTP_BLOCK isn't actually enabled + + Added new CLI option (csf -uf) which forces an update of csf+lfd + + Added new CLI option (csf -df) which removes and unblocks all entries + in /etc/csf.deny (excluding those marked "do not delete") + + Added new UI option to that removes and unblocks all entries in + csf.deny 
(excluding those marked "do not delete") and all temporary IP + bans + + Added csf file names to the csf UI options + +4.63 - New feature - Added new CLI option: csf --mail (or csf -m) which can + take an email address as an argument. It will display the Server Check + in HTML or send the output to the email address if present + + Added option to UI Server Check to schedule csf to generate the report + and email the results to the address specied at the interval specified + + Removed MySQL check from cPanel DNSOnly Server Check + + Updated the perl v5.8.8 Server Check comment + + Fixed sanity check for RT_*_BLOCK + + Fixed copy of install.txt for generic installs and upgrades + + Modified UI for Deny Servers IPs > Change to indicate that csf needs + restarting, not lfd + + Added built-in replacement function for the Messenger Service message + files for [HOSTNAME] which will be replaced by the servers FQDN + hostname. Updated the sample Messenger index templates + + Updated the uninstall scripts to remove the cronjob and logrotate + files + + Added colour highlights to the Quick Allow and Quick Deny UI boxes + +4.62 - Fixed problem with SU_ALERT alert report in v4.61 + + Modified the Server Check for cPanel update settings to check for + daily updates more accurately + + Added Server Check for cPanel tree + + Upgraded IP::Country + + New feature - Added sanity check to configuration values in csf, UI + Server Check and UI Firewall Configuration. 
In the UI Firewall + Configuration: lines highlighted in red fall outside the recommended + range; lines highlighted in pale green differ from the default on + installation + + Added cPanel Security Check to check that at least one configured + nameserver is on a different server + + Added proftpd checks to csf (for VPS servers) and in Server Check + + Added DirectAdmin Checks to UI Server Check for: SSL login to DA; + proftpd cipher; nameserver on a different server; PHP version and + configuration checks; Apache version; dovecot cipher + + Removed resolv.conf localhost check + +4.61 - Modified lfd iptables command error handling to log errors and + continue instead of terminating when in TESTING mode + + Removed loading of iptables modules from csftest.pl to avoid modprobe + problems with some OS kernels + + Added Connection Tracking check for pre-existing block to cater for + linux connection status timeouts + + Moved LF_CSF check to the start of the lfd processing interval + + New option LF_ALERT_FROM. If set, the value of this option will + override the From: field in all of the lfd alert templates. This + change also uses the 
From: field in the template (or this option if + set) as the value for the SENDMAIL -f option + + Modified POP/IMAP Server Checks for the chosen mail server only on + cPanel servers + + Modified FTP Server Checks for the chosen ftp server only on cPanel + servers + + Added SMTP Tweak to Server Check on cPanel servers and removed block + on csf starting if enabled + +4.60 - Modified cipher checks to strip out quotes + + Modified Apache cipher message to remoind that you have to rebuild the + Apache configuration and restart for changes to be effective + +4.59 - Added proftpd regex for Plesk server log file format + + Modifed the Server Check cipher checks for pure-ftpd and Apache to use + openssl to ensure SSLv2 is disabled + + Added cPanel Server Check checks for dovecot, courier-imap IMAP and + POP3D SSL cipher list + + New option SAFECHAINUPDATE added. If enabled, all dynamic update + chains (GALLOW, GDENY, SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, + ALLOWDYN) will create a new chain when updating, and insert it into + the relevant LOCALINPUT/LOCALOUTPUT chain, then flush and delete the + old dynamic chain and rename the new chain. See csf.conf for more + information. This option is disabled by default, but we do recommend + that it is enabled on non-VPS servers with restrictive numiptent + values + + Added SAFECHAINUPDATE to the firewall Server Check (except for + Virtuozzo VPS servers) + + Modified Server Check on cPanel to make the PHP v4 warning clear and + to warn where PHP v5 and v4 have both been compiled (PHP v4 is + obsolete and should not be used at all anymore) + + Added WHM checks for skipparentcheck and cpsrvd-domainlookup to + Security Check + + New option LF_ALERT_TO. 
If set, the value of this option will override + the To: field in all of the lfd alert templates + +4.58 - Modified exim cipher check in Server Check to use openssl to test the + expanded configured cipher suites to ensure SSLv2 is disabled + +4.57 - Improved exim configuration option detection in Server Check + + Added Exim Configuration checks to DirectAdmin Server Check + + Modified csftest.pl to perform a modprobe on all used iptables modules + before testing + + Added PASV port hole warning on VPS servers to the output of csf on + start and to the cPanel (if using pure-ftpd) Server Check + + Added lfd to the DirectAdmin Service Monitor + + Added back a revised Firewall Security Level option to UI + +4.56 - Added TCP_OUT port 2222 for the DA default configuration for new + installations + + Added ICMP protocol to Advanced Allow/Deny Filters. See readme.txt for + more information and examples + + Updated readme.txt to reflect the Control Panel UI availability for + cPanel, DirectAdmin and Webmin + + Modified mod_security configuration file check to the TLD only of + /usr/local/apache/conf/ and only files ending in .conf + +4.55 - Fixed issue with csf.conf not being loaded for the Server Check Report + + Removed erroneous chkconfig check from Server Check Report + + Disabled various checks in Server Check Report for non-cPanel servers + + Modified Debian/Ubuntu init entry creation and removal procedure + + Modified Server Check to search for multiple named.conf locations + +4.54 - Bug fix to Exploit Check code + + Fixed problem with iptables logs not being collated if PS_INTERVAL is + disabled but ST_ENABLE is enabled + + Fixed potential problem with SMTPRELAY_LOG not being scanned when + RT_RELAY_ALERT, RT_AUTHRELAY_ALERT or RT_POPRELAY_ALERT enabled + +4.53 - Upgraded the csf Webmin UI module to the new csf UI and added + installation/upgrade instructions to the install.txt for Webmin + + Fixed image locations and javascript in DA and webmin UI + + Updated the 
uninstall scripts and the uninstall section of install.txt + +4.52 - Reverted lfd signalling on cPanel servers to allow UI restarts of lfd + + Added warning in DA UI to upgrade csf from the root shell due to + restrictions in DirectAdmin + + NOTE: DA users should upgrade csf to this version from the root shell + using "csf -u" and not use the Upgrade button in the UI + +4.51 - Fixed csf --upgrade (csf -u) for DA installations + +4.50 - Added restrictions information regarding the PORTFLOOD setting and + ipt_recent to readme.txt (i.e. hit count max is 20) + + Modular development of csf UI + + Added DirectAdmin UI and installation support for csf/lfd + + Added Statistics options (ST_ENABLE, etc) to generic csf installation + + Added SMTP options (SMTP_BLOCK, etc) to generic csf installation + + Removed pre-configured firewall settings through UI for redevelopment + as it has become out-dated + + Modify csf UI to signal lfd to start/restart/enable only. A one + minute cron job will actually perform the signalled function. The CLI + is unaffected and performs the command immediately. This is introduced + to overcome fork issues from within an Apache session + +4.41 - Added information about runing external iptables commands using + csfpre.sh and/or csfpost.sh to readme.txt + + Added new CLI option csf --addrm (csf -ar) to remove an IP address + from csf.allow and delete the associated iptables rules + + Removed the need for the MONOLITHIC_KERNEL option and made modprobe + perform silently on csf startup. 
Added the relevant information + regarding some Monolithic kernels and the need for a PASV port range + hole to readme.txt + + Added timeout to csf modprobe to avoid startup hanging on buggy + kernels + +4.40 - Added workaround for php --info bug in Server Report when checking PHP + configuration settings + + Modified LF_INTEGRITY to regenerate the md5sum comparison file + immediately after a match is found instead of waitng for the next + cycle + + Fixed LF_INTEGRITY aborting if the temporary md5sum file is empty + +4.39 - Updated csf.conf to clarify that LF_PERMBLOCK_COUNT and + LF_NETBLOCK_COUNT with act if more than the number of hits are + detected, not on the exact number set + + Modified csf WHM UI to use csf -u to upgrade csf when a new version is + available + + Added new script /etc/csf/csftest.pl which will test the servers + iptables modules for functionality. The tests are for the required + iptables modules and the optional modules for the SMTP_BLOCK, + PORTFLOOD and MESSENGER features. This adds a useful diagnostic tool + for kernel/iptables problems and to check whether the features above + will function + + Added csf WHM UI option to run csftest.pl + + Updated the csf install.txt to run csftest.pl before running up csf + +4.38 - Improved detection of working ipt_owner iptables module on VPS servers + such that if ipt_owner does not work SMTP_BLOCK and UID/GID blocks + will be automatically disabled and csf will continue to start + +4.37 - Default setting for ICMP_OUT_RATE set to 0 - this is the recommended + setting for cPanel servers which use ping times to determine fastest + mirrors for various update functions + + Modified PT_LOAD_ACTION code to stop duplicate load emails from being + send by lfd + + Moved ETH_DEVICE_SKIP to the top of the INPUT/OUTPUT chains + + Allow enabling of SMTP_BLOCK and use of UID/GID advanced port filter + rules on VPS Servers for as ipt_owner is now apparently supported on + the latest kernels. 
However, if the latest kernel isn't being used or + the VPS host hasn't included the ipt_owner iptables module for the + client VPS, then csf will fail with an error + +4.36 - Modified Process Tracking to allow regex exceptions in csf.pignore for + deleted executable processes + +4.35 - Modified regex.pm detection of iptables kernel log lines to cater for + alternative formatting + + Restored the substitution of the NULL separator with spaces for the + /proc/PID/cmdline in Process Tracking + +4.34 - Added code to Process Tracking to translate non-printable characters to + especially help detect and report deleted executable file processes + + WARNING: Removed hard-coded exceptions for spamd, cpanellogd, cpdavd + and awstats.pl from lfd.pl. If you want to ignore such processes for + Process Tracking, you will need to add appropriate ignore rules to + csf.pignore for them + +4.33 - Disable ST_LOOKUP by default on new installations + + Modified lfd stats performance when ST_LOOKUP is enabled and added a + warning for this setting to csf.conf for when DROP_IP_LOGGING is + enabled + +4.32 - Modified the su tracking regex to better trap RHE/CentOS v5 su login + attempts + + Added a Server Check for "FTP Logins with Root Password" + + Added new WHM UI option to display Last X iptables Log Lines. Note + that the report will only display log lines since this update. The + new statistics will be expanded in future developments. Added new ST_* + options to the cPanel csf.conf to control the recording of stats + + Removed fwlogwatch from distro and will use self-produced reports + +4.31 - Added warning for those that enable PT_USERKILL in csf.conf - i.e. 
It + is not a good idea to use that option + + Modified PT_USERKILL to not kill (deleted) processes (these should be + restarted manually after investigation) as per the documentation + +4.30 - If you add the text "do not delete" to the comments of an entry in + csf.deny then DENY_IP_LIMIT will ignore those entries and not remove + them. Updated csf.deny information text for new installations + + Made the (deleted) process text even more explicit for those that are + not reading csf.conf or the FAQ for their explanation + + Updated DSHIELD information URL in csf.conf + + Added new feature - csf.rignore is an ignore file that lists domains + and partial domains that lfd should ignore. Read /etc/csf/csf.rignore + for more information + + Option GOOGLEBOT removed. This feature is now performed using + csf.rignore. If GOOGLEBOT was previously enabled it will be added to + csf.rignore + +4.29 - Added Slackware support (tested on v12.2.0) + + Added Fedora v10 support + + Added new option GOOGLEBOT - Prevent *.googlebot.com from being + blocked by lfd. See csf.conf for more information + + Added csf version from/to to output from csf --update when upgrading + +4.28 - Fixed GENERIC csf problem with csf.pl perl modules + +4.27 - New Feature - Port Flood Protection. This option configures iptables + to offer protection from DOS attacks against specific ports. This + option limits the number of connections per time interval that new + connections can be made to specific ports. See csf.conf and readme.txt + for more information. 
This option is only available on servers with + the ipt_recent kernel module + + cPanel DNSONLY compatibility added - Thanks to JJ for the assistance + + Improved Cipher suite checking and advice for Apache and FTP in Server + Check + + Remove md5sum check from JS exploit check as it is covered by + LF_INTEGRITY and causes confusion + + Added new option LOGFLOOD_ALERT which will send an email alert based + on logfloodalert.txt if lfd skips logs lines due to log file + processing problems + + Added new option PT_DELETED together with the FAQ explaination as to + why lfd reports deleted processes. The option can be disabled to + ignore such processes + + Rearranged LOCALINPUT and LOCALOUTPUT rule positions to allow + exceptions to SMTP_BLOCK + +4.26 - New Feature - Country Code to CIDR allow/deny. This feature can allow + or deny whole country CIDR ranges. The CIDR blocks are downloaded from + http://www.ipdeny.com/ipblocks/. For more information, see CC_ALLOW, + CC_DENY and CC_INTERVAL in csf.conf + + Expanded the dovecot regex to include more login failure permutations + + Added exe:/var/cpanel/3rdparty/bin/php to csf.pignore on cPanel + servers + + SMTP_ALLOWLOCAL set to 1 on new cPanel installations by default + +4.25 - Fixed bug in csf --grep when CIDRs used in advanced port filters + + Fixed problems with aborted Server Check Report + + Fixed position of the lo device rule in the OUTPUT chain which broke + SMTP_BLOCK + + Added new option SMTP_PORTS which is used by SMTP_BLOCK to block all + listed ports (not just port 25). This is populated on installation or + when TESTING = 1 if an additional port is listed in "WHM > Service + Manager > exim on another port". Otherwise, SMTP_PORTS needs to be + updated manually. 
The default setting contains port 25 + + SMTP_BLOCKs will now log if DROP_IP_LOGGING is enabled + +4.24 - Added workaround for issue with WHM image display in the addon header + for cPanel v11.24 + + *Added cPanel v11.24 FTP Anonymous Upload checks in Server Report + + *Added cPanel v11.24 FTP Cipher Suite checks in Server Report + + *Added cPanel v11.24 Apache Cipher Suite checks in Server Report + + *Added cPanel v11.24 Exim Cipher Suite checks in Server Report + + Added Fedora v8 to the obsolete OS list now that v10 is out + + Updated dovecot regex in regex.pm for v1.1.6 used by cPanel + + * Will only display if cPanel version is >= 11.24 + +4.23 - Added skip to connection and process tracking for empty tcp6 + connection data + + Fixed PT_LOAD email output of ps and vmstat + +4.22 - Additional fixes for an issue on VPS servers where temporary block + removal from csf.tempban failed + +4.21 - Fixed an issue on VPS servers where temporary block removal from + csf.tempban failed + +4.20 - Modified csf.tempban processing code in lfd to perform more stringent + file locking to preserve temporary bans if lfd is writing during + shutdown + + Modified Port Scan tracking of IP's to not attempt multiple blocks on + the same IP address in the same log line processing batch + + Fixed broken timestamp in lfd.log for dates < 10th of the month + + Various code modifications to improve performance and stability + +4.19 - Reverted the tied file changes as they were causing a deadlock + situation locking csf.tempban + + Improved the process tracking detection of deleted executables of + running processes + +4.18 - Modified temporary IP address storage to use a tied file to preserve + temporary bans if lfd is writing during shutdown + +4.17 - Replaced the use of backticks in csf, lfd and the WHM UI with calls to + IPC::Open3 + + Various lfd and csf code improvements and tidy up + + Ensure lfd parent dies cleanly on error + + Debug information improved and timer modified to use 
Time::HiRes for + more accuracy + +4.16 - Removed port 953 from the TCP and UDP allow lists for new csf + installations as it's not necessary to whitelist as bind listens on + the localhost device for such control connections by default + + Added exe:/usr/sbin/nsd, exe:/usr/libexec/dovecot/pop3-login, + exe:/usr/libexec/dovecot/imap-login to new and old cPanel + installations csf.pignore to cater for cPanel support for both nsd and + dovecot (currently in EDGE) + + Only use Cpanel::Rlimit if it's available in WHM UI + +4.15 - Fixed a problem in v4.* where use of GALLOW and ALLOWDYN was allowing + connections from blocked IP addresses in csf.deny or temporary blocks. + The GALLOW, GDENY and ALLOWDYN chains have been split into GALLOWIN, + GALLOWOUT, GDENYIN, GDENYOUT, ALLOWDYNIN and ALLOWDYNOUT to correct + this. Many thanks to Brian for his help in tracking this issue down. + +4.14 - Implemented the use of cPanel routine Cpanel::Rlimit to remove process + resource limit restrictions as the cPanel memory limitation setting + was causing the Server Check to abort with memory allocations problems + through WHM on some servers + + Modified port checking for 23 and 53 in Server Check to no longer use + the fuser binary and use the port mappings directly from /proc + + Modified lfd and Server Check to check for IPv6 bound processes as the + IPv4 and IPv6 connections are stored in a different file to IPv4 only + bound processes + +4.13 - Updated various comments in csf.conf + + Fixed call to csfpost.sh from csf + +4.12 - Modified lfd Login Failure tracking to use a per IP address rolling + LF_INTERVAL window rather than a static one for all tracked IPs. This + makes login failure counting more accurate and blocking more + responsive + + Added new feature - Block Reporting. lfd can run an external script + when it performs and IP address block following for example a login + failure. BLOCK_REPORT is to the full path of the external script. 
See + readme.txt for format details + + If csf is installed or upgraded via an SSH session the connecting IP + address will now be automatically added to csf.allow (note: it is not + added to csf.ignore so lfd may still block it). This IP can be removed + after testing if desired + + Modified the lfd.log format to the standard: + :: lfd[]: + If you parse lfd.log you will need to update your scripts! + + Added DEBUG option - for internal use only + +4.11 - Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore + for existing installations + + Modified the calculation for the position of LOCALOUTPUT in the OUTPUT + chain + + Added /etc/cron.d/lfdcron.sh to restart lfd daily + + Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3 + and exe:/usr/sbin/mysqld_safe to csf.pignore + + Modified SCRIPT_ALERT regex to cope with exim log format changes in + FC8+ + + As per RFC5322, adding port 587 to the default TCP_IN list of ports + for new installations (i.e. it is now recommended for SMTP servers to + offer port 587 access for MUA to MTA traffic rather than port 25 which + is for MTA to MTA traffic) + + Added informational text to Process Tracking email report if a process + is running an executable that has been deleted + + Added csf version to the daemon startup log line in lfd.log + +4.10 - Added /usr/libexec/hald-addon-keyboard to csf.pignore + + Modified the static DNS port rules to always allow all OUTGOING (only) + connections to/from port 53 udp/tcp. This should help the situation + where some servers iptables block outgoing port 53 udp connections + despite the port being open + + Added new option DNS_STRICT which will remove all static DNS rules and + allow access only through SPI. 
For stability reasons, it would be + advisable to leave this option disabled (default) + +4.09 - Modification to cPanel version to restart chkservd using + /scripts/restartsr_chkservd instead of the init script as the latter + is removed in the latest EDGE release that puts chkservd under the + control of tailwatchd (/scripts/restartsrv_chkservd is a stub for + restarting tailwatchd in the latest EDGE instead of a direct restart + script in older cPanel versions). chkservd is restarted when csf + is installed/uninstalled/upgraded/disabled/enabled + +4.08 - Added a new timing system to more accurately trigger lfd tasks. This + should alleviate timing issues such as those seen with LT_POP3D and + LT_IMAPD and improve the overall effectiveness and performance of lfd + + Added new method for reaping child processes. If you find that zombie + lfd processes start to build up you can revert to the old reaper by + enabling new option OLD_REAPER + +4.07 - Messenger service now supports advanced filter permanent port block + redirection + +4.06 - Moved the GALLOW, GDENY, SPAMHAUS, DSHIELD and DYNDNS rules to the + LOCALxxPUT chains so that the entries can be correctly listed with + ACCEPT's at the top and DENY's at the bottom of the chain + + Repositioned the cPanel Bandmin acctboth rule entry in the INPUT and + OUTPUT chains so that bandwidth accounting is kept accurate + + Fixed a problem processing advanced port filters in GLOBAL_ALLOW and + GLOBAL_DENY + +4.05 - Moved resolver ACCEPT rules to the top of the INPUT and OUTPUT chains + +4.04 - Fixed problem with rule placement for ETH_DEVICE_SKIP + + Ensure all ALLOW requests are inserted before DENY requests after csf + has been restarted + + Ensure that fwlogwatch stats creation uses IPTABLES_LOG file + + Only perform operations on the nat table if MESSENGER service is + enabled + + lfd Process Tracking will now ignore MESSENGER_USER messenger services + + Added new option PT_ALL_USERS so that all Linux accounts on a 
cPanel + server are checked in Process Tracking, not just cPanel users. This + option is disabled by default on cPanel servers. Enabling this option + may require adding exceptions to csf.pignore + + Additional exceptions added to csf.pignore for cPanel servers for the + new PT_ALL_USERS option + + PT_SKIP_HTTP now disabled by default for new installations + + Added PT_ALL_USERS and PT_SKIP_HTTP checks to the WHM Server Check + +4.03 - Fixed problem where the new LOCALxxPUT chains were only processing tcp + requests + + Fixed problem with insertion of SMTP_BLOCK rules exceeding the rule + count in the OUTPUT chain under certain circumstances + +4.02 - If csf fails with an error lfd will now die and require a restart + after the issue with csf is resolved. csf commands apart from start + and restart are also disabled + + Released from BETA + +4.01 - Allow the Messenger Service to be used on VPS servers. However, if the + ipt_REDIRECT module is missing csf will fail to start correctly and + abort + + HTML Messenger service server now only reads a limited line length + instead of unlimited input to prevent overflows + +4.00 - New feature - Messenger Service. This feature allows the display of a + message to a blocked connecting IP address to inform the user that + they are blocked in the firewall. This can help when users get + themselves blocked, e.g. due to multiple login failures. The service + is provided by two daemons running on ports providing either an HTML + or TEXT message. See csf.conf and readme.txt for more information + (not available on VPS platforms and others missing the ipt_REDIRECT + kernel module) + + Moved INPUT and OUTPUT chain rules for blocks and allows to their own + respective chains LOCALINPUT and LOCALOUTPUT. 
This means that no IP + blocks will be listed in the INPUT or OUTPUT chains, but in the new + ones + + Re-organised all of the INPUT and OUTPUT chain rules to give + precedence to the LOCALINPUT rules before invoking other chains and + port ALLOW rules + + Moved the SYNFLOOD protection chain rule to be the first chain rule + after the LOCALINPUT chain rule + + Moved the lo device rules to the always be at the top of the INPUT and + OUTPUT chains + + Modified the syslog regex matches to only match on local entries to + cope with centralised syslog configurations + +3.43 - Improved application IP block checking + + Restored the option LF_SCRIPT_PERM with additional checks for + directories within the cPanel homedirs and for symlinks. Warning + added to csf.conf for this option + + Added random query-source port setting for BIND to the Server Report + +3.42 - Corrected information for LF_TRIGGER_PERM in the generic csf.conf to + be the same as the cPanel csf.conf + + If LF_SELECT is enabled make sure all cPanel ports are blocked on + cpanel login failure. This was only doing ports 2082,2083 and will now + block 2082,2083,2086,2087,2095,2096 + +3.41 - Added new mechanism to allow custom regular expression matching with + individual settings for lfd login failure detection. See + /etc/csf/regex.custom.pm for details + + Modified all timestamps in lfd reports to also include the standard + timezone offset (i.e. from GMT) + + Added new setting CC_LOOKUPS to control the new Country Code lookups + (enabled by default) + + DROP_IP_LOGGING automatically disabled if PS_INTERVAL is enabled + + PS_INTERVAL enabled by default on new installations + + Doubled the number of lines before log file flooding detection will be + triggered + +3.40 - Added queuealert.txt to the WHM UI dropdown list for editing + + Clarified in csf.conf that setting LF_QUEUE_ALERT to 0 disables the + check + + Added Country Code lookups for IP addresses. 
Any reported IP addresses + will include the international CC where available. It should be noted + that with international ISPs this may not be wholly accurate. Where + possible the CC will be translated into the associated country name + +3.39 - Added new option IGNORE_ALLOW which, if enabled, lfd will ignore IP + addresses listed in the csf.allow file and not block them + + Added new option LF_QUEUE_ALERT, which will send an email alert using + queuealert.txt if the exim queue length exceeds the value it is set + to. The check is repeated every LF_QUEUE_INTERVAL seconds. If the + ConfigServer MailScanner configuration is being used, both the + MailScanner pending and exim delivery queues will be checked. This is + a cPanel only option + + Added new option CT_PORTS to Connection Tracking so that you can + specify which ports you want to count towards CT_LIMIT, e.g. 80,443 + + Modified Server Report check for register_globals in cPanel's php.ini + incase the new cPanel WHM setting is being bypassed + +3.38 - Additional SSHD regex added to regex.pm + + Improved the WHM UI reporting of the csf status: disabled, running, + testing mode + + Added Enable/Start buttons to WHM UI next to the csf status if + disabled/stopped + + Updated Server Report checks for csf status + + Changed the destination of the ConfigServer Services link at the + bottom of the WHM UI to go to the csf web page + +3.37 - Fixed an issue currently in cPanel EDGE that affects the use of the + cPanel SafeFile module in WHM scripts + +3.36 - Increased the IP lookup timeout for reported IP's from 5 to 10 seconds + + Improved lfd internal timing system for event triggers + + Added new feature - Account Tracking. The new AT_* options configure + an alert system for account modifications which will send an email if + there are new accounts added, existing accounts deleted plus password + uid gid login dir and login shell changes. Each of these changes can + be enabled or disabled. 
You can also enable tracking for superuser
+ accounts only. That latter is the default setting. This feature uses
+ the email template accounttracking.txt
+
+ Added reason text to temporary IP bans
+
+ Added Server Report check for ini_set in PHP disable_functions
+
+ Added ossec to list of processes to disable as it will conflict and
+ duplicate csf functionality
+
+ Changed Server Check scoring text to instead show a coloured table
+ indicating score
+
+3.35 - Changes to WHM UI script for cPanel v11
+
+ Removed cPanel v10 backported WHM UI settings, i.e. v10 no longer
+ supported
+
+ Added # of temp blocks to WHM UI "Temporary IP Bans" on main page
+
+ Modified Server Report check for register_globals in cPanel's php.ini
+ to use the new cPanel WHM setting
+
+ Added Server Report check for passwords in WHM email setting
+
+ Added Server Report check for WHM root/reseller login to users cPanel
+
+ Modified Server Report nobody cron check to only fail on non-zero cron
+ file
+
+ Modified Server Report check for Fedora now that Fedora 7 is EOL
+ (2008-06-13)
+
+ Added new option DYNDNS_IGNORE to ignore DYNDNS entries when lfd
+ blocking
+
+3.34 - Modified regex matching to allow for trailing spaces in log lines
+
+ Modified PT_LOAD routine to prevent multiple triggers resulting in
+ more than one alert being email sent
+
+ Removed the need for NETSTAT from lfd to reduce overheads and improve
+ performance allowing CT_INTERVAL to be set lower. Now uses
+ /proc/net/[protocol]
+
+3.33 - Modified skip for su login checking from root to cater for (uid=0)
+
+ Added option SYNFLOOD_BURST to allow configuration of --limit-burst
+ when SYNFLOOD is enabled.
Changed default values
+
+ Added to --grep searches to csf.deny and temporary blocks in addition
+ to iptables
+
+ Modified SSH regex to improve login failures detection further
+
+ Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations
+
+ Added vsftpd regex for ftp login failures
+
+3.32 - Modified SSH regex to check for ipv6 addresses
+
+ Added another regex to improve SSH matching
+
+3.31 - Modified -denyrm to abort if left blank instead of clearing all blocks
+
+ Added lfd check for existing temporary block to avoid duplicates
+
+ Fixed regex handling for courier-imap POP and IMAP login failures
+
+ Added --full-time to the ls command for LF_DIRWATCH_FILE. If you use
+ this option, LF_DIRWATCH_FILE will likely trigger due to the changed
+ output the first time you restart lfd after upgrading
+
+ Fixed typo in Suhosin description in the Server Check Report
+
+ Added Referrer Security to the Server Check Report
+
+ Added register_globals check in cPanel php.ini to Server Check Report
+
+3.30 - Security Fix: lfd vulnerabilities found which could lead to Local and
+ Remote DOS attacks against the server running csf+lfd
+
+ The DOS attacks could make lfd block innocent IP addresses and one
+ attack could cause lfd to deplete server resources
+
+ Modified the regular expressions in regex.pm to prevent them from
+ being triggered by spoofed log line entries
+
+ Option LF_SCRIPT_PERM removed
+
+ Our thanks to Jeff Petersen for the detailed information describing
+ these issues
+
+ We recommend that all users of csf upgrade to this new version
+
+3.28 - Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke
+ login tracking
+
+ Modified relay tracking to not ignore RELAYHOST IP's
+
+ Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IP's
+
+ LF_SUHOSIN will now skip matches for "script tried to increase
+ memory_limit"
+
+3.27 - Modified csf -dr option to delete advanced filter IP matches as well
+ as simple matches in csf.deny
+
+3.26 -
Added new CLI option to csf, -g --grep will search the iptables chains
+ for a specified match which is either explicit or part of a CIDR
+
+ Added WHM UI option for csf --grep
+
+ Added new CLI option to csf, -dr --denyrm will remove an IP address
+ from csf.deny and unblock it
+
+ Added WHM UI option for csf --denyrm
+
+3.25 - Added csf.suignore file where you can list usernames that are ignored
+ during the LF_EXPLOIT SUPERUSER test
+
+ New option PT_LOAD_ACTION added that can contain a script to be run if
+ PT_LOAD triggers an event. See csf.conf for more information
+
+ Added SUPERUSER check to Server Check Report
+
+ Added Suhosin check to Server Check Report
+
+3.24 - Allow comments after IP addresses in csf.dyndns
+
+ Added new login failure option LF_SUHOSIN which detects alert messages
+ and blocks the attacker IP after the configured number of matches
+
+ Added a new exploit check for non-root superuser accounts
+
+ Added a new configuration option LF_EXPLOIT_CHECK which allows you to
+ configure which tests are performed by LF_EXPLOIT
+
+3.23 - Modified the Server Report code for checking PHP variables to be more
+ lenient when checking the output from /usr/local/bin/php -i
+
+ Modified lfd calculation of Jiffies to use the POSIX::sysconf function
+ to obtain the clock ticks instead of assuming 100 ticks for Linux
+
+ Fix duplicate LF_INTEGRITY emails
+
+3.22 - Changed DROP_IP_LOGGING logging advice in csf.conf to NOT use this
+ setting if you use Port Scan Tracking as it will cause redundant
+ blocks
+
+ Added tag [hostname] to all of the alert reports.
You will need to add
+ this manually to the report text Subject: line (or anywhere else in
+ the report that you would like it) for existing installations
+
+ Added "A note about FTP over TLS/SSL" to readme.txt
+
+3.21 - Fixed problem in Server Check that caused an error in some situations
+
+ Modified netblock caching code to prevent repeated block attempts
+
+3.20 - Corrected net block logic so that after a net or perm block occurs,
+ subsequent log entries that would incur the same block are ignored
+
+3.19 - New feature - LF_PERMBLOCK. Permanently blocks IP addresses that have
+ had X temporary blocks in the last Y seconds. Uses email template
+ permblock.txt
+
+ New feature - LF_NETBLOCK. Permanently blocks network classes (A, B or
+ C) if more than X IP addresses in a specified class have been blocked
+ in the last Y seconds. This may help within some DDOS attacks launched
+ from within a specific network class. Uses email template netblock.txt
+
+ Modified MD5SUM comparision code to better reset md5sum checks after a
+ hit
+
+ Only issue Random JS Tookit warning if all the MD5SUM checks fail for
+ the relevant files
+
+ Removed POP flood Protection setting check from Server Report as it's
+ no longer relevant to courier-imap
+
+ Rewritten the Apache Check code for the Server Report to better
+ detect the current running settings on all Apache and PHP versions
+
+ Don't check Apache RLimitCPU/RLimitCPU limits on VPS servers as they
+ aren't relevant (as they apply to the host VPS configuration) for the
+ Server Report
+
+3.18 - Fixed bug in the generic csf release where the default csf.conf was
+ missing the DROP, CT_STATES and GLOBAL_IGNORE settings - Thanks to Jim
+ for the help in tracking the issue down
+
+3.17 - Rewritten the update code so that a new csf.conf is creating when
+ upgrading. It now uses the latest csf.conf and transfers the existing
+ settings to the new configuration file.
This way all installations are
+ sure to have all new settings and the latest comments. It also makes
+ the release process for new builds much simpler
+
+ Other installation/update improvements
+
+ Updated APF/BFD removal procedure
+
+3.16 - Fixed bug introduced in v3.14 for generic installation only
+
+3.15 - Auto-whitelist all DNS traffic to/from IPs in /etc/resolv.conf
+
+ Modified csf.conf text for new installations to account for
+ auto-configuration of ETH_DEV which has been the case for some time:
+
+# By default, csf will auto-configure iptables to filter all traffic except on
+# the local (lo:) device. If you only want iptables rules applied to a specific
+# NIC, then list it here (e.g. eth1, or eth+)
+ETH_DEVICE = ""
+
+# If you don't want iptables rules applied to specific NICs, then list them in
+# a comma separated list (e.g "eth1,eth2")
+ETH_DEVICE_SKIP = ""
+
+3.14 - Added new format for cPanel (v11.18.3) login failures to regex.pm
+
+ Added exe:/usr/libexec/gam_server to the default list of ignored
+ binaries
+
+ Fixed problem with SCRIPT_ALERT not picking up alternative /home
+ directories from wwwacct.conf
+
+3.13 - Added new option DENY_TEMP_IP_LIMIT which limits the number of IP bans
+ held in the temporary IP ban list to prevent iptables flooding. If the
+ limit is reached, the oldest bans will be removed/allowed by lfd on
+ the next unblock cycle regardless of remaining TTL for the entry
+
+ Added LF_FLUSH for the flush interval of reported usernames, files and
+ pids so that persistent problems continue to be reported.
Default is
+ set to the previously hard-coded value of 3600 seconds
+
+ Fixed uw-imap ipop3d regex
+
+ Added check for TESTING mode when using csf -a or csf -d to only add
+ to the respective csf.allow or csf.deny files and not insert into
+ iptables to prevent errors if iptables has been flushed after reaching
+ TESTING_INTERVAL
+
+3.12 - Added SMTP AUTH failure regex for Kerio MailServers
+
+ Fixed an issue where a permanent Port Scanning alert would report as
+ a temporary block, eventhough a permanent block was performed
+
+ Added regex for failed SSH key authentication logins (thanks to Paul)
+
+3.11 - Use /proc for Process Tracking instead of ps output incase of
+ exploited system binaries and to better determine resource usage of
+ each process
+
+3.10 - Modified INPUT and OUTPUT chain rules to always specify the ethernet
+ device
+
+ csf now re-applies temporary IP blocks on restart
+
+ Added new CLI command to add temporary IP bans. See csf -h for the
+ new csf -td command
+
+ Added new options to WHM csf UI to unblock temporary IP bans
+
+ Added new option to WHM csf UI to block IP temporarily for a specified
+ TTL
+
+3.09 - Fixed missing copy for the portscan.txt report for generic
+ installations
+
+ Added new option PS_EMAIL_ALERT to enable/disable Port Scan Tracking
+ email alerts
+
+ Added a sample of the port blocks that trigger the Port Scan to the
+ report.
This new report will be copied to /etc/csf/portscan.txt.new on
+ existing installations, rename it to portscan.txt to use it
+
+ Added Port Scan Tracking to WHM UI Firewall Security Level
+
+ Added cPAddon update email setting check to Server Security Report
+
+ Modified the SuEXEC link location to the cPanel v11 location in Server
+ Security Report
+
+ Added portscan.txt template to editable list in WHM UI
+
+ Updated readme.txt
+
+3.08 - Modified Port Scan Tracking to ignore blocked IP addresses incase
+ DROP_IP_LOGGING is enabled
+
+3.07 - Added Apache Server Status report to PT_LOAD for load average report
+ monitoring. To benefit from this feature you will need to rename the
+ new report file /etc/csf/loadalert.txt.new to loadalert.txt. The
+ reports (ps, vmstat and apache) are now included as MIME attachments
+ in the email report instead of inline text
+
+ New feature: Port Scan Tracking. This feature tracks port blocks
+ logged by iptables to syslog. It can help block hackers attempting to
+ scan the server for open ports, or to block them while trying to
+ access blocked standard ports, e.g. SSH. See csf.conf for more
+ information
+
+ Upgraded the urlget module
+
+3.06 - Added System Exploit Checking. This enables lfd to check for the
+ Random JS Toolkit and may check for others in the future:
+ http://www.cpanel.net/security/notes/random_js_toolkit.html
+ It compares md5sums of the binaries listed in the exploit above for
+ changes and also attempts to create and remove a number directory. The
+ open is enabled by default. The report is generated from the
+ exploitalert.txt template file
+
+3.05 - Added perl regex checking to csf.pignore with the new options puser,
+ pexe and pcmd.
Text added to csf.pignore for new installations:
+
+# Or, perl regular expression matching (regex):
+#
+# pexe:/full/path/to/file as a perl regex[*]
+# puser:username as a perl regex[*]
+# pcmd:command line as a perl regex[*]
+#
+# [*]You must remember to escape characters correctly when using regex's, e.g.:
+# pexe:/home/.*/public_html/cgi-bin/script\.cgi
+# puser:bob\d.*
+# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
+
+3.04 - Added two new options ICMP_IN_RATE and ICMP_OUT_RATE which allow you
+ to set the incoming and outgoing ICMP rate limits independently, or to
+ disable rate limiting in either direction completely for ICMP packets
+
+3.03 - Modified LF_DIRWATCH_FILE to use the output from "ls -lAR" instead of
+ "ls -laAR"
+
+ Modified rules so that only icmp ping is blocked and all other icmp
+ packets allowed if ping disabled in csf configuration. This may well
+ help improve iptables performance if ping was disabled
+
+ Added rate-limiting for all icmp packets to prevent inbound flooding
+
+ New option SYNFLOOD configures iptables to offer some protection from
+ tcp SYN packet DOS attempts. SYNFLOOD_RATE sets the inbound packet
+ rate per IP so the option can be tailored
+
+ Added SYN flag checking of state NEW tcp connections if PACKET_FILTER
+ is enabled. NEW tcp connections should always starts with a SYN
+
+ Moved PACKET_FILTER rules to their own iptables chain called INVALID
+
+ Fixed issue where some drops were not logging when logging enabled
+
+ Added hourly flush interval of reported usernames, files and pids so
+ that persistent problems continue to be reported
+
+ Added RELAYHOSTS and SYNFLOOD to Firewall Security Level in UI
+
+3.02 - Modified the text comments at the top of csf.allow for new installs:
+
+# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
+# can still be blocked.
If you do not want lfd to block an IP address you must
+# add it to csf.ignore
+
+ Removed RELAYHOSTS check from Server Check report
+
+ Don't show SMTP_BLOCK check if on a VPS in Server Check report
+
+ PT_USERKILL, if set, will now also kill user processes that exceed
+ PT_USERPROC
+
+ Fixed problem where csf.tempusers was not being cleared down on an lfd
+ restart
+
+ Added two new csf command line options to flush IP's from the
+ temporary ban list: -tr -tf (see csf -h for more information)
+
+3.01 - Tightened DNS port configuration restrictions as the old rules were
+ being catered for by iptables connection
+
+ Added Kerio Mailserver POP3/IMAP regex's
+
+3.00 - Added progress information to LWP downloads within csf
+
+ Added numiptent checking for VPS servers. csf will flush iptables and
+ lfd will stop blocking IP's if numiptent is nearly depleted. This
+ should help prevent VPS lockouts due to insufficient server
+ resources. If this happens, you will either need to reduce the number
+ of iptables rules (e.g. disable Block List usage) or have the VPS
+ provider increase numiptent. A value of ~700-1000 should be fine for
+ most SPI firewall applications with full Block List configuration
+
+ Added support for the BOGON List (Block List) with LF_BOGON -
+ http://www.cymru.com/Bogons/
+ See link and csf.conf for more information
+
+ Fixed problem with RELAYHOSTS not working
+
+ Removed use of the replace binary
+
+2.95 - Reduced memory overhead and added large file skipping for LF_DIRWATCH
+
+ Improved performance of LF_DIRWATCH trigger checks
+
+ Fixed problem with LF_SELECT temporarily blocking outbound access on
+ all ports.
Now now only the relevant inbound only port(s) will be
+ blocked if triggered
+
+2.94 - Fixed linux line-endings in some configuration files from v2.93 -
+ doesn't affect existing installations
+
+2.93 - Improved mod_security v2 regex for filter triggers
+
+ Added MySQL v5 check
+
+2.92 - Improved the cPanel version check for < v11 and whether up to date
+
+ Added new CLI option -t (--temp) which lists the temporary IP bans and
+ the TTL before the IP is flushed from iptables
+
+ Added "View Temporary IP Bans" to WHM UI
+
+ Changed WHM UI lfd Log auto-refresh default to unchecked
+
+ Added regex for dovecot "Aborted login" messages in /var/log/maillog
+
+ Added support for displaying mod_security v2 logs in WHM UI
+
+2.91 - Added Fedora Core v6 to the obsolete OS check
+
+ Added php v4 check
+
+ Added apache v2.2 check
+
+ Added Perl v5.8.8 check
+
+ Added cPanel v11 check
+
+ Modified Sys::Syslog use to utilise the ndelay and nofatal options
+
+ Added new option GLOBAL_IGNORE which makes lfd ignore IP's listed in
+ a globally located ignore file
+
+ Added new option CT_STATES to Connection Tracking so that you can
+ specify which connection states you want to count towards CT_LIMIT,
+ e.g.
SYN_RECV
+
+2.90 - Ensured that Process Tracking doesn't affect processes running under
+ root
+
+ Added /usr/local/cpanel/bin/cpwrap to the csf.pignore file for new and
+ existing installations
+
+ Added Apache v2 checks to Server Checks Report
+
+ Removed mod_evasive from Server Checks Report as it appears to be less
+ relevant, especially with Apache v2
+
+2.89 - Fixed the csf webmin module
+
+ Added updates to the webmin module
+
+ Completely removed use of cat in the WHM module and wget/cat from the
+ webmin module
+
+2.88 - Fixed typo in csf.conf for new installs LF_LOAD -> PT_LOAD
+
+ Modified the courier IMAP and POP3D regex's to include connections
+ over SSL in lfd
+
+ Modified lfd to ignore cpdavd processes
+
+ Modified the cPanel regex's to include cPanel v11 variants in lfd
+
+2.87 - Fixed duplication of settings during generic configuration upgrade
+ procedure
+
+ Only display version confirmation update message when running csf -u
+ interactively (Thanks to Brian Coogan for the perl tip)
+
+ Fixed issue with temporary files not being truncated before being
+ written to, which caused problems e.g. with global allow/deny files
+
+ Added new option CT_SKIP_TIME_WAIT to exclude TIME_WAIT state from
+ connection tracking
+
+ Updated the csf webmin module to use the &ReadParse() routine to
+ overcome problems when running through SSL (Thanks to Tim Ballantine
+ for this tip)
+
+2.86 - Added regex for SSH on Debian v4 and for "Failed keyboard-interactive"
+ on RedHat
+
+2.85 - Fixed a problem with v2.84 which broke permanent IP blocking in lfd -
+ it's been a long week :-/
+
+2.84 - Fixed problem with permanent LF blocks in lfd for individual
+ application port blocks when set to permanent
+
+ Added new SYSLOG option to csf.conf to allow additional lfd logging to
+ SYSLOG (requires perl module Sys::Syslog)
+
+ Added a minimum to LF_DSHIELD and LF_SPAMHAUS ip block lists refresh
+ interval of 3600 to prevent getting yourself blocked!
+
+2.83 - Fixed broken Server Check from v2.82
+
+2.82 - Fixed a documentation for LF_TRIGGER_PERM
+
+ Fixed issue where RT_[relay]_ALERT set to "0" was being ignored
+
+ Fixed condition from v2.80 which prevented SCRIPT_ALERT from working
+
+ If killproc.conf does not exist the Server Check now links to the
+ Background Process Killer page instead of issuing a file missing error
+
+2.81 - Added exe:/usr/local/cpanel/cpdavd to csf.pignore
+
+ Added option to disable refresh in WHM csf UI when viewing lfd.log
+
+ Removed debug code that prevented IP blocking -- oops
+
+2.80 - Added new lfd feature - Relay Tracking. This allows you to track email
+ that is relayed through the server (cPanel only). It tracks general
+ email sent into the server, email sent out after POP before SMTP and
+ SMTP_AUTH authentication, local email sent from the server (e.g. web
+ scripts). There are also options to send alerts and block IP addresses
+ if the number of emails relayed per hour exceeds configured limits.
+ The blocks can be either permanent or temporary. Currently blocking
+ does not function for LOCALRELAY email.
+
+ Introduced a new blocking mechanism in lfd that allows a choice of
+ permanent or temporary IP blocking. See csf.conf (LF_TRIGGER_PERM) for
+ details on how to configure the various blocking options to use
+ temporary instead of permanent blocks, e.g.
for Login Failure blocking
+
+ Modified new installations to default to using seperate triggers for
+ login failures, instead of the global LF_TRIGGER value
+
+2.79 - Bug fixes
+
+ Added ACCEPT rule to 127.0.0.1:25 for the "cpanel" user if SMTP_BLOCK
+ is enabled for the new cPanel Webmail configuration in v11
+
+ Added new configuration option DROP that allows you to choose the drop
+ target for rejected packets (see csf.conf for more information)
+
+ Remove /etc/cron.d/csf_update on uninstall
+
+2.77 - Closed vulnerability with temporary file checking
+
+ Tighted log file regex's to prevent spoofed remote IP block attacks
+
+2.76 - Improved file checking in Server Check script to prevent WHM failures
+
+2.75 - Modified Server Check to only look at pure-ftpd settings if installed
+
+ Simplified throttling mechanism
+
+
+2.74 - Modified PHP Server Checks to use the php binary output instead of
+ trying to find the active php.ini file
+
+ Added PHP Server Check for register_globals
+
+ Improvements to the Server Check code
+
+ Fixed bug in TCP port 23 check in Server Check
+
+ Added new option --check (-c) to check whether the installed verison
+ of csf is the latest, no update is performed
+
+ Added multiple csf configuration checks to the Server Check report
+
+ Added throttling to LF_INTEGRITY and increased the timeout
+ proportionally
+
+2.73 - Modified SMTP_BLOCK warning on VPS servers to only display if the
+ option is enabled
+
+ Modifed the Server Services Check text to omit using -del with
+ chkconfig and better explain that a process is enabled even if it is
+ not currently running and needs to be disabled to prevent startup on
+ boot
+
+ Removed reliance on wget for updates and version checks
+
+ Coding improvements in csf.pl and addon_csf.cgi
+
+ Added /var/log/lfd.log tail automatic refresh to WHM UI
+
+2.72 - Fixed problem with DENY_IP_LIMIT not counting all IP entries in
+ csf.deny correctly
+
+ Ignore and issue a warning if SMTP_BLOCK is enabled on a
Vituozzo VPS
+ since the Virtuozzo VPS kernel does not support ipt_owner
+
+ Remove Shell/Fork Bomb Protection check in Server Check as the option
+ breaks a Virtuozzo VPS if enabled
+
+ Added more processes to check in Server Services Check
+
+ Removed restriction on outbound source port rule construction
+
+2.71 - Added CSS settings to support pre-v11 cPanel installations
+
+2.70 - Modified to adopt cPanel v11 WHM theme
+
+ Added ports 2077 and 2078 (cPanel WebDAV server) to csf.conf for new
+ installations for v11 cPanel
+
+ Added FC5 to the list of (or soon to be) unsupported OS's
+
+ Fixed LF_SMTPAUTH not correctly being set to LF_FTPD when upgrading
+
+2.69 - Added back LF_DIRWATCH_DISABLE functionality securely. Fixed bug where
+ a suspicious directory would not be removed
+
+ Added perl module check for File::Path
+
+ Added path configuration to tar and chattr in csf.conf
+
+ Added new option LF_SMTPAUTH which checks for SMTP AUTH exim login
+ failures. When upgrading the new setting will be set to whatever you
+ have LF_FTPD set to
+
+2.68 - Security Fix - If you have LF_DIRWATCH_DISABLE on then this can lead
+ to arbitray code being executed in the context of the user running lfd
+ , i.e. root. This option has been disabled in the code until further
+ notice. You will have to manually remove any reported files.
+
+ Tightened csf file ownerships on installation
+
+2.67 - Security fix - A major security issue has been found in the
+ LF_DIRWATCH code that can lead to arbitrary code being executed in the
+ context of the user running lfd, i.e. root, if that option is enabled
+ and a hacker has access to create a crafted filename in one of the
+ watched directories. This update closes this hole.
+
+ *ALL INSTALLATIONS SHOULD BE UPGRADED ASAP TO AVOID POTENTIAL
+ EXPLOITATION*
+
+2.66 - Modified LF_CPANEL text in csf.conf for new installations to reflect
+ the change in the SSL login handling by cPanel (i.e.
it does now log
+ SSL login IP's)
+
+ Modified the log line monitoring in lfd to cope with log line flooding
+ to prevent looping/excessive resource usage. Also recoded without the
+ use of the POSIX routines
+
+ lfd process name now shows which log file it is scanning
+
+2.65 - New Feature: System Integrity Checking. This enables lfd to compare
+ md5sums of the servers OS binary application files from the time when
+ lfd starts. If the md5sum of a monitored file changes an alert is
+ sent. This option is intended as an IDS (Intrusion Detection System)
+ and is the last line of detection for a possible root compromise. See
+ csf.conf for more information
+
+2.64 - Modified lfd check for rotated system logs to re-open a log file if
+ logs are emptied instead of rotated
+
+2.63 - Added regex support for uw-imap (imap and pop3) login failures
+
+ Added regex support for proftpd login failures
+
+ Timeout version check incase version server is unavailable
+
+2.62 - Fixed CIDR support issue with csf.ignore only recognising the first
+ listed entry
+
+2.61 - Fixed problem with lfd not being killed by /etc/init.d/lfd
+
+2.60 - Added log file locations to csf.conf
+
+ openSUSE v10 compatible (generic)
+
+ Debian v3.1 (sarge) compatible (generic)
+
+ Unbuntu v6.06 LTS compatible (generic)
+
+ Added installation check for the LWP (libwww-perl) perl module
+
+ Ran spell checker against the readme.txt file
+
+2.59 - Fixed mod_security report not displaying if only 1 entry
+
+2.58 - Tweaked the mod_security entry layout
+
+2.57 - New feature: WHM UI mod_security v1 display last X entries in the
+ audit_log
+
+ New feature: WHM UI mod_security v1 edit files or directories in
+ /usr/local/apache/conf/ that are prefixed with modsec or mod_sec
+
+ Tweaked the pre-configured Firewall Security Level settings
+
+2.56 - Fixed v2.55 fix for non-EDGE versions
+
+2.55 - Fix to to support current EDGE in csf WHM UI
+
+2.54 - Tightened the mod_security v1 regex after the changes in v2.52
+
+2.53 - Modified Server Check to reflect withdrawn FedoraLegacy support for
+ FC3 and FC4 which should now be considered insecure
+
+2.52 - Separated the log file regex's into regex.pm for those feeling brave
+ to tailor them for non-cPanel servers
+
+ Unified installer for cPanel and non-cPanel installations - so that
+ only install.sh needs to be run (checks for the existence of:
+ /usr/local/cpanel/version
+ If you install on a server intending to use cPanel before cPanel is
+ installed, run the install.cpanel.sh script instead
+
+ Added mod_security v2 regex when running Apache2 to lfd
+
+ Added [iptext] tag for connectiontracking.txt to list all the
+ connections of an offending IP. Add this manually for existing
+ installations
+
+2.51 - Major Enhancement: csf+lfd can now be installed and used on a generic
+ Linux OS without cPanel using install.generic.sh - see readme.txt for
+ more information
+
+ PF INVDROP entries made bi-directional if PF logging enabled (reduces
+ the number of INVDROP LOG rules by half)
+
+ Fixed Process Tracking throttle control to correctly use PT_INTERVAL
+
+2.50 - Removed option ALLOW_RES_PORTS from new installs, setting is ignored
+
+ Check for LF at the end of form data for files edited through the WHM
+ UI and append one if omitted
+
+ Following the changes in 2.48 the LOGDROP chain doesn't distinguish
+ between incoming and outgoing blocks. So, LOGDROP has now been split
+ into LOGDROPIN and LOGDROPOUT
+
+2.49 - Fixed issue if ETH_DEVICE was set and from changes in 2.48
+
+2.48 - csf will now specify ! lo as the main ethernet device unless otherwise
+ defined in ETH_DEVICE.
This will mean that the firewall is applied to
+ all ethernet devices on the server unless otherwise specified in the
+ configuration
+
+2.47 - Modified DYNDNS code to set listed domains IP addresses to be ignored
+ as if they were listed in csf.ignore
+
+ If adding an IP address to csf.allow that is already in csf.deny, the
+ IP address will now be removed from csf.deny first and the DROP
+ removed from iptables. It will then be added to csf.allow as normal
+
+2.46 - Added auto-detection of additional exim port (same as SSH port) which
+ will be added to TCP_IN on csf installation (or if in TESTING mode)
+
+ Only report PT_USERMEM and PT_USERTIME PIDs once
+
+2.45 - Added workaround to restart the bandmin acctboth chains if csf is
+ stopped or (re)started
+
+ Rewritten the way RELAYHOSTS works so instead of using an iptables
+ chain a check is done at block time on the IP address and if it is in
+ /etc/relayhosts then it will be treated as if it is listed in
+ csf.ignore
+
+ Enabled RELAYHOSTS by default, which is now a boolean on off (1 or 0)
+ instead of a time interval
+
+ Added exe:/usr/local/cpanel/bin/logrunner to csf.pignore
+
+ Added new options PT_USERMEM and PT_USERTIME to report excessive user
+ process usage and optionally PT_USERKILL to kill such processes. An
+ alert is sent using resalert.txt
+
+2.44 - Added new option PT_LOAD which will detect if the server load average
+ of choice exceeds a set threshold and send an alert
+
+ Reduced the DROP_NOLOG default setting to not include ephemeral ports
+ for new installations
+
+ Moved DROP_NOLOG rules to the LOGDROP chain
+
+2.43 - Added new option DROP_PF_LOGGING which will give detailed iptables log
+ information on dropped packets that are INVALID or out of sequence.
+ This can help tracking down why iptables may be blocking certain IP
+ connections
+
+2.42 - Improved the csf locking mechanism to avoid deadlocks
+
+2.41 - Fixed syntax in lfd procedure for csf locking
+
+ Added pre and post csf job detection. If /etc/csf/csfpre.sh exists it
+ will be run before any of the csf iptables rules are applied. If
+ /etc/csf/csfpost.sh exists it will be run after all of the csf rules
+ have been applied. This allows you run your own iptables commands
+ within those files. Each file is passed through /bin/sh
+
+ Added two new command line options to completely enable and disable
+ csf and lfd
+
+ Added Enable and Disable options to WHM UI
+
+2.40 - Added csf lock procedure to avoid iptables race conditions if multiple
+ /simultaneous instances of csf or lfd are executed
+
+ Added check for child reaper looping to dramatically reduce lfd load
+
+2.39 - Added OS check to Security Check to warn if using RH7/9 FC1/2 which
+ are no longer supported (or about to be retired)
+
+ Made lfd more lenient when it cannot open a log file (reports the
+ error but continues to function)
+
+ PHP Server Check - if /opt/suphp_php_bin/php.ini exists use that for
+ php settings
+
+ Added new option RELAYHOSTS to csf.conf which allows you to
+ automatically allow access to IP's listed in /etc/relayhosts at a
+ specified interval
+
+2.38 - Fixed DYDNS (forgot to add the rule to redirect packets to the
+ ALLOWDYN iptables chain)
+
+2.37 - Added canna to the Security Check
+
+ New feature - added support for dynamic dns (DYNDNS) records. See
+ csf.conf for more information
+
+ Added dyndns file edit to WHM UI
+
+2.36 - Added runlevel check to Security Check
+
+ Added nobody cron check to Security Check
+
+ Added melange server check to Security Check
+
+ Modified the regex for the php.ini disable_functions check
+
+ Added timing function to lfd that logs how long each stage takes.
This
+ can be enabled by editing lfd.pl and setting $timing=1 - this can help
+ in tracking down performance issues with lfd
+
+2.35 - Added specific exclusion for proftpd in lfd.pl process tracking
+
+ Fixed bug with LF_GLOBAL being ignored
+
+2.34 - Added a new option (beta for now) PT_SMTP. This option will check for
+ outgoing connections to port 25, ecluding root, exim and mailman. The
+ purpose of the feature is to log SMTP connections if you believe you
+ have a spammer on the server who is bypassing exim to send out spam
+ emails - this is traditionally a very difficult form of spam to track
+ down. The option currently logs relevant process information to
+ lfd.log to avoid an email alert flood.
+
+2.33 - Code modification to allow csf+lfd to run without erroring on cPanel
+ DNS-Only installations
+
+ Added forced error checking on SMTP blocking iptables commands
+
+ Added check in csf and lfd for duplicate settings in csf.conf
+
+2.32 - Added new option SMTP_ALLOWLOCAL to allow local connections to port 25
+ for web scripts, etc, if SMTP_BLOCK is enabled
+
+ Added check to csf startup to fail if "WHM > Tweak Security > SMTP
+ Tweak" is enabled otherwise it can break SMTP traffic completely. The
+ SMTP_BLOCK and SMTP_ALLOWLOCAL options in csf.conf should be used
+ instead
+
+2.31 - Added automatic throttling code to help prevent lfd using excessive
+ resources. Currently only added for LF_DIRWATCH and PT_INTERVAL. If
+ the sub process takes too long to run, the interval between its next
+ run is increased temporarily (for the duration lfd runs for, a restart
+ will reset it) and will continue to extend this time to prevent
+ excessive server load. However, it will also proportionately increase
+ the time given for the sub process to complete so that it can at least
+ attempt to get the check done. If you see throttling messages
+ appearing in the lfd.log you should consider increasing the process
+ interval as indicated permanently (i.e.
within csf.conf) + + Added throttling to CT_INTERVAL + +2.30 - Modified PT_USERPROC to respect all ignore entries in csf.pignore + +2.29 - New feature - User Process Tracking. This option enables the tracking + of the number of process any given cPanel account is running at one + time. If the number of processes exceeds the value of the PT_USERPROC + setting an email alert is sent with details of those processes. A user + is only reported once, so lfd must be restarted to reinstate checking + of all users. If you specify a user in csf.pignore it will be ignored. + The alert file is useralert.txt + + Added useralert.txt for editing through the WHM UI + + Added PT_USERPROC to the Firewall Security Level settings + +2.28 - Added /usr/local/apache1/bin/httpd and /usr/local/apache2/bin/httpd to + csf.pignore + + Only perform strict iptables error checking when in TESTING mode + +2.27 - Fixed another mis-configuation for outgoing global deny rule - Thanks + again to Marie from Jagwire Hosting + +2.26 - Fixed a mis-configuation for outgoing global deny rule - Thanks to + Marie from Jagwire Hosting + + Allow advanced allow and block filters using the -a and -d options + when running csf in CLI + + Added new option LF_SELECT. If you have LF_TRIGGER set to "0" and the + application trigger levels set, you can now set LF_SELECT to "1" if + you only want to block IP access to that application instead of a + complete block + + Changed installer behaviour to only add SSH port to TCP_IN if TESTING + is set to "1" - done to help those that don't want to always have the + SSH port opened + +2.25 - Modified lfd init procedure to use the init functions + + Modified behaviour of LF_TRIGGER. If LF_TRIGGER is set to "0" then lfd + will instead trigger blocks based on the value of the application + trigger, e.g. if LF_MODSEC is set to "3" then it will trigger on 3 + mod_security alerts. Or if LF_POP3D is set to "10" then it will + trigger on 10 pop3d login failures. 
When in this mode, i.e. with + LF_TRIGGER set to "0", login failures for different triggers are not + cumulative, whereis LF_TRIGGER set to a number > "0" they are + cumulative as before + + Modification to csf.conf to reflect the changes to LF_TRIGGER - only + applied to new installations + + Rewrite of the iptables command invocation in lfd.pl to trap iptables + errors and shutdown firewall if any found - should help prevent + lockouts + + Allow advanced rules in Global Allow and Deny lists. Input and Output + direction support included. + + Added Global Allow and Deny lists to the OUTPUT chain as well as the + INPUT chain + + Added csf.signore where you can list scripts for LF_SCRIPT_ALERT to + ignore. Updated WHM UI to allow easy file edits + +2.24 - Fixed global allow/deny lists so that you can correctly not have to + specify both an allow and a deny file + +2.23 - Modified LF_SCRIPT checking to also look for HOMEDIR and HOMEMATCH + from the cPanel configuration + + Added maildir check to Security Check + + Fixed a typo in advanced rules - Thank you to Victor from Touch + Support for pointing this out + + Added binary executable check for LF_DIRWATCH files + + Added core dump check in cron directories to LF_DIRWATCH + + Added /var/tmp check to LF_DIRWATCH if inode with /tmp does not match + + Increased LF_DIRWATCH timeout from 10 to 20 seconds - if you still + find it timing out, make sure that you have been clearing down your + tmp directories + +2.22 - Added CIDR recognition to csf.ignore + + Rewrite of the iptables command invocation in csf.pl to trap iptables + errors and shutdown firewall if any found - should help prevent + lockouts + +2.21 - Fixed a problem on some installations where the update process emptied + out csf.conf. If this has happened, you will need to remove + /etc/csf/csf.conf and then rerun the installation procedure and + reconfigure the firewall. 
If you're already running at least v2.18 you + can probably simply restore /etc/csf/csf.conf.preupdate to csf.conf + and then upgrade to this release + +2.20 - Added workaround for different output from the fuser application in + different OS's + +2.19 - Added Security Check for recurions restrictions in named.conf + + Modified port 23 check to be quicker + + Added Security Check for localhost/127.0.0.1 entry in resolv.conf + + Added Security Check for webmin if running + + Added 3 more WHM Security Checks for domain parking + + Added Security Check for boxtrapper + + Added a Run Again button to the Security Check page + + Added Security Checks for cPanel and security package updates + +2.18 - Fixed an issue with checking the /var/tmp symlink by comparing the + inodes of /tmp and the symlink destination of /var/tmp + + Added checking of /usr/tmp + + Added checking of SSH PasswordAuthentication + + Modified update routine to take a copy of csf.conf before upgrading - + the backup file is /etc/csf/csf.conf.preupdate + + Added check in /etc/cron.daily/logrotate for /tmp noexec workaround + +2.17 - Fixed installation process where duplicate entries were being added to + csf.conf for new settings. Routine added to remove duplicates and + redundant settings + + Added logrotate script for for the lfd.log file + +2.16 - Fixed syntax issue with the csf.deny application feature added in + v2.15 that prevents csf adding the IP to csf.deny + +2.15 - Added a list of the applications that lfd blocks a login failure for + into csf.deny, e.g. (ftpd,mod_security) + + Extended LF_DIRWATCH with a new option LF_DIRWATCH_FILE. This feature + will watch for changes in directories and files listed in csf.dirwatch + using an md5sum for the ls output. 
If the md5sum changes between + checks an email alert is sent using watchalert.txt + + Modified pid file locking for the lfd process to ensure duplicate + processes won't run + + Completely reworked the child reaper code to prevent SIG_CHLD kernel + errors. Removed DISABLE_SIG_CHLD_IGNORE from csf.conf for new installs + + Added new option to csf.fignore that allows you to ignore files owned + by a specific user by adding an entry in the format user:bob + + Fixed bug in LF_DSHIELD timer code + + Wrapped LF_DSHIELD and LF_SPAMHAUS in a 10 second timeout to fetch + their respective data + + New Feature - GLOBAL_ALLOW and GLOBAL_DENY options allow you to + specify a URL where csf can grab a centralised copy of an IP allow + and/or deny block list of your own. They are both retrieved after a + LF_GLOBAL interval in seconds by lfd + + Added WHM UI changes for LF_DIRWATCH_FILE + +2.14 - Modification to /var/tmp check to cater for symlinks with a trailing + slash + + Added check for native SSL support in cPanel in Server Check for those + versions that now support it + + Added MySQL port check to Server Check + + Added missing comments when clickcing Display All Comments + +2.13 - Added cPanel version check to Security Check + + Added suspicious symlink checking to LF_DIRWATCH + + Added a Display All Comments to Security Check + + Added hyperlinks to WHM URLs in Security Check comments + + Fixed the Apache Limits comments of the Security Check + + Added shell limit checks to Security Check + + Added Background Process Killer to Security Check + +2.12 - Removed duplicate /var/tmp tests + + Fixed another typo + +2.11 - Typo corrections in output text + + Removed dependencies on external modules for the Server Check report + +2.10 - Fixed /dev/shm test + +2.09 - Removed the nodev check on /tmp etc + +2.08 - Changed app name to ConfigServer Security & Firewall + + New Feature - Added Server Security Check report to WHM UI + +2.07 - Improved suspicious directory detection + 
+2.06 - Document update + + Change directory watching to only check for suspicious sub directories + +2.05 - Fixed log file error if DShield or Spamhaus block list retrieval fails + + Added perl regex matching in csf.fignore (see updated readme.txt) + +2.04 - Added /tmp/.horde/* to csf.fignore + +2.03 - Fixed a looping issue with the temporary Connection Tracking block + code + + Added a 10 second timeout for the LF_DIRWATCH child to prevent looping + +2.02 - In LF_DIRWATCH, allow wildcard matching at the end of a file name in + csf.fignore, such that /tmp/clamav* will ignore any files starting + with /tmp/clamav, e.g. /tmp/clamav-1234 + + Added a throttle to LF_DIRWATCH - if more than 10 emails are being + emailed in one pass, LF_DIRWATCH will create the file + /etc/csf/csf.dwdisable and then disable itself. To get it watching + again, either restart lfd or delete that file + + Fixed a bug where LF_DIRWATCH always reported the same file when + different files had been detected in a pass + +2.01 - Added an LF_DIRWATCH exception for postgres /tmp files + + Prevent a file being reported more than once in an LF_DIRWATCH run + + Removed LF_DIRWATCH check for files being excecutable since too many + apps set temporary files with the flag set, e.g. mod_gzip + +2.00 - New feature: Directory Watching. LF_DIRWATCH enables lfd to check /tmp + and /dev/shm and other pertinent directories for suspicious files, + i.e. script exploits. These can optionally be moved into a tarball + + Directory Watching false-positives can be listed in csf.fignore which + is accessible from the WHM UI + +1.99 - Bug fix for multiple NICs in the lfd code + +1.98 - Modified code to allow for multiple ethernet NICs so that all rules + are applied to all NICs, for example, if you have IP's spread over + eth0 and eth1. 
To do this you have to set ETH_DEVICE = "eth+" + +1.97 - Tightened DNS port 53 connections in accordance with: + http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch07 + + Moved no log dropping to the end of the chains + + Moved allowed IP's to before Block Lists + +1.96 - Liberalised connections allowed to and from DNS port 53 + +1.95 - Fixed WHM UI update. If you're running v1.93 or v1.94 you'll have to + update from shell to get to v1.95 using: + csf -u + +1.94 - Set DROP_IP_LOGGING to 0 by default to cut down on syslog traffic + + Added exe:/usr/local/cpanel/bin/cppop-ssl to csf.pignore + +1.93 - Fixed problem where external resolvers were being used and responses + from them were being dropped because they were coming back on + ephemeral ports - added a scan of /etc/resolv.conf and external + nameservers now have whitelisted source port 53 to ephemeral ports + + Drop logging of failed attempts to access port 53 so they don't + consume syslog + + Moved update from /tmp do /usr/src + +1.92 - Fixed bug where the DShield and Spamhaus block lists weren't being + periodically updated by lfd + +1.90 - Minor fix to pre-configured settings + +1.89 - Added Pre-configured settings for Low, Medium or High firewall security + to WHM UI + +1.88 - Fixed csf DSHIELD block logging so it now goes to the BLOCKDROP chain + +1.87 - Modified drop list chains to use their own drop logging to + differentiate from normal drop - if drop logging enabled + +1.86 - Modified lfd connection tracking to drop udp as well as tcp packets + when blocking + + Added support for the DShield Block List with LF_DSHIELD - + http://www.dshield.org/block_list_info.php + See csf.conf for more information + + Added support for the Spamhaus DROP List with LF_SPAMHAUS - + http://www.spamhaus.org/drop/index.lasso + See csf.conf for more information + +1.85 - Workaround for spam PT false-positives + + Added exe:/usr/bin/spamc to csf.pignore + + Added csf version to title bar in WHM + +1.84 - Added 
new cpsrvd-ssl executable to csf.pignore for the new SSL native + cPanel setup (currently in EDGE) + +1.83 - Enhanced lfd.log logging for application failure detection lines + + Set lfd to ignore child processes to get rid of zombie children. If + you see kernel messages regarding SIG_CHLD (it's a kernel bug) you can + revert to the child reaper method by enabling DISABLE_SIG_CHLD_IGNORE, + but you are likely to see harmless lfd zombie processes + +1.82 - Modified to only load LKM ipt_owner if SMTP_BLOCK enabled + + Extended the Advanced Allow/Deny Filters to allow use of UID and GID + filtering for outgoing packets - see readme.txt for more details + + Modified code to deal with modprobe command output more cleanly + +1.81 - Further modification for the newer xt iptables modules + +1.80 - Modified iptables LKM modprobe code to cater for newer xt_* module + naming scheme + +1.79 - Added new feature to send an alert email if su is used to login from + one account to another. Alerts are sent whether the attempt was + successful or failed + +1.78 - Added workaround for non-ASCII codes after /usr/sbin/pure-ftpd in lfd + process tracking + +1.77 - Added option DISABLE_SIG_CHLD_IGNORE for servers running old kernels, + e.g. RH9/FC1 + + Modified WHM UI textareas to expand to fit file contents + +1.76 - Changed WHM interface to restart csf before lfd when restarting both + +1.75 - Fix to prevent duplicates in csf.deny + + Added a slight pause between stop and start when restarting + + Code fix for TESTING mode crontab entry removal + +1.74 - Fixed lfd to when reading csf.ignore when comments present + +1.73 - Added new option LF_CSF to restart csf if iptables appears to have + been flushed (i.e. 
stopped) + + Added new option LF_SCRIPT_PERM to disable directories identified by + LF_SCRIPT_ALERT - see csf.conf for more information + + Workaround to child reaper when 2 children die at the same time + + Added workaround for PT spamd false-positives + +1.72 - Fixed bug in (deleted) lfd checks + +1.71 - Added some more exceptions to csf.pignore + + Lowered the default setting for LF_SCRIPT_LIMIT to 100 + + Modified PT to check for deleted binaries on exemptions which happen + when upcp runs and the binaries are replaced + +1.70 - PT now only reports processes with open ports + +1.69 - lfd tweaks + +1.68 - Additions to csf.pignore + + Added new option PT_SKIP_HTTP - see csf.conf/readme.txt + + Updated readme.txt regarding unavoidable false-positives and possible + mitigation. + +1.67 - More tweaks to PT with additions to csf.pignore + +1.66 - Updated csf.pignore file with additional executables + + lfd code tweaks + +1.65 - Added very simple ASCII obfuscation for lfd PT skip lines + + Fixed port typo for entropychat port + +1.64 - Updated CLI help and readme.txt for new csf -u command from v1.63 + + Changed the format of the email templates for new installations - + if you want to use the new format remove /etc/csf/*.txt and then + install csf + + Added mechanism to prevent multiple email/block attempts from login + attacks in lfd + + Added new feature - Process Tracking. This option enables tracking of + user and nobody processes and examines them for suspicious executables + or open network ports. Its purpose is to identify potential exploit + processes that are running on the server, even if they are obfuscated + to appear as system services. 
If a suspicious process is found an + alert email is sent with relevant information - readme.txt for details + +1.63 - Added feature to WHM UI to enable editing of the email templates + + Modified WHM UI to use fixed-width larger font for command output and + edit boxes + + Added notice to install.txt and readme.txt about enabling klogd (on + VPS systems in particular) + + Added autoupdates system using AUTO_UPDATES - see csf.conf for details + +1.62 - Added to APF/BFD removal in WHM UI the logrotate configuration files + + Added comments system to csf.allow and csf.deny - see readme.txt for + more information + +1.61 - Tighten up some of the csf rules + + Added new fature - LF_SCRIPT_ALERT when enabled will scan + /var/log/exim_mainlog for extended exim logging lines that show the + cwd= line for paths in /home which indicate emails sent from scripts. + If LF_SCRIPT_LIMIT emails from the same path are sent within an hour, + an email alert is sent using scriptalert.txt containing the first 10 + probably exim mainlog line matches and also likely mailing scripts + within the identifed path - an ideal tool to help identify spamming + scripts sending out email through exim. 
The option is disabled by + default as you do need to enable extended exim logging first as + explained in the csf.conf file + +1.60 - Modified lfd to use a child reaper instead of ignoring the CHLD signal + + Added login failure detection of cpanel, webmail and whm connections - + this will only work for access to non-secure ports as cPanel doesn't + know the IP address of the user when connection are over SSL due to + the way stunnel works + +1.59 - Added workaround to ethernet device detection for VPS servers + +1.58 - Fixed problem where SSH port detection on installation would add an emtpy , if + the SSH port had not been explicitly defined in sshd_config + + Modified csf and lfd ethernet device detection so that if specified in either + csf.conf or /etc/wwwacct.conf dup IP's aren't checked - useful for bonded + ethernet devices on some OS's + +1.57 - Removed erroneous 's in lfd.log + + csf start automatically does a restart to avoid problems with any + existing iptables rules or chains + + Added new option "Deny Server IPs" and associated file csf.sips to + allow blocking of all traffic on server configured IP's if they're + not in use + + Added notification to CLI and WHM UI if TESTING still enabled + +1.56 - lfd modification to avoid a race condition with the ALRM calls + + Added new feature - /etc/csf/csf.ignore can contain IP addresses that + are ignored by lfd. If an event is triggered it may be logged in + lfd.log but will not result in an email alert - e.g. 
you could list + your own IP address to avoid alerts from when you login over SSH, etc + + Added WHM UI option to edit the ignore file + +1.55 - Fixed a strict refs issue in lfd + +1.54 - Fixed IP DNS lookup routine to avoid empty () when no host found + + Added local DIE for ALRM calls for IP lookups and netstat commands + + Removed chkservd restart from /etc/init.d/lfd so that it behaves like + other monitored services + + Improved error trapping routines to better report to lfd.log if the + process dies + +1.53 - Optimised logging in lfd + + Improved error handling and reporting in lfd + + Modified WHM UI report to include all data, not just a single day + + Improved DROP logging to SYSLOG + + Added logging of dropped ICMP connections + + Added new option DROP_IP_LOGGING to log IP addresses that have been + blocked in csf.deny or by lfd with temporary connection tracking + blocks + +1.52 - beta test release + +1.51 - Added DNS lookups for IP addresses in all lfd alert emails + +1.5 - Added new feature - Connection Tracking. Enables tracking of all + connections from IP addresses to the server. If the total number of + connections is greater than CT_LIMIT then the offending IP address is + blocked in csf, or temporarily blocked in iptables. This can be used + to help prevent some types of DOS attack + + Added new feature - SSH login alerts. 
An email is sent if a successful + SSH login is detected + + Fixed a descriptive issue with the WHM UI + + Modified so that lfd checks that it doesn't block a server IP + +1.42 - Modified lfd login tracking to check the csf.allow file for an + offending IP address and to skip it if it's allowed - note this only + works for specified full IP addresses (not CIDRs or advanced port/IP) + +1.41 - Added an exception for 127.0.0.1 when checking ethernet interfaces as + VPS servers are setup with that IP on both the loopback and main + interface + +1.4 - Fixed error routine iptables flush command typo + + Modified interface checking for non-english Linux distributions + + Modified interface checking for IP addresses assigned to multiple + interfaces by mistake (I've just seen this happen!) + + Set FORWARD chain to ACCEPT on stopping firewall + + Reorganised csf.pl code + + Added advanced port+ip filtering within csf.allow and csf.deny with + the format: tcp/udp:in/out:s/d=port:s/d=ip (see readme.txt for info) + + Added link to readme.txt in WHM interface + + Added iptables status (Running/Stopped) to WHM interface + + Added Quick Allow and Quick Deny IP address options to WHM interface + +1.33 - Added blocking of SSL POP3 and IMAP ports to LT (993/995) + + Added option to Restart csf+lfd within WHM interface when appropriate + + Added buttons to WHM interface to remove APF or BFD if still installed + + Removed csf nat and mangle chain actions + +1.32 - Modified log line checking to deal with syslog compression. This is + where syslog will add a line "last message repeated X times" if the + next line it were to add is identical to the last. This could lead to + login attempts being missed. 
But no more - lfd now checks for that + line and repeats the processing of the previous log line X times to + count all the login failures + +1.31 - Removed some redundant code from csf + + Display error in csf if IP already in allow/deny file + + Stopped install.sh from overwriting email templates + + Added email notification for login tracking including a new email + template tracking.txt + + Added mod_security apache module IP blocking in lfd + +1.3 - Fixed a problem with the tick time in the alert report + + Changed the way allow and deny IP addresses are inserted into iptables + so that using the command line -a or -d doesn't require a firewall + restart + + csf -l now shows iptables line numbers + + Added login tracking (LT) options to keep track of POP3 and IMAP + logins and limit them to X connections per hour per account per IP + address. Uses iptables to block offenders to the appropriate protocol + port only and flushes them every hour. All of these blocks are + temporary and can be cleared by restarting csf + +1.21 - Added the real log file failure entry matches to the alert email. Existing + installations will need to add a [text] variable into + /etc/csf/alert.txt + + Added link in WHM to the ChangeLog if a new version is available + +1.2 - Fixed uninstall script to remove lfd from chkservd + + Fixed lfd so that checks were not made on options where a log file is + shared + + Fixed lfd stop/start to dis/enable chkservd option + + Added upgrade feature to WHM when a new version of csf is available + +1.11 - Use full paths to chkconfig within the csf installation scripts + + Documentation improvements + +1.1 - Added option LF_EMAIL_ALERT which enables email alerts if lfd blocks + an IP address. lfd now forks a child process to handle the IP blocking + and email so that it doesn't hinder the daemon process from scanning + the logs. It uses a template file for the email. 
+ +1.0 - Initial public release + + Set ALLOW_RES_PORTS to default to 1 after further RFC 1700 reading + + Check /var/log/messages and /var/log/secure for SSHD logins + + Clarified in the configuration file that only courier-imap/pop3 + connections are trapped in lfd + +1.0RC2 - Added filtering out of \r in WHM interface for allow and deny + + Fixed typo in WHM addon + + Added new configuration option ALLOW_RES_PORTS + +1.0RC1 - Added iptables reporting to WHM interface using fwlogwatch: + http://sourceforge.net/projects/fwlogwatch/ + This processes /var/log/messages and extracts the iptables log entries + (if logging is enabled) and produces a simple HTML summary report + +0.2b - Fixed modprobe errors on MONOLITHIC kernels that don't have the nat + module installed + + Modified lfd to use asterix in the log message when blocking to + highlight in Thunderbird in the same way as the kernel log messages if + you use the "Quote Colors" extension - http://quotecolors.mozdev.org/ + + Added list of TCP and UDP ports currently being listened on to install + + Set DNS_ZONE to default to 1 + + Removed backups of csf.conf files as the WHM interface is stable + + Added ipt_owner module load for SMTP Tweak on LKM kernels + + Added ipt_LOG to the required module list for LKM kernels to ensure + drop logging to syslog + + Added new configuration option DENY_IP_LIMIT + +0.1b - Initial beta release (24 May 2006) diff --git a/csf/csf.allow b/csf/csf.allow new file mode 100644 index 0000000..c70c544 --- /dev/null +++ b/csf/csf.allow 
@@ -0,0 +1,156 @@
+###############################################################################
+# Copyright 2006-2015, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following IP addresses will be allowed through iptables.
+# One IP address per line.
+# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
+# Only list IP addresses, not domain names (they will be ignored)
+#
+# Advanced port+ip filtering allowed with the following format
+# tcp/udp|in/out|s/d=port|s/d=ip
+# See readme.txt for more information
+#
+# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
+# can still be blocked. If you do not want lfd to block an IP address you must
+# add it to csf.ignore
+
+127.0.0.1 # localhost
+172.17.0.0/16 # allow docker container traffic
+
+192.168.1.2
+192.168.1.3
+192.168.100.3 # vpn ip vampi
+192.168.1.0/25 # clasa locala de ip-uri
+188.214.17.0/24 # Manually allowed: 188.214.17.0/24 (Unknown) - Thu Apr 30 10:49:31 2015
+188.214.21.0/24 # Manually allowed: 188.214.21.0/24 (Unknown) - Thu Apr 30 10:49:36 2015
+188.215.64.0/24 # Manually allowed: 188.215.64.0/24 (Unknown) - Thu Apr 30 10:49:45 2015
+89.121.131.74 # Manually allowed: 89.121.131.74 (zira) - Thu Apr 30 10:50:04 2015
+185.47.62.100 # Manually allowed: 185.47.62.100 (hera.escorte.pro) - Thu Apr 30 10:50:15 2015
+188.214.17.15 # Manually allowed: 188.214.17.15 (Unknown) - Thu Apr 30 23:05:57 2015
+188.214.17.117 # Manually allowed: 188.214.17.117 (Unknown) - Thu Jul 2 11:39:03 2015
+188.214.17.125 # csf SSH installation/upgrade IP address - Mon Jul 20 17:12:50 2015
+74.86.158.106/25 # uptimerobot
+103.18.41.146/29 # peter - Fri Oct 9 08:01:16 2015
+188.215.64.126 # Manually allowed: 188.215.64.126 (gmailrelay.gazduire.ro) - Sat Oct 10 23:10:23 2015
+213.152.162.140 # Manually allowed: 213.152.162.140 (Unknown) - Fri Oct 30 13:29:43 2015
+185.47.61.194 # Manually allowed: 185.47.61.194 (nala.escorte.pro) - Fri Nov 6 17:31:16 2015
+
+### GOOGLE APPS ###
+64.18.0.0/20
+64.233.160.0/19
+66.102.0.0/20
+66.249.80.0/20
+72.14.192.0/18
+74.125.0.0/16
+108.177.8.0/21
+173.194.0.0/16
+207.126.144.0/20
+209.85.128.0/17
+216.58.192.0/19
+216.239.32.0/19
+172.217.0.0/19
+### GOOGLE APPS ###
+
+### NAGIOS ###
+tcp:in:d=5666:s=91.210.104.27 # mylinkgen
+tcp:in:d=5666:s=134.19.177.221 # ganool
+tcp:in:d=5666:s=194.63.143.34 # file.rocks
+109.101.42.150 # Manually allowed: 109.101.42.150 (Unknown) - Thu Feb 11 02:58:51 2016
+146.148.26.210 # Manually allowed: 146.148.26.210 (210.26.148.146.bc.googleusercontent.com) - Thu Jul 7 11:09:46 2016\
+
+
+### uptimerobot ###
+69.162.124.226
+69.162.124.227
+69.162.124.228
+69.162.124.229
+69.162.124.230
+69.162.124.231
+69.162.124.232
+69.162.124.233
+69.162.124.234
+69.162.124.235
+69.162.124.236
+69.162.124.237
+69.162.124.238
+
+### other
+46.137.190.132
+122.248.234.23
+188.226.183.141
+178.62.52.237
+54.79.28.129
+54.94.142.218
+104.131.107.63
+54.67.10.127
+54.64.67.106
+159.203.30.41
+46.101.250.135
+82.208.174.39 # Manually allowed: 82.208.174.39 (vip-bogdaniancu-stirbeivoda114-116-fo.b.astral.ro) - Wed Aug 24 00:14:32 2016
+213.233.85.0/24 # Vodafone - Wed Aug 24 08:20:27 2016
+84.247.87.142 # Manually allowed: 84.247.87.142 (Unknown) - Wed Aug 24 14:01:33 2016
+52.57.115.242 # Manually allowed: 52.57.115.242 (ec2-52-57-115-242.eu-central-1.compute.amazonaws.com) - Wed Sep 21 11:48:43 2016
+88.198.19.164 # Manually allowed: 88.198.19.164 (static.88-198-19-164.clients.your-server.de) - Sat Oct 15 09:29:59 2016
+86.104.210.219 # Manually allowed: 86.104.210.219 (rx7.898.ro) - Fri Nov 18 12:49:18 2016
+86.104.210.218 # Manually allowed: 86.104.210.218 (pve1.898.ro) - Fri Nov 18 12:49:22 2016
+86.104.210.220 # Manually allowed: 86.104.210.220 (rx8.898.ro) - Thu Dec 8 13:43:42 2016
+199.217.112.136 # Manually allowed: 199.217.112.136 (Unknown) - Mon Dec 12 16:18:36 2016
+54.234.180.180 # Manually allowed: 54.234.180.180 (ec2-54-234-180-180.compute-1.amazonaws.com) - Mon Dec 19 10:08:02 2016
+77.81.120.181 # Manually allowed: 77.81.120.181 (Unknown) - Sun Jan 8 23:48:45 2017
+172.16.100.0/24 # Manually allowed: 172.16.100.0/24 (Unknown) - Thu Jan 19 23:14:44 2017
+172.16.200.0/24 # Manually allowed: 172.16.200.0/24 (Unknown) - Thu Jan 19 23:14:48 2017
+93.115.240.149 # Manually allowed: 93.115.240.149 (93.115.240.149.ch-center.com) - Mon Feb 20 09:20:50 2017
+188.214.17.243 # Manually allowed: 188.214.17.243 (Unknown) - Tue Mar 14 09:20:32 2017
+10.209.0.0/24 # Manually allowed: 10.209.0.0/24 (Unknown) - Tue Mar 28 10:07:15 2017
+10.208.1.0/24 # Manually allowed: 10.208.1.0/24 (Unknown) - Tue Mar 28 10:12:20 2017
+10.208.99.0/24 # Manually allowed: 10.208.99.0/24 (Unknown) - Wed Mar 29 22:56:32 2017
+10.208.0.0/30 # Manually allowed: 10.208.0.0/30 (Unknown) - Wed Mar 29 22:56:40 2017
+10.208.0.5/30 # Manually allowed: 10.208.0.5/30 (Unknown) - Wed Mar 29 22:56:55 2017
+192.168.1.73 # csf SSH installation/upgrade IP address - Fri Jun 30 08:00:59 2017
+167.114.157.29 # Manually allowed: 167.114.157.29 (ns513087.ip-167-114-157.net) - Sun Jul 30 17:34:11 2017
+79.117.158.127 # Manually allowed: 79.117.158.127 (d-79-117-158-127.craiova.rdsnet.ro) - Sat Sep 23 10:14:06 2017
+192.168.1.254 # Manually allowed: 192.168.1.254 (Unknown) - Wed Dec 20 23:39:19 2017
+86.124.208.123 # Manually allowed: 86.124.208.123 (86-124-208-123.rdsnet.ro) - Tue Dec 26 18:37:44 201
+192.168.1.1 # Manually allowed: 192.168.1.1 (Unknown) - Tue Jan 9 07:56:05 2018
+34.205.69.220 # Manually allowed: 34.205.69.220 (ec2-34-205-69-220.compute-1.amazonaws.com) - Thu Jan 11 10:52:31 2018
+79.116.95.77 # Manually allowed: 79.116.95.77 (79-116-95-77.rdsnet.ro) - Sat Jan 13 20:30:21 2018
+192.168.1.0/24 # Manually allowed: 192.168.1.0/24 (Unknown) - Fri Jan 26 12:28:14 2018
+188.214.17.248 # Manually allowed: 188.214.17.248 (kumba.898.ro) - Wed Feb 7 11:00:36 2018
+159.89.30.41 # Manually allowed: 159.89.30.41 (monitor.898.ro) - Mon Mar 19 09:52:35 2018
+198.199.68.81 # Manually allowed: 198.199.68.81 (Unknown) - Sun Apr 22 00:02:45 2018
+5.102.146.109 # Manually allowed: 5.102.146.109 (5-102-146-109.cust.cloudscale.ch) - Wed May 9 22:05:49 2018
+10.109.0.0/24 # Manually allowed: 10.209.0.0/24 (Unknown) - Tue Mar 28 10:07:15 2017
+10.108.1.0/24 # Manually allowed: 10.108.1.0/24 (Unknown) - Tue Mar 28 10:12:20 2017
+10.108.0.0/30 # Manually allowed: 10.108.0.0/30 (Unknown) - Wed Mar 29 22:56:40 2017
+10.108.0.5/30 # Manually allowed: 10.108.0.5/30 (Unknown) - Wed Mar 29 22:56:55 2017
+10.109.0.1 # Manually allowed: 10.109.0.1 (Unknown) - Wed Aug 29 20:55:44 2018
+5.2.157.178 # Manually allowed: 5.2.157.178 (static-5-2-157-178.rdsnet.ro) - Wed Aug 29 20:57:02 2018
+142.93.109.129 # Manually allowed: 142.93.109.129 (monitor.898.ro) - Mon Sep 17 10:35:34 2018
+10.108.254.0/24 # Manually allowed: 10.108.254.0/24 (Unknown) - Fri Nov 2 20:50:05 2018
+5.2.152.69 # Manually allowed: 5.2.152.69 (static-5-2-152-69.rdsnet.ro) - Wed Nov 28 21:15:21 2018
+35.232.93.107 # Manually allowed: 35.232.93.107 (107.93.232.35.bc.googleusercontent.com) - Mon Jan 14 10:49:18 2019
+198.23.172.114 # Manually allowed: 198.23.172.114 (gpowermail.com) - Thu Jan 31 09:28:22 2019
+172.16.36.21 # Manually allowed: 172.16.36.21 (Unknown) - Tue Feb 12 10:43:19 2019
+10.66.66.0/24 # Manually allowed: 10.66.66.0/24 (Unknown) - Tue May 7 17:07:49 2019
+10.208.150.0/24 # Manually allowed: 10.208.150.0/24 (-) - Mon Jan 20 10:14:14 2020
+92.87.113.0/24 # Manually allowed: 92.87.113.0/24 (RO/Romania/Bacau/Moinesti/-) - Thu Feb 6 16:00:59 2020
+10.208.1.30 # Manually allowed: 10.208.1.30 (-) - Wed Apr 22 21:40:17 2020
+86.104.210.229 # Manually allowed: 86.104.210.229 (RO/Romania/-/-/govoip.ro) - Mon Jun 15 04:24:24 2020
+192.168.1.16 # Manually allowed: 192.168.1.16 (-) - Fri Jul 24 15:11:13 2020
+192.168.42.0/24 # Manually allowed: 192.168.42.0/24 (-) - Thu Oct 29 15:58:40 2020
+86.126.26.216 # Manually allowed: 86.126.26.216 (RO/Romania/Bucuresti/Bucharest/86-126-26-216.rdsnet.ro) - Mon Nov 2 12:06:52 2020
+172.18.0.0/24 # Manually allowed: 172.18.0.0/24 (-) - Tue Nov 10 13:24:40 2020
+172.23.0.0/24 # Manually allowed: 172.23.0.0/24 (-) - Tue Nov 10 15:48:47 2020
+172.19.0.0/24 # Manually allowed: 172.19.0.0/24 (-) - Tue Nov 10 17:40:36 2020
+172.20.0.0/24 # Manually allowed: 172.20.0.0/24 (-) - Tue Nov 10 17:41:26 2020
+172.21.0.0/24 # Manually allowed: 172.21.0.0/24 (-) - Tue Nov 10 17:41:28 2020
+172.22.0.0/24 # Manually allowed: 172.22.0.0/24 (-) - Tue Nov 10 17:41:31 2020
+172.19.1.0/24 # Manually allowed: 172.19.1.0/24 (-) - Tue Nov 10 18:01:52 2020
+188.26.57.165 # Manually allowed: 188.26.57.165 (RO/Romania/Bucuresti/Bucharest/188-26-57-165.rdsnet.ro) - Thu Nov 19 21:17:58 2020
+86.127.10.147 # Manually allowed: 86.127.10.147 (RO/Romania/Dolj/Craiova/static-86-127-10-147.rdsnet.ro) - Mon Nov 23 11:04:24 2020
+188.26.225.85 # Manually allowed: 188.26.225.85 (RO/Romania/Bucuresti/Bucharest/188-26-225-85.rdsnet.ro) - Thu Dec 3 15:27:45 2020
+82.78.61.49 # Manually allowed: 82.78.61.49 (RO/Romania/Dolj/Craiova/82-78-61-49.rdsnet.ro) - Sat Dec 26 18:01:23 2020
+79.117.136.0 # Manually allowed: 79.117.136.0 (RO/Romania/Dolj/Craiova/79-117-136-0.rdsnet.ro) - Mon Feb 8 09:31:24 2021
+192.168.1.5 # Manually allowed: 192.168.1.5 (-) - Fri Feb 26 09:29:17 2021
diff --git a/csf/csf.blocklists b/csf/csf.blocklists
new file mode 100644
index 0000000..6fecf59
--- /dev/null
+++ b/csf/csf.blocklists
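Review bot: The plain entries in this allow list admit whole provider ranges and long-lived single addresses without any port restriction, where a port-scoped rule would do: `74.125.0.0/16` and `173.194.0.0/16` under GOOGLE APPS, the `googleusercontent.com` and `amazonaws.com` cloud hosts, and the dated `rdsnet.ro` addresses from 2017-2021, which may since have been reassigned. The file header already documents the scoped form and the NAGIOS entries use it (`tcp:in:d=5666:s=91.210.104.27`); giving each remaining peer the same form with only the service port it needs, and dropping entries no longer in use, would narrow what an allowed source can reach. Several lines also look malformed, so their effective scope is unclear: `10.208.0.5/30`, `10.108.0.5/30`, `74.86.158.106/25` and `103.18.41.146/29` have host bits set, `10.109.0.0/24` carries the comment for `10.209.0.0/24`, and the `146.148.26.210` line ends in a stray `\`.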
@@ -0,0 +1,109 @@ +############################################################################### +# Copyright 2006-2015, Way to the Web Limited +# URL: https://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# This file contains definitions to IP BLOCK lists. +# +# Uncomment the line starting with the rule name to use it, then restart csf +# and then lfd +# +# Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL +# NAME : List name with all uppercase alphabetic characters with no +# spaces and a maximum of 9 characters - this will be used as the +# iptables chain name +# INTERVAL: Refresh interval to download the list, must be a minimum of 3600 +# seconds (an hour), but 86400 (a day) should be more than enough +# MAX : This is the maximum number of IP addresses to use from the list, +# a value of 0 means all IPs +# URL : The URL to download the list from +# +# Note: Some of thsese lists are very long (thousands of IP addresses) and +# could cause serious network and/or performance issues, so setting a value for +# the MAX field should be considered +# +# After making any changes to this file you must restart csf and then lfd +# +# If you want to redownload a blocklist you must first delete +# /var/lib/csf/csf.block.NAME and then restart csf and then lfd +# +# Each URL is scanned for an IPv4/CIDR address per line and if found is blocked + +# Spamhaus Don't Route Or Peer List (DROP) +# Details: https://www.spamhaus.org/drop/ +SPAMDROP|86400|0|https://www.spamhaus.org/drop/drop.lasso + +# Spamhaus Extended DROP List (EDROP) +# Details: https://www.spamhaus.org/drop/ +SPAMEDROP|86400|0|https://www.spamhaus.org/drop/edrop.lasso + +# DShield.org Recommended Block List +# Details: https://dshield.org +DSHIELD|86400|0|https://www.dshield.org/block.txt + +# TOR Exit Nodes List +# Set URLGET in csf.conf to use LWP as this list uses an SSL connection +# Details: 
https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList +#TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4 + +# Alternative TOR Exit Nodes List +# Details: https://torstatus.blutmagie.de/ +#ALTTOR|86400|0|https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv + +# BOGON list +# Details: https://www.team-cymru.org/Services/Bogons/ +BOGON|86400|0|https://www.cymru.com/Documents/bogon-bn-agg.txt + +# Project Honey Pot Directory of Dictionary Attacker IPs +# Details: https://www.projecthoneypot.org +HONEYPOT|86400|0|https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1 + +# C.I. Army Malicious IP List +# Details: https://www.ciarmy.com +#CIARMY|86400|0|https://www.ciarmy.com/list/ci-badguys.txt + +# BruteForceBlocker IP List +# Details: https://danger.rulez.sk/index.php/bruteforceblocker/ +BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php + +# Set URLGET in csf.conf to use LWP as this list uses an SSL connection + +# MaxMind GeoIP Anonymous Proxies +# Set URLGET in csf.conf to use LWP as this list uses an SSL connection +# Details: https://www.maxmind.com/en/anonymous_proxies +MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies + +# Blocklist.de +# Set URLGET in csf.conf to use LWP as this list uses an SSL connection +# Details: https://www.blocklist.de +# This first list only retrieves the IP addresses added in the last hour +#BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600 +# This second list retrieves all the IP addresses added in the last 48 hours +# and is usually a very large list (over 10000 entries), so be sure that you +# have the resources available to use it +BDEALL|86400|0|https://lists.blocklist.de/lists/all.txt + +# CRYPTOPHP - known ips for domain controllers +CRYPTOPHP|86400|0|https://club3d.ro/crypto-php-ips.txt + +# Wordpress Pingback Attack +#WORDPRESSXMLRPC|1800|0|https://club3d.ro/wordpress-xml.txt + +# Email Spammers 
+EMAILSPAMMERS|300|0|https://club3d.ro/email-spammers.txt + +# TOR IP Addresses +TOREXITNODES|1800|0|https://club3d.ro/ipuri-tor.txt + +# Bad Bots (Crawlers) +BADBOTS|300|0|https://club3d.ro/badbots.txt + +# Spamhaus IPv6 Don't Route Or Peer List (DROPv6) +# Details: https://www.spamhaus.org/drop/ +#SPAMDROPV6|86400|0|https://www.spamhaus.org/drop/dropv6.txt + +# Stop Forum Spam IPv6 +# Details: https://www.stopforumspam.com/downloads/ +# Many of the lists available contain a vast number of IP addresses so special +# care needs to be made when selecting from their lists +#STOPFORUMSPAMV6|86400|0|https://www.stopforumspam.com/downloads/listed_ip_1_ipv6.zip diff --git a/csf/csf.blocklists.new b/csf/csf.blocklists.new new file mode 100644 index 0000000..13af4f9 --- /dev/null +++ b/csf/csf.blocklists.new 
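Review bot: `EMAILSPAMMERS|300|...`, `BADBOTS|300|...` and `TOREXITNODES|1800|...` refresh more often than the 3600-second minimum stated in this file's own header, so they should be raised, e.g. `EMAILSPAMMERS|3600|0|https://club3d.ro/email-spammers.txt`. `BFB` is the only enabled list still fetched over plain `http://`, so its contents can be altered in transit and would then decide which addresses the firewall drops; switch it to https if the provider serves it, or comment the entry out. Every enabled list uses MAX `0`, so a bad or tampered download is applied in full; a non-zero MAX on the single-operator club3d.ro feeds would bound that. The names EMAILSPAMMERS and TOREXITNODES also exceed the 9-character limit given in the header, though the installed csf version may allow more (csf.blocklists.new says 25), so that is worth confirming.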
@@ -0,0 +1,103 @@ +############################################################################### +# Copyright 2006-2018, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# This file contains definitions to IP BLOCK lists. +# +# Uncomment the line starting with the rule name to use it, then restart csf +# and then lfd +# +# Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL +# NAME : List name with all uppercase alphabetic characters with no +# spaces and a maximum of 25 characters - this will be used as the +# iptables chain name +# INTERVAL: Refresh interval to download the list, must be a minimum of 3600 +# seconds (an hour), but 86400 (a day) should be more than enough +# MAX : This is the maximum number of IP addresses to use from the list, +# a value of 0 means all IPs +# URL : The URL to download the list from +# +# Note: Some of these lists may be very long and could cause serious network +# and/or performance issues unless you are using LF_IPSET in csf, so setting a +# value for the MAX field should be considered +# +# After making any changes to this file you must restart csf and then lfd +# +# If you want to redownload a blocklist you must first delete +# /var/lib/csf/csf.block.NAME and then restart csf and then lfd +# +# Each URL is scanned for an IP/CIDR address per line and if found is blocked +# +# The downloaded list can be a zip file. 
The zip file MUST only contain a +# single text file of a single IP/CIDR per line +# +# Note: CXS_ is a reserved prefix for the blocklist name and MUST NOT be used + +# Spamhaus Don't Route Or Peer List (DROP) +# Details: http://www.spamhaus.org/drop/ +#SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.txt + +# Spamhaus IPv6 Don't Route Or Peer List (DROPv6) +# Details: http://www.spamhaus.org/drop/ +#SPAMDROPV6|86400|0|https://www.spamhaus.org/drop/dropv6.txt + +# Spamhaus Extended DROP List (EDROP) +# Details: http://www.spamhaus.org/drop/ +#SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.txt + +# DShield.org Recommended Block List +# Details: https://dshield.org +#DSHIELD|86400|0|https://www.dshield.org/block.txt + +# TOR Exit Nodes List +# Set URLGET in csf.conf to use LWP as this list uses an SSL connection +# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList +#TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4 + +# BOGON list +# Details: http://www.team-cymru.org/Services/Bogons/ +#BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt + +# Project Honey Pot Directory of Dictionary Attacker IPs +# Details: http://www.projecthoneypot.org +#HONEYPOT|86400|0|https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1 + +# C.I. 
Army Malicious IP List +# Details: http://www.ciarmy.com +#CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt + +# BruteForceBlocker IP List +# Details: http://danger.rulez.sk/index.php/bruteforceblocker/ +#BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php + +# MaxMind GeoIP Anonymous Proxies +# Set URLGET in csf.conf to use LWP as this list uses an SSL connection +# Details: https://www.maxmind.com/en/anonymous_proxies +#MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies + +# Blocklist.de +# Set URLGET in csf.conf to use LWP as this list uses an SSL connection +# Details: https://www.blocklist.de +# This first list only retrieves the IP addresses added in the last hour +#BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600 +# This second list retrieves all the IP addresses added in the last 48 hours +# and is usually a very large list (over 10000 entries), so be sure that you +# have the resources available to use it +#BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt + +# Stop Forum Spam +# Details: http://www.stopforumspam.com/downloads/ +# Many of the lists available contain a vast number of IP addresses so special +# care needs to be made when selecting from their lists +#STOPFORUMSPAM|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1.zip + +# Stop Forum Spam IPv6 +# Details: http://www.stopforumspam.com/downloads/ +# Many of the lists available contain a vast number of IP addresses so special +# care needs to be made when selecting from their lists +#STOPFORUMSPAMV6|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1_ipv6.zip + +# GreenSnow Hack List +# Details: https://greensnow.co +#GREENSNOW|86400|0|https://blocklist.greensnow.co/greensnow.txt diff --git a/csf/csf.cloudflare b/csf/csf.cloudflare new file mode 100644 index 0000000..f04e034 --- /dev/null +++ b/csf/csf.cloudflare 
@@ -0,0 +1,50 @@
+###############################################################################
+# Copyright 2006-2017, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# This file contains configuration elements for the CF_ENABLE CloudFlare
+# feature
+#
+# Entries:
+#
+# DOMAIN:
+# These list the per domain CloudFlare credientials for each matching domain
+# for all relevant triggers (i.e. LF_MODSEC)
+#
+# The special case "any" can be used as the domain name for all relevant
+# triggers regardless of domain
+#
+# USER:
+# This must be a unique name for the entry, but does not have to be a local
+# linux account name
+#
+# CFACCOUNT:
+# This is the CloudFlare login user (email address)
+#
+# CFAPIKEY:
+# This is the CloudFlare Client API Key
+#
+# DISABLE:
+# Normally, comment out a line to disable it. On servers with CF_CPANEL enabled
+# a cPanel user can be disabled here
+#
+# ANY:
+# On servers with CF_CPANEL enabled a cPanel user can be configured to use the
+# special "any" case (see above)
+#
+
+# CloudFlare client credientials for any domain triggered:
+#DOMAIN:any:USER:myuser:CFACCOUNT:sales@hostsdomain.com:CFAPIKEY:12345abcdef6789
+
+# CloudFlare client credientials for domain.com involved in trigger:
+#DOMAIN:domain.com:USER:myuser:CFACCOUNT:sales@domain.com:CFAPIKEY:12345abcdef6789
+
+# CloudFlare client credientials for domain2.com involved in trigger:
+#DOMAIN:domain2.com:USER:myuser:CFACCOUNT:myuser@hotmail.com:CFAPIKEY:12345abcdef6789
+
+# Disable CloudFlare cPanel user mycpanel from this feature:
+#DISABLE:mycpanel
+
+# Enable a cPanel user mycpanel to use the "any" feature:
+#ANY:mycpanel
diff --git a/csf/csf.conf b/csf/csf.conf
new file mode 100644
index 0000000..288df01
--- /dev/null
+++ b/csf/csf.conf
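Review bot: csf/csf.cloudflare is the file where CloudFlare account e-mails and `CFAPIKEY` values are stored in cleartext, and this commit places it under etckeeper version control. Every entry in the hunk is a commented sample, so nothing is exposed yet, but a real key added later would be recorded in repository history and in any remote the repository is pushed to. Consider excluding the file from tracking, for example with a `csf/csf.cloudflare` line in the repository's `.gitignore`, or keeping the repository local and readable by root only. Any key that does get committed should be rotated.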
@@ -0,0 +1,2678 @@ +############################################################################### +# SECTION:Initial Settings +############################################################################### +# Testing flag - enables a CRON job that clears iptables incase of +# configuration problems when you start csf. This should be enabled until you +# are sure that the firewall works - i.e. incase you get locked out of your +# server! Then do remember to set it to 0 and restart csf when you're sure +# everything is OK. Stopping csf will remove the line from /etc/crontab +# +# lfd will not start while this is enabled +TESTING = "0" + +# The interval for the crontab in minutes. Since this uses the system clock the +# CRON job will run at the interval past the hour and not from when you issue +# the start command. Therefore an interval of 5 minutes means the firewall +# will be cleared in 0-5 minutes from the firewall start +TESTING_INTERVAL = "5" + +# SECURITY WARNING +# ================ +# +# Unfortunately, syslog and rsyslog allow end-users to log messages to some +# system logs via the same unix socket that other local services use. This +# means that any log line shown in these system logs that syslog or rsyslog +# maintain can be spoofed (they are exactly the same as real log lines). +# +# Since some of the features of lfd rely on such log lines, spoofed messages +# can cause false-positive matches which can lead to confusion at best, or +# blocking of any innocent IP address or making the server inaccessible at +# worst. +# +# Any option that relies on the log entries in the files listed in +# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered +# vulnerable to exploitation by end-users and scripts run by end-users. +# +# NOTE: Not all log files are affected as they may not use syslog/rsyslog +# +# The option RESTRICT_SYSLOG disables all these features that rely on affected +# logs. 
These options are: +# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT +# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP +# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT +# PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT +# +# This list of options use the logs but are not disabled by RESTRICT_SYSLOG: +# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG +# +# The following options are still enabled by default on new installations so +# that, on balance, csf/lfd still provides expected levels of security: +# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT +# +# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed +# above, it should be done with the knowledge that any of the those options +# that are enabled could be triggered by spoofed log lines and lead to the +# server being inaccessible in the worst case. If you do not want to take that +# risk you should set RESTRICT_SYSLOG to "1" and those features will not work +# but you will not be protected from the exploits that they normally help block +# +# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access +# the syslog/rsyslog unix socket. +# +# For further advice on how to help mitigate these issues, see +# /etc/csf/readme.txt +# +# 0 = Allow those options listed above to be used and configured +# 1 = Disable all the options listed above and prevent them from being used +# 2 = Disable only alerts about this feature and do nothing else +# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED ** +RESTRICT_SYSLOG = "2" + +# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts +# write access to the syslog/rsyslog unix socket(s). 
The group must not already +# exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option +# to a unique name for the server +# +# You can add users to this group by changing /etc/csf/csf.syslogusers and then +# restarting lfd afterwards. This will create the system group and add the +# users from csf.syslogusers if they exist to that group and will change the +# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be +# monitored and the permissions re-applied should syslog/rsyslog be restarted +# +# Using this option will prevent some legitimate logging, e.g. end-user cron +# job logs +# +# If you want to revert RESTRICT_SYSLOG to another option and disable this +# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then +# syslog/rsyslog and the unix sockets will be reset +RESTRICT_SYSLOG_GROUP = "csfsyslog" + +# This options restricts the ability to modify settings within this file from +# the csf UI. Should the parent control panel be compromised, these restricted +# options could be used to further compromise the server. For this reason we +# recommend leaving this option set to at least "1" and if any of the +# restricted items need to be changed, they are done so from the root shell +# +# 0 = Unrestricted UI +# 1 = Restricted UI +# 2 = Disabled UI +RESTRICT_UI = "1" + +# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which +# runs once per day to see if there is an update to csf+lfd and upgrades if +# available and restarts csf and lfd +# +# You should check for new version announcements at http://blog.configserver.com +AUTO_UPDATES = "1" + +############################################################################### +# SECTION:IPv4 Port Settings +############################################################################### +# Lists of ports in the following comma separated lists can be added using a +# colon (e.g. 30000:35000). 
+ +# Some kernel/iptables setups do not perform stateful connection tracking +# correctly (typically some virtual servers or custom compiled kernels), so a +# SPI firewall will not function correctly. If this happens, LF_SPI can be set +# to 0 to reconfigure csf as a static firewall. +# +# As connection tracking will not be configured, applications that rely on it +# will not function unless all outgoing ports are opened. Therefore, all +# outgoing connections will be allowed once all other tests have completed. So +# TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect. +# +# If you allow incoming DNS lookups you may need to use the following +# directive in the options{} section of your named.conf: +# +# query-source port 53; +# +# This will force incoming DNS traffic only through port 53 +# +# Disabling this option will break firewall functionality that relies on +# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall +# less secure +# +# This option should be set to "1" in all other circumstances +LF_SPI = "1" + +# Allow incoming TCP ports +TCP_IN = "20,21,22,25,26,53,80,88,110,143,443,465,587,873,904,953,992,993,995,1907:1909,1723,1986,2082,2083,2086,2087,2095,2096,8080,8443,8800,8988,9391,9999,65534,5080,5665,5666,5222,5269,52222,40000:40100,11898" + +# Allow outgoing TCP ports +TCP_OUT = "1:65535" + +# Allow incoming UDP ports +UDP_IN = "20,21,53,67,68,123,161,500,514,517,518,1194,1514,1701,1981,4500,33434:33523" + +# Allow outgoing UDP ports +# To allow outgoing traceroute add 33434:33523 to this list +UDP_OUT = "1:65535" + +# Allow incoming PING. Disabling PING will likely break external uptime +# monitoring +ICMP_IN = "1" + +# Set the per IP address incoming ICMP packet rate for PING requests. This +# ratelimits PING requests which if exceeded results in silently rejected +# packets. 
Disable or increase this value if you are seeing PING drops that you +# do not want +# +# To disable rate limiting set to "0", otherwise set according to the iptables +# documentation for the limit module. For example, "1/s" will limit to one +# packet per second +ICMP_IN_RATE = "1/s" + +# Allow outgoing PING +# +# Unless there is a specific reason, this option should NOT be disabled as it +# could break OS functionality +ICMP_OUT = "1" + +# Set the per IP address outgoing ICMP packet rate for PING requests. This +# ratelimits PING requests which if exceeded results in silently rejected +# packets. Disable or increase this value if you are seeing PING drops that you +# do not want +# +# Unless there is a specific reason, this option should NOT be enabled as it +# could break OS functionality +# +# To disable rate limiting set to "0", otherwise set according to the iptables +# documentation for the limit module. For example, "1/s" will limit to one +# packet per second +ICMP_OUT_RATE = "0" + +# For those with PCI Compliance tools that state that ICMP timestamps (type 13) +# should be dropped, you can enable the following option. 
Otherwise, there +# appears to be little evidence that it has anything to do with a security risk +# and can impact network performance, so should be left disabled by everyone +# else +ICMP_TIMESTAMPDROP = "0" + +############################################################################### +# SECTION:IPv6 Port Settings +############################################################################### +# IPv6: (Requires ip6tables) +# +# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static +# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below +# +# Supported: +# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK, +# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS, +# SYNFLOOD, LF_NETBLOCK +# +# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled +# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS, +# CC_ALLOW_SMTPAUTH +# +# Supported if ip6tables >= 1.4.3: +# PORTFLOOD, CONNLIMIT +# +# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is +# installed: +# MESSENGER DOCKER SMTP_REDIRECT +# +# Not supported: +# ICMP_IN, ICMP_OUT +# +IPV6 = "1" + +# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6 +# traffic in the INPUT and OUTPUT chains. However, this could increase the risk +# of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some +# connection types +IPV6_ICMP_STRICT = "0" + +# Pre v2.6.20 kernel must set this option to "0" as no working state module is +# present, so a static firewall is configured as a fallback +# +# A workaround has been added for CentOS/RedHat v5 and custom kernels that do +# not support IPv6 connection tracking by opening ephemeral port range +# 32768:61000. This is only applied if IPV6_SPI is not enabled. 
This is the +# same workaround implemented by RedHat in the sample default IPv6 rules +# +# As connection tracking will not be configured, applications that rely on it +# will not function unless all outgoing ports are opened. Therefore, all +# outgoing connections will be allowed once all other tests have completed. So +# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any affect. +# +# If you allow incoming ipv6 DNS lookups you may need to use the following +# directive in the options{} section of your named.conf: +# +# query-source-v6 port 53; +# +# This will force ipv6 incoming DNS traffic only through port 53 +# +# These changes are not necessary if the SPI firewall is used +IPV6_SPI = "1" + +# Allow incoming IPv6 TCP ports +TCP6_IN = "22,25,53,80,110,143,443,465,587" + +# Allow outgoing IPv6 TCP ports +TCP6_OUT = "22,25,53,80,110,113,443,587" + +# Allow incoming IPv6 UDP ports +UDP6_IN = "53" + +# Allow outgoing IPv6 UDP ports +# To allow outgoing traceroute add 33434:33523 to this list +UDP6_OUT = "53,113" + +############################################################################### +# SECTION:General Settings +############################################################################### +# By default, csf will auto-configure iptables to filter all traffic except on +# the loopback device. If you only want iptables rules applied to a specific +# NIC, then list it here (e.g. eth1, or eth+) +ETH_DEVICE = "" + +# By adding a device to this option, ip6tables can be configured only on the +# specified device. 
Otherwise, ETH_DEVICE and then the default setting will be +# used +ETH6_DEVICE = "" + +# If you don't want iptables rules applied to specific NICs, then list them in +# a comma separated list (e.g "eth1,eth2") +ETH_DEVICE_SKIP = "" + +# This option should be enabled unless the kernel does not support the +# "conntrack" module +# +# To use the deprecated iptables "state" module, change this to 0 +USE_CONNTRACK = "1" + +# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+) +# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper +# This will also remove the RELATED target from the global state iptables rule +# +# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or +# the raw tables do not exist. The USE_CONNTRACK option should be enabled +# +# To enable this option, set it to your FTP server listening port number +# (normally 21), do NOT set it to "1" +USE_FTPHELPER = "21" + +# Check whether syslog is running. Many of the lfd checks require syslog to be +# running correctly. This test will send a coded message to syslog every +# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded +# message. If it fails to do so within SYSLOG_CHECK seconds an alert using +# syslogalert.txt is sent +# +# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable +SYSLOG_CHECK = "3600" + +# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses +# listed in csf.allow in addition to csf.ignore (the default). This option +# should be used with caution as it would mean that IP's allowed through the +# firewall from infected PC's could launch attacks on the server that lfd +# would ignore +IGNORE_ALLOW = "1" + +# Enable the following option if you want to apply strict iptables rules to DNS +# traffic (i.e. relying on iptables connection tracking). 
Enabling this option +# could cause DNS resolution issues both to and from the server but could help +# prevent abuse of the local DNS server +DNS_STRICT = "0" + +# Enable the following option if you want to apply strict iptables rules to DNS +# traffic between the server and the nameservers listed in /etc/resolv.conf +# Enabling this option could cause DNS resolution issues both to and from the +# server but could help prevent abuse of the local DNS server +DNS_STRICT_NS = "0" + +# Limit the number of IP's kept in the /etc/csf/csf.deny file +# +# Care should be taken when increasing this value on servers with low memory +# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the +# thousands) can sometimes cause network slowdown +# +# The value set here is the maximum number of IPs/CIDRs allowed +# if the limit is reached, the entries will be rotated so that the oldest +# entries (i.e. the ones at the top) will be removed and the latest is added. +# The limit is only checked when using csf -d (which is what lfd also uses) +# Set to 0 to disable limiting +# +# For implementations wishing to set this value significantly higher, we +# recommend using the IPSET option +DENY_IP_LIMIT = "999" + +# Limit the number of IP's kept in the temprary IP ban list. If the limit is +# reached the oldest IP's in the ban list will be removed and allowed +# regardless of the amount of time remaining for the block +# Set to 0 to disable limiting +DENY_TEMP_IP_LIMIT = "999" + +# Enable login failure detection daemon (lfd). If set to 0 none of the +# following settings will have any effect as the daemon won't start. +LF_DAEMON = "1" + +# Check whether csf appears to have been stopped and restart if necessary, +# unless TESTING is enabled above. The check is done every 300 seconds +LF_CSF = "1" + +# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE, +# IP6TABLES_RESTORE in two ways: +# +# 1. 
On a clean server reboot the entire csf iptables configuration is saved +# and then restored where possible to provide a near instant firewall +# startup[*] +# +# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD, +# BOGON, TOR are loaded using this method in a fraction of the time than if +# this setting is disabled +# +# [*]Not supported on all OS platforms +# +# Set to "0" to disable this functionality +FASTSTART = "1" + +# This option allows you to use ipset v6+ for the following csf options: +# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny, +# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER +# +# ipset will only be used with the above options when listing IPs and CIDRs. +# Advanced Allow Filters and temporary blocks use traditional iptables +# +# Using ipset moves the onus of ip matching against large lists away from +# iptables rules and to a purpose built and optimised database matching +# utility. It also simplifies the switching in of updated lists +# +# To use this option you must have a fully functioning installation of ipset +# installed either via rpm or source from http://ipset.netfilter.org/ +# +# Note: Using ipset has many advantages, some disadvantages are that you will +# no longer see packet and byte counts against IPs and it makes identifying +# blocked/allowed IPs that little bit harder +# +# Note: If you mainly use IP address only entries in csf.deny, you can increase +# the value of DENY_IP_LIMIT significantly if you wish +# +# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ +# containers even if it has been installed +# +# If you find any problems, please post on forums.configserver.com with full +# details of the issue +LF_IPSET = "1" + +# Versions of iptables greater or equal to v1.4.20 should support the --wait +# option. 
This forces iptables commands that use the option to wait until a +# lock by any other process using iptables completes, rather than simply +# failing +# +# Enabling this feature will add the --wait option to iptables commands +# +# NOTE: The disadvantage of using this option is that any iptables command that +# uses it will hang until the lock is released. This could cause a cascade of +# hung processes trying to issue iptables commands. To try and avoid this issue +# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger +# a failure if reached +WAITLOCK = "0" +WAITLOCK_TIMEOUT = "300" + +# The following sets the hashsize for ipset sets, which must be a power of 2. +# +# Note: Increasing this value will consume more memory for all sets +# Default: "1024" +LF_IPSET_HASHSIZE = "1024" + +# The following sets the maxelem for ipset sets. +# +# Note: Increasing this value will consume more memory for all sets +# Default: "65536" +LF_IPSET_MAXELEM = "99999" + +# If you enable this option then whenever a CLI request to restart csf is used +# lfd will restart csf instead within LF_PARSE seconds +# +# This feature can be helpful for restarting configurations that cannot use +# FASTSTART +LFDSTART = "0" + +# Enable verbose output of iptables commands +VERBOSE = "0" + +# Drop out of order packets and packets in an INVALID state in iptables +# connection tracking +PACKET_FILTER = "1" + +# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS) +LF_LOOKUPS = "1" + +# Custom styling is possible in the csf UI. See the readme.txt for more +# information under "UI skinning and Mobile View" +# +# This option enables the use of custom styling. If the styling fails to work +# correctly, e.g. 
custom styling does not take into account a change in the +# standard csf UI, then disabling this option will return the standard UI +STYLE_CUSTOM = "1" + +# This option disables the presence of the Mobile View in the csf UI +STYLE_MOBILE = "1" + +############################################################################### +# SECTION:SMTP Settings +############################################################################### +# Block outgoing SMTP except for root, exim and mailman (forces scripts/users +# to use the exim/sendmail binary instead of sockets access). This replaces the +# protection as WHM > Tweak Settings > SMTP Tweaks +# +# This option uses the iptables ipt_owner/xt_owner module and must be loaded +# for it to work. It may not be available on some VPS platforms +# +# Note: Run /etc/csf/csftest.pl to check whether this option will function on +# this server +SMTP_BLOCK = "1" + +# If SMTP_BLOCK is enabled but you want to allow local connections to port 25 +# on the server (e.g. for webmail or web scripts) then enable this option to +# allow outgoing SMTP connections to the loopback device +SMTP_ALLOWLOCAL = "1" + +# This option redirects outgoing SMTP connections destined for remote servers +# for non-bypass users to the local SMTP server to force local relaying of +# email. Such email may require authentication (SMTP AUTH) +SMTP_REDIRECT = "0" + +# This is a comma separated list of the ports to block. 
You should list all
+# ports that exim is configured to listen on
+SMTP_PORTS = "25,465,587"
+
+# Always allow the following comma separated users and groups to bypass
+# SMTP_BLOCK
+#
+# Note: root (UID:0) is always allowed
+SMTP_ALLOWUSER = "postfix,vmail,nobody"
+SMTP_ALLOWGROUP = "mail,nobody"
+
+# This option will only allow SMTP AUTH to be advertised to the IP addresses
+# listed in /etc/csf/csf.smtpauth on EXIM mail servers
+#
+# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
+# additionally restrict access to specific countries
+#
+# This is to help limit attempts at distributed attacks against SMTP AUTH which
+# are difficult to achive since port 25 needs to be open to relay email
+#
+# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
+# connection, then SMTP AUTH will not accept logins, defeating the attacks
+# without restricting mail relaying
+#
+# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
+# that the lookup file in /etc/exim.smtpauth is regenerated from the
+# information from /etc/csf/csf.smtpauth plus any countries listed in
+# CC_ALLOW_SMTPAUTH
+#
+# NOTE: To make this option work you MUST make the modifications to exim.conf
+# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
+# after enabling the option here, otherwise this option will not work
+#
+# To enable this option, set to 1 and make the exim configuration changes
+# To disable this option, set to 0 and undo the exim configuration changes
+SMTPAUTH_RESTRICT = "0"
+
+###############################################################################
+# SECTION:Port Flood Settings
+###############################################################################
+# Enable SYN Flood Protection. This option configures iptables to offer some
+# protection from tcp SYN packet DOS attempts.
You should set the RATE so that
+# false-positives are kept to a minimum otherwise visitors may see connection
+# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
+# man page for the correct --limit rate syntax
+#
+# Note: This option should ONLY be enabled if you know you are under a SYN
+# flood attack as it will slow down all new connections from any IP address to
+# the server if triggered
+SYNFLOOD = "0"
+SYNFLOOD_RATE = "50/s"
+SYNFLOOD_BURST = "150"
+
+# Connection Limit Protection. This option configures iptables to offer more
+# protection from DOS attacks against specific ports. It can also be used as a
+# way to simply limit resource usage by IP address to specific server services.
+# This option limits the number of concurrent new connections per IP address
+# that can be made to specific ports
+#
+# This feature does not work on servers that do not have the iptables module
+# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
+# server admins should check with their VPS host provider that the iptables
+# module is included
+#
+# For further information and syntax refer to the Connection Limit Protection
+# section of the csf readme.txt
+#
+# Note: Run /etc/csf/csftest.pl to check whether this option will function on
+# this server
+CONNLIMIT = ""
+
+# Port Flood Protection. This option configures iptables to offer protection
+# from DOS attacks against specific ports. This option limits the number of
+# new connections per time interval that can be made to specific ports
+#
+# This feature does not work on servers that do not have the iptables module
+# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels.
VPS
+# server admins should check with their VPS host provider that the iptables
+# module is included
+#
+# For further information and syntax refer to the Port Flood Protection
+# section of the csf readme.txt
+#
+# Note: Run /etc/csf/csftest.pl to check whether this option will function on
+# this server
+PORTFLOOD = "25;tcp;15;5"
+
+# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
+# These typically originate from exploit scripts uploaded through vulnerable
+# web scripts. Care should be taken on servers that use services that utilise
+# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
+# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
+#
+# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
+UDPFLOOD = "0"
+UDPFLOOD_LIMIT = "100/s"
+UDPFLOOD_BURST = "500"
+
+# This is a list of usernames that should not be rate limited, such as "named"
+# to prevent bind traffic from being limited.
+#
+# Note: root (UID:0) is always allowed
+UDPFLOOD_ALLOWUSER = "named"
+
+###############################################################################
+# SECTION:Logging Settings
+###############################################################################
+# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
+# perl module Sys::Syslog installed to use this feature
+SYSLOG = "1"
+
+# Drop target for incoming iptables rules. This can be set to either DROP or
+# REJECT. REJECT will send back an error packet, DROP will not respond at all.
+# REJECT is more polite, however it does provide extra information to a hacker
+# and lets them know that a firewall is blocking their attempts. DROP hangs
+# their connection, thereby frustrating attempts to port scan the server
+DROP = "DROP"
+
+# Drop target for outgoing iptables rules.
This can be set to either DROP or
+# REJECT as with DROP, however as such connections are from this server it is
+# better to REJECT connections to closed ports rather than to DROP them. This
+# helps to immediately free up server resources rather than tying them up until
+# a connection times out. It also tells the process making the connection that
+# it has immediately failed
+#
+# It is possible that some monolithic kernels may not support the REJECT
+# target. If this is the case, csf checks before using REJECT and falls back to
+# using DROP, issuing a warning to set this to DROP instead
+DROP_OUT = "REJECT"
+
+# Enable logging of dropped connections to blocked ports to syslog, usually
+# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
+DROP_LOGGING = "1"
+
+# Enable logging of dropped incoming connections from blocked IP addresses
+#
+# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
+DROP_IP_LOGGING = "0"
+
+# Enable logging of dropped outgoing connections
+#
+# Note: Only outgoing SYN packets for TCP connections are logged, other
+# protocols log all packets
+#
+# We recommend that you enable this option
+DROP_OUT_LOGGING = "1"
+
+# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
+# out (where available) which can help track abuse
+DROP_UID_LOGGING = "1"
+
+# Only log incoming reserved port dropped connections (0:1023). This can reduce
+# the amount of log noise from dropped connections, but will affect options
+# such as Port Scan Tracking (PS_INTERVAL)
+DROP_ONLYRES = "0"
+
+# Commonly blocked ports that you do not want logging as they tend to just fill
+# up the log file.
These ports are specifically blocked (applied to TCP and UDP
+# protocols) for incoming connections
+DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520"
+
+# Log packets dropped by the packet filtering option PACKET_FILTER
+DROP_PF_LOGGING = "1"
+
+# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
+# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
+# addresses breaking the Connection Limit Protection will be blocked
+CONNLIMIT_LOGGING = "1"
+
+# Enable logging of UDP floods. This should be enabled, especially with User ID
+# Tracking enabled
+UDPFLOOD_LOGGING = "1"
+
+# Send an alert if log file flooding is detected which causes lfd to skip log
+# lines to prevent lfd from looping. If this alert is sent you should check the
+# reported log file for the reason for the flooding
+LOGFLOOD_ALERT = "0"
+
+###############################################################################
+# SECTION:Reporting Settings
+###############################################################################
+# By default, lfd will send alert emails using the relevant alert template to
+# the To: address configured within that template. Setting the following
+# option will override the configured To: field in all lfd alert emails
+#
+# Leave this option empty to use the To: field setting in each alert template
+LF_ALERT_TO = ""
+
+# By default, lfd will send alert emails using the relevant alert template from
+# the From: address configured within that template. Setting the following
+# option will override the configured From: field in all lfd alert emails
+#
+# Leave this option empty to use the
From: field setting in each alert template
+LF_ALERT_FROM = ""
+
+# By default, lfd will send all alerts using the SENDMAIL binary. To send using
+# SMTP directly, you can set the following to a relaying SMTP server, e.g.
+# "127.0.0.1". Leave this setting blank to use SENDMAIL
+LF_ALERT_SMTP = ""
+
+# Block Reporting. lfd can run an external script when it performs and IP
+# address block following for example a login failure. The following setting
+# is to the full path of the external script which must be executable. See
+# readme.txt for format details
+#
+# Leave this setting blank to disable
+BLOCK_REPORT = ""
+
+# To also run an external script when a temporary block is unblocked. The
+# following setting can be the full path of the external script which must be
+# executable. See readme.txt for format details
+#
+# Leave this setting blank to disable
+UNBLOCK_REPORT = ""
+
+# In addition to the standard lfd email alerts, you can additionally enable the
+# sending of X-ARF reports (see http://www.xarf.org/specification.html). Only
+# block alert messages will be sent. The reports use our schema at:
+# https://download.configserver.com/abuse_login-attack_0.2.json
+#
+# These reports are in a format accepted by many Netblock owners and should
+# help them investigate abuse. This option is not designed to automatically
+# forward these reports to the Netblock owners and should be checked for
+# false-positive blocks before reporting
+#
+# If available, the report will also include the abuse contact for the IP from
+# the Abusix Contact DB: https://abusix.com/contactdb.html
+#
+# Note: The following block types are not reported through this feature:
+# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
+X_ARF = "0"
+
+# By default, lfd will send emails from the root forwarder. Setting the
+# following option will override this
+X_ARF_FROM = ""
+
+# By default, lfd will send emails to the root forwarder.
Setting the following
+# option will override this
+X_ARF_TO = ""
+
+# If you want to automatically send reports to the abuse contact where found,
+# you can enable the following option
+#
+# Note: You MUST set X_ARF_FROM to a valid email address for this option to
+# work. This is so that the abuse contact can reply to the report
+#
+# However, you should be aware that without manual checking you could be
+# reporting innocent IP addresses, including your own clients, yourself and
+# your own servers
+#
+# Additionally, just because a contact address is found, does not mean that
+# there is anyone on the end of it reading, processing or acting on such
+# reports and you could conceivably reported for sending spam
+#
+# We do not recommend enabling this option. Abuse reports should be checked and
+# verified before being forwarded to the abuse contact
+X_ARF_ABUSE = "0"
+
+###############################################################################
+# SECTION:Temp to Perm/Netblock Settings
+###############################################################################
+# Temporary to Permanent IP blocking. The following enables this feature to
+# permanently block IP addresses that have been temporarily blocked more than
+# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
+# LF_PERMBLOCK to "1" to enable this feature
+#
+# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
+# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
+# (TTL) for blocked IPs, to be effective
+#
+# Set LF_PERMBLOCK to "0" to disable this feature
+LF_PERMBLOCK = "1"
+LF_PERMBLOCK_INTERVAL = "86400"
+LF_PERMBLOCK_COUNT = "2"
+LF_PERMBLOCK_ALERT = "0"
+
+# Permanently block IPs by network class.
The following enables this feature
+# to permanently block classes of IP address where individual IP addresses
+# within the same class LF_NETBLOCK_CLASS have already been blocked more than
+# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
+# LF_NETBLOCK to "1" to enable this feature
+#
+# This can be an affective way of blocking DDOS attacks launched from within
+# the same network class
+#
+# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
+# consideration is required when blocking network classes A or B
+#
+# Set LF_NETBLOCK to "0" to disable this feature
+LF_NETBLOCK = "1"
+LF_NETBLOCK_INTERVAL = "86400"
+LF_NETBLOCK_COUNT = "2"
+LF_NETBLOCK_CLASS = "C"
+LF_NETBLOCK_ALERT = "0"
+
+# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
+# Great care should be taken with IPV6 netblock ranges due to the large number
+# of addresses involved
+#
+# To disable IPv6 netblocks set to ""
+LF_NETBLOCK_IPV6 = ""
+
+###############################################################################
+# SECTION:Global Lists/DYNDNS/Blocklists
+###############################################################################
+# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
+# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
+# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
+# chain, then flush and delete the old dynamic chain and rename the new chain.
+#
+# This prevents a small window of opportunity opening when an update occurs and
+# the dynamic chain is flushed for the new rules.
+#
+# This option should not be enabled on servers with long dynamic chains (e.g.
+# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
+# Virtuozzo VPS servers with a restricted numiptent value.
This is because each
+# chain will effectively be duplicated while the update occurs, doubling the
+# number of iptables rules
+SAFECHAINUPDATE = "1"
+
+# If you wish to allow access from dynamic DNS records (for example if your IP
+# address changes whenever you connect to the internet but you have a dedicated
+# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
+# records in csf.dyndns and then set the following to the number of seconds to
+# poll for a change in the IP address. If the IP address has changed iptables
+# will be updated.
+#
+# If the FQDN has multiple A records then all of the IP addresses will be
+# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
+# also be allowed.
+#
+# A setting of 600 would check for IP updates every 10 minutes. Set the value
+# to 0 to disable the feature
+DYNDNS = "0"
+
+# To always ignore DYNDNS IP addresses in lfd blocking, set the following
+# option to 1
+DYNDNS_IGNORE = "0"
+
+# The follow Global options allow you to specify a URL where csf can grab a
+# centralised copy of an IP allow or deny block list of your own. You need to
+# specify the full URL in the following options, i.e.:
+# http://www.somelocation.com/allow.txt
+#
+# The actual retrieval of these IP's is controlled by lfd, so you need to set
+# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
+# will perform the retrieval when it runs and then again at the specified
+# interval. A sensible interval would probably be every 3600 seconds (1 hour).
+# A minimum value of 300 is enforced for LF_GLOBAL if enabled
+#
+# You do not have to specify both an allow and a deny file
+#
+# You can also configure a global ignore file for IP's that lfd should ignore
+LF_GLOBAL = "86400"
+
+GLOBAL_ALLOW = ""
+GLOBAL_DENY = ""
+GLOBAL_IGNORE = ""
+
+# Provides the same functionality as DYNDNS but with a GLOBAL URL file.
Set
+# this to the URL of the file containing DYNDNS entries
+GLOBAL_DYNDNS = ""
+
+# Set the following to the number of seconds to poll for a change in the IP
+# address resoved from GLOBAL_DYNDNS
+GLOBAL_DYNDNS_INTERVAL = "600"
+
+# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
+# option to 1
+GLOBAL_DYNDNS_IGNORE = "0"
+
+# Blocklists are controlled by modifying /etc/csf/csf.blocklists
+#
+# If you don't want BOGON rules applied to specific NICs, then list them in
+# a comma separated list (e.g "eth1,eth2")
+LF_BOGON_SKIP = ""
+
+# The following option can be used to select the method csf will use to
+# retrieve URL data and files
+#
+# This can be set to use:
+#
+# 1. Perl module HTTP::Tiny
+# 2. Perl module LWP::UserAgent
+# 3. CURL/WGET (set location at the bottom of csf.conf if installed)
+#
+# HTTP::Tiny is much faster than LWP::UserAgent and is included in the csf
+# distribution. LWP::UserAgent may have to be installed manually, but it can
+# better support https:// URL's which also needs the LWP::Protocol::https perl
+# module
+#
+# CURL/WGET uses the system binaries if installed but does not always provide
+# good feedback when it fails. The script will first look for CURL, if that
+# does not exist at the configured location it will then look for WGET
+#
+# Additionally, 1 or 2 are used and the retrieval fails, then if either CURL or
+# WGET are available, an additional attempt will be using CURL/WGET.
This is
+# useful if the perl distribution has outdated modules that do not support
+# modern SSL/TLS implementations
+#
+# To install the LWP perl modules required:
+#
+# On rpm based systems:
+#
+# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
+#
+# On APT based systems:
+#
+# apt-get install libwww-perl liblwp-protocol-https-perl
+#
+# Via cpan:
+#
+# perl -MCPAN -eshell
+# cpan> install LWP LWP::Protocol::https
+#
+# We recommend setting this set to "2" or "3" as upgrades to csf will be
+# performed over SSL as well as other URLs used when retrieving external data
+#
+# "1" = HTTP::Tiny
+# "2" = LWP::UserAgent
+# "3" = CURL/WGET (set location at the bottom of csf.conf)
+URLGET = "2"
+
+# If you need csf/lfd to use a proxy, then you can set this option to the URL
+# of the proxy. The proxy provided will be used for both HTTP and HTTPS
+# connections
+URLPROXY = ""
+
+###############################################################################
+# SECTION:Country Code Lists and Settings
+###############################################################################
+# Country Code to CIDR allow/deny. In the following options you can allow or
+# deny whole country CIDR ranges. The CIDR blocks are obtained from a selected
+# source below. They also display Country Code Country and City for reported IP
+# addresses and lookups
+#
+# There are a number of sources for these databases, before utilising them you
+# need to visit each site and ensure you abide by their license provisions
+# where stated:
+
+# 1. MaxMind
+#
+# MaxMind GeoLite2 Country/City and ASN databases at:
+# https://dev.MaxMind.com/geoip/geoip2/geolite2/
+# This feature relies entirely on that service being available
+#
+# Advantages: This is a one stop shop for all of the databases required for
+# these features. They provide a consistent dataset for blocking and reporting
+# purposes
+#
+# Disadvantages: MaxMind require a license key to download their databases.
+# This is free of charge, but requires the user to create an account on their
+# website to generate the required key:
+#
+# WARNING: As of 2019-12-29, MaxMind REQUIRES you to create an account on their
+# site and to generate a license key to use their databases. See:
+# https://www.maxmind.com/en/geolite2/signup
+# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
+#
+# You MUST set the following to continue using the IP lookup features of csf,
+# otherwise an error will be generated and the features will not work.
+# Alternatively set CC_SRC below to a different provider
+#
+# MaxMind License Key:
+MM_LICENSE_KEY = "2JB4mfoq2dRJEc8p"
+
+# 2. DB-IP, ipdeny.com, iptoasn.com
+#
+# Advantages: The ipdeny.com databases form CC blocking are better optimised
+# and so are quicker to process and create fewer iptables entries. All of these
+# databases are free to download without requiring login or key
+#
+# Disadvantages: Multiple sources mean that any one of the three could
+# interrupt the provision of these features. It may also mean that there are
+# inconsistences between them
+#
+# https://db-ip.com/db/lite.php
+# http://ipdeny.com/
+# https://iptoasn.com/
+# http://download.geonames.org/export/dump/readme.txt
+
+# Set the following to your preferred source:
+#
+# "1" - MaxMind
+# "2" - db-ip, ipdeny, iptoasn
+#
+# The default is "2" on new installations of csf, or set to "1" to use the
+# MaxMind databases after obtaining a license key
+CC_SRC = "1"
+
+# In the following options, specify the the two-letter ISO Country Code(s).
+# The iptables rules are for incoming connections only
+#
+# Additionally, ASN numbers can also be added to the comma separated lists
+# below that also list Country Codes. The same WARNINGS for Country Codes apply
+# to the use of ASNs.
More about Autonomous System Numbers (ASN):
+# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
+# ASNs must be listed as ASnnnn (where nnnn is the ASN number)
+#
+# You should consider using LF_IPSET when using any of the following options
+#
+# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
+# non-geographic IP address designations for their clients
+#
+# WARNING: Some of the CIDR lists are huge and each one requires a rule within
+# the incoming iptables chain. This can result in significant performance
+# overheads and could render the server inaccessible in some circumstances. For
+# this reason (amongst others) we do not recommend using these options
+#
+# WARNING: Due to the resource constraints on VPS servers this feature should
+# not be used on such systems unless you choose very small CC zones
+#
+# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
+# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
+# preferred
+#
+# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
+CC_DENY = ""
+CC_ALLOW = ""
+
+# An alternative to CC_ALLOW is to only allow access from the following
+# countries but still filter based on the port and packets rules. All other
+# connections are dropped
+CC_ALLOW_FILTER = ""
+
+# This option allows access from the following countries to specific ports
+# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
+#
+# Note: The rules for this feature are inserted after the allow and deny
+# rules to still allow blocking of IP addresses
+#
+# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
+CC_ALLOW_PORTS = ""
+
+# All listed ports should be removed from TCP_IN/UDP_IN to block access from
+# elsewhere.
This option uses the same format as TCP_IN/UDP_IN
+#
+# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
+# then only countries listed in CC_ALLOW_PORTS can access FTP
+CC_ALLOW_PORTS_TCP = ""
+CC_ALLOW_PORTS_UDP = ""
+
+# This option denies access from the following countries to specific ports
+# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
+#
+# Note: The rules for this feature are inserted after the allow and deny
+# rules to still allow allowing of IP addresses
+#
+# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
+CC_DENY_PORTS = ""
+
+# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
+# NOT be removed from TCP_IN/UDP_IN
+#
+# An example would be to list port 21 here then countries listed in
+# CC_DENY_PORTS cannot access FTP
+CC_DENY_PORTS_TCP = ""
+CC_DENY_PORTS_UDP = ""
+
+# This Country Code list will prevent lfd from blocking IP address hits for the
+# listed CC's
+#
+# CC_LOOKUPS must be enabled to use this option
+CC_IGNORE = ""
+
+# This Country Code list will only allow SMTP AUTH to be advertised to the
+# listed countries in EXIM.
This is to help limit attempts at distributed
+# attacks against SMTP AUTH which are difficult to achive since port 25 needs
+# to be open to relay email
+#
+# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
+# connection, then SMTP AUTH will not accept logins, defeating the attacks
+# without restricting mail relaying
+#
+# This option can generate a very large list of IP addresses that could easily
+# severely impact on SMTP (mail) performance, so care must be taken when
+# selecting countries and if performance issues ensue
+#
+# The option SMTPAUTH_RESTRICT must be enabled to use this option
+CC_ALLOW_SMTPAUTH = ""
+
+# These options can control which IP blocks are redirected to the MESSENGER
+# service, if it is enabled
+#
+# If Country Codes are listed in CC_MESSENGER_ALLOW, then only a blocked IP
+# that resolves to one of those Country Codes will be redirected to the
+# MESSENGER service
+#
+# If Country Codes are listed in CC_MESSENGER_DENY, then a blocked IP that
+# resolves to one of those Country Codes will NOT be redirected to the
+# MESSENGER service
+#
+CC_MESSENGER_ALLOW = ""
+CC_MESSENGER_DENY = ""
+
+# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
+# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
+# help reduce the number of CC entries and may improve iptables throughput.
+# Obviously, this will deny/allow fewer IP addresses depending on how small you
+# configure the option
+#
+# For example, to ignore all CIDR (and single IP) entries small than a /16, set
+# this option to "16". Set to "" to block all CC IP addresses
+CC_DROP_CIDR = ""
+
+# Display Country Code and Country for reported IP addresses. This option can
+# be configured to use the databases enabled at the top of this section.
An
+# additional option is also available if you cannot use those databases:
+#
+# "0" - disable
+# "1" - Reports: Country Code and Country
+# "2" - Reports: Country Code and Country and Region and City
+# "3" - Reports: Country Code and Country and Region and City and ASN
+# "4" - Reports: Country Code and Country and Region and City (db-ip.com)
+#
+# Note: "4" does not use the databases enabled at the top of this section
+# directly for lookups. Instead it uses a URL-based lookup from
+# https://db-ip.com and so avoids having to download and process the large
+# databases. Please visit the https://db-ip.com and read their limitations and
+# understand that this option will either cease to function or be removed by us
+# if that site is abused or overloaded. ONLY use this option if you have
+# difficulties using the databases enabled at the top of this section. This
+# option is ONLY for IP lookups, NOT when using the CC_* options above, which
+# will continue to use the databases enabled at the top of this section
+#
+CC_LOOKUPS = "2"
+
+# Display Country Code and Country for reported IPv6 addresses using the
+# databases enabled at the top of this section
+#
+# "0" - disable
+# "1" - enable and report the detail level as specified in CC_LOOKUPS
+#
+# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
+# PORTFLOOD
+CC6_LOOKUPS = "0"
+
+# This option tells lfd how often to retrieve the databases for CC_ALLOW,
+# CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in days)
+CC_INTERVAL = "7"
+
+###############################################################################
+# SECTION:Login Failure Blocking and Alerts
+###############################################################################
+# The following[*] triggers are application specific.
If you set LF_TRIGGER to
+# "0" the value of each trigger is the number of failures against that
+# application that will trigger lfd to block the IP address
+#
+# If you set LF_TRIGGER to a value greater than "0" then the following[*]
+# application triggers are simply on or off ("0" or "1") and the value of
+# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
+# to block the IP address
+#
+# Setting the application trigger to "0" disables it
+LF_TRIGGER = "0"
+
+# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
+# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
+# "1" and the IP address will be blocked temporarily for that value in seconds.
+# For example:
+# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
+# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
+#
+# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
+# in the same way as above and LF_TRIGGER_PERM serves no function
+LF_TRIGGER_PERM = "1"
+
+# To only block access to the failed application instead of a complete block
+# for an ip address, you can set the following to "1", but LF_TRIGGER must be
+# set to "0" with specific application[*] trigger levels also set appropriately
+#
+# The ports that are blocked can be configured by changing the PORTS_* options
+LF_SELECT = "1"
+
+# Send an email alert if an IP address is blocked by one of the [*] triggers
+LF_EMAIL_ALERT = "0"
+
+# Send an email alert if an IP address is only temporarily blocked by one of
+# the [*] triggers
+#
+# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails
+LF_TEMP_EMAIL_ALERT = "1"
+
+# [*]Enable login failure detection of sshd connections
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option.
Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_SSHD = "5"
+LF_SSHD_PERM = "300"
+
+# [*]Enable login failure detection of ftp connections
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_FTPD = "5"
+LF_FTPD_PERM = "300"
+
+# [*]Enable login failure detection of SMTP AUTH connections
+LF_SMTPAUTH = "1"
+LF_SMTPAUTH_PERM = "3600"
+
+# [*]Enable syntax failure detection of Exim connections
+LF_EXIMSYNTAX = "5"
+LF_EXIMSYNTAX_PERM = "1"
+
+# [*]Enable login failure detection of pop3 connections
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_POP3D = "10"
+LF_POP3D_PERM = "300"
+
+# [*]Enable login failure detection of imap connections
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_IMAPD = "10"
+LF_IMAPD_PERM = "300"
+
+# [*]Enable login failure detection of Apache .htpasswd connections
+# Due to the often high logging rate in the Apache error log, you might want to
+# enable this option only if you know you are suffering from attacks against
+# password protected directories
+LF_HTACCESS = "5"
+LF_HTACCESS_PERM = "300"
+
+# [*]Enable failure detection of repeated Apache mod_security rule triggers
+LF_MODSEC = "10"
+LF_MODSEC_PERM = "900"
+
+# [*]Enable detection of repeated BIND denied requests
+# This option should be enabled with care as it will prevent blocked IPs from
+# resolving any domains on the server. You might want to set the trigger value
+# reasonably high to avoid this
+# Example: LF_BIND = "100"
+LF_BIND = "100"
+LF_BIND_PERM = "1"
+
+# [*]Enable detection of repeated suhosin ALERTs
+# Example: LF_SUHOSIN = "5"
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option.
Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_SUHOSIN = "10"
+LF_SUHOSIN_PERM = "300"
+
+# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
+# This option will block IP addresses if cxs detects a hits from the
+# ModSecurity rule associated with it
+#
+# Note: This option takes precedence over LF_MODSEC and removes any hits
+# counted towards LF_MODSEC for the cxs rule
+#
+# This setting should probably set very low, perhaps to 1, if you want to
+# effectively block IP addresses for this trigger option
+LF_CXS = "1"
+LF_CXS_PERM = "1"
+
+# [*]Enable detection of repeated Apache mod_qos rule triggers
+LF_QOS = "1"
+LF_QOS_PERM = "1"
+
+# [*]Enable detection of repeated Apache symlink race condition triggers from
+# the Apache patch provided by:
+# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
+# This patch has also been included by cPanel via the easyapache option:
+# "Symlink Race Condition Protection"
+LF_SYMLINK = "1"
+LF_SYMLINK_PERM = "1"
+
+# [*]Enable login failure detection of webmin connections
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_WEBMIN = "1"
+LF_WEBMIN_PERM = "1"
+
+# Send an email alert if anyone logs in successfully using SSH
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_SSH_EMAIL_ALERT = "1"
+
+# Send an email alert if anyone uses su to access another account. This will
+# send an email alert whether the attempt to use su was successful or not
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_SU_EMAIL_ALERT = "1"
+
+# Send an email alert if anyone uses sudo to access another account.
This will
+# send an email alert whether the attempt to use sudo was successful or not
+#
+# NOTE: This option could become onerous if sudo is used extensively for root
+# access by administrators or control panels. It is provided for those where
+# this is not the case
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_SUDO_EMAIL_ALERT = "1"
+
+# Send an email alert if anyone accesses webmin
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_WEBMIN_EMAIL_ALERT = "0"
+
+# Send an email alert if anyone logs in successfully to root on the console
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_CONSOLE_EMAIL_ALERT = "1"
+
+# This option will keep track of the number of "File does not exist" errors in
+# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
+# seconds then the IP address will be blocked
+#
+# Care should be used with this option as it could generate many
+# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
+# so only use this option if you know you are under this type of attack
+#
+# A sensible setting for this would be quite high, perhaps 200
+#
+# To disable set to "0"
+LF_APACHE_404 = "0"
+
+# If this option is set to 1 the blocks will be permanent
+# If this option is > 1, the blocks will be temporary for the specified number
+# of seconds
+LF_APACHE_404_PERM = "0"
+
+# This option will keep track of the number of "client denied by server
+# configuration" errors in HTACCESS_LOG.
If the number of hits is more than
+# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
+#
+# Care should be used with this option as it could generate many
+# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
+# so only use this option if you know you are under this type of attack
+#
+# A sensible setting for this would be quite high, perhaps 200
+#
+# To disable set to "0"
+LF_APACHE_403 = "0"
+
+# If this option is set to 1 the blocks will be permanent
+# If this option is > 1, the blocks will be temporary for the specified number
+# of seconds
+LF_APACHE_403_PERM = "0"
+
+# This option will keep track of the number of 401 failures in HTACCESS_LOG.
+# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
+# the IP address will be blocked
+#
+# To disable set to "0"
+LF_APACHE_401 = "0"
+
+# This option is used to determine if the Apache error_log format contains the
+# client port after the client IP. In Apache prior to v2.4, this was not the
+# case. In Apache v2.4+ the error_log format can be configured using
+# ErrorLogFormat, making the port directive optional
+#
+# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
+# to the client IP by default. This makes determining client IPv6 addresses
+# difficult unless we know whether the port is being appended or not
+#
+# lfd will attempt to autodetect the correct value if this option is set to "0"
+# from the httpd binary found in common locations.
If it fails to find a binary
+# it will be set to "2", unless specified here
+#
+# The value can be set here explicitly if the autodetection does not work:
+# 0 - autodetect
+# 1 - no port directive after client IP
+# 2 - port directive after client IP
+LF_APACHE_ERRPORT = "0"
+
+# If this option is set to 1 the blocks will be permanent
+# If this option is > 1, the blocks will be temporary for the specified number
+# of seconds
+LF_APACHE_401_PERM = "3600"
+
+# This option will send an alert if the ModSecurity IP persistent storage grows
+# excessively large: https://goo.gl/rGh5sF
+#
+# More information on cPanel servers here: https://goo.gl/vo6xTE
+#
+# LF_MODSECIPDB_FILE must be set to the correct location of the database file
+#
+# The check is performed at lfd startup and then once per hour, the template
+# used is modsecipdbalert.txt
+#
+# Set to "0" to disable this option, otherwise it is the threshold size of the
+# file to report in gigabytes, e.g. set to 5 for 5GB
+LF_MODSECIPDB_ALERT = "0"
+
+# This is the location of the persistent IP storage file on the server, e.g.:
+# /var/run/modsecurity/data/ip.pag
+# /var/cpanel/secdatadir/ip.pag
+# /var/cache/modsecurity/ip.pag
+# /usr/local/apache/conf/modsec/data/msa/ip.pag
+# /var/tmp/ip.pag
+# /tmp/ip.pag
+LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"
+
+# System Exploit Checking. This option is designed to perform a series of tests
+# to send an alert in case a possible server compromise is detected
+#
+# To enable this feature set the following to the checking interval in seconds
+# (a value of 300 would seem sensible).
+#
+# To disable set to "0"
+LF_EXPLOIT = "300"
+
+# This comma separated list allows you to ignore tests LF_EXPLOIT performs
+#
+# For the SUPERUSER check, you can list usernames in csf.suignore to have them
+# ignored for that test
+#
+# Valid tests are:
+# SUPERUSER
+#
+# If you want to ignore a test add it to this as a comma separated list, e.g.
+# "SUPERUSER"
+LF_EXPLOIT_IGNORE = ""
+
+# Set the time interval to track login and other LF_ failures within (seconds),
+# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
+LF_INTERVAL = "300"
+
+# This is how long the lfd process sleeps (in seconds) before processing the
+# log file entries and checking whether other events need to be triggered
+LF_PARSE = "5"
+
+# This is the interval that is used to flush reports of usernames, files and
+# pids so that persistent problems continue to be reported, in seconds.
+# A value of 3600 seems sensible
+LF_FLUSH = "3600"
+
+# Under some circumstances iptables can fail to include a rule instruction,
+# especially if more than one request is made concurrently. In this event, a
+# permanent block entry may exist in csf.deny, but not in iptables.
+#
+# This option instructs csf to deny an already blocked IP address the number
+# of times set. The downside, is that there will be multiple entries for an IP
+# address in csf.deny and possibly multiple rules for the same IP address in
+# iptables. This needs to be taken into consideration when unblocking such IP
+# addresses.
+#
+# Set to "0" to disable this feature. Do not set this too high for the reasons
+# detailed above (e.g. "5" should be more than enough)
+LF_REPEATBLOCK = "0"
+
+# By default csf will create both an inbound and outbound blocks from/to an IP
+# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
+# effective way to block IP traffic. This option instructs csf to only block
+# inbound traffic from those IP's and so reduces the number of iptables rules,
+# but at the expense of less effectiveness.
For this reason we recommend
+# leaving this option disabled
+#
+# Set to "0" to disable this feature - the default
+LF_BLOCKINONLY = "0"
+
+###############################################################################
+# SECTION:CloudFlare
+###############################################################################
+# This features provides interaction with the CloudFlare Firewall
+#
+# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
+# iptables is concerned) come from the CloudFlare IP's. To counter this, an
+# Apache module (mod_cloudflare) is available that obtains the true attackers
+# IP from a custom HTTP header record (similar functionality is available
+# for other HTTP daemons
+#
+# However, despite now knowing the true attacking IP address, iptables cannot
+# be used to block that IP as the traffic is still coming from the CloudFlare
+# servers
+#
+# CloudFlare have provided a Firewall feature within the user account where
+# rules can be added to block, challenge or whitelist IP addresses
+#
+# Using the CloudFlare API, this feature adds and removes attacking IPs from
+# that firewall and provides CLI (and via the UI) additional commands
+#
+# See /etc/csf/readme.txt for more information about this feature and the
+# restrictions for its use BEFORE enabling this feature
+CF_ENABLE = "0"
+
+# This can be set to either "block" or "challenge" (see CloudFlare docs)
+CF_BLOCK = "block"
+
+# This setting determines how long the temporary block will apply within csf
+# and CloudFlare, keeping them in sync
+#
+# Block duration in seconds - overrides perm block or time of individual blocks
+# in lfd for block triggers
+CF_TEMP = "3600"
+
+###############################################################################
+# SECTION:Directory Watching & Integrity
+###############################################################################
+# Enable Directory Watching.
This enables lfd to check /tmp and /dev/shm
+# directories for suspicious files, i.e. script exploits. If a suspicious
+# file is found an email alert is sent. One alert per file per LF_FLUSH
+# interval is sent
+#
+# To enable this feature set the following to the checking interval in seconds.
+# To disable set to "0"
+LF_DIRWATCH = "300"
+
+# To remove any suspicious files found during directory watching, enable the
+# following. These files will be appended to a tarball in
+# /var/lib/csf/suspicious.tar
+LF_DIRWATCH_DISABLE = "1"
+
+# This option allows you to have lfd watch a particular file or directory for
+# changes and should they change and email alert using watchalert.txt is sent
+#
+# To enable this feature set the following to the checking interval in seconds
+# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
+#
+# Set to disable set to "0"
+LF_DIRWATCH_FILE = "0"
+
+# System Integrity Checking. This enables lfd to compare md5sums of the
+# servers OS binary application files from the time when lfd starts. If the
+# md5sum of a monitored file changes an alert is sent. This option is intended
+# as an IDS (Intrusion Detection System) and is the last line of detection for
+# a possible root compromise.
+#
+# There will be constant false-positives as the servers OS is updated or
+# monitored application binaries are updated. However, unexpected changes
+# should be carefully inspected.
+#
+# Modified files will only be reported via email once.
+#
+# To enable this feature set the following to the checking interval in seconds
+# (a value of 3600 would seem sensible). This option may increase server I/O
+# load onto the server as it checks system binaries.
+#
+# To disable set to "0"
+LF_INTEGRITY = "3600"
+
+###############################################################################
+# SECTION:Distributed Attacks
+###############################################################################
+# Distributed Account Attack.
This option will keep track of login failures
+# from distributed IP addresses to a specific application account. If the
+# number of failures matches the trigger value above, ALL of the IP addresses
+# involved in the attack will be blocked according to the temp/perm rules above
+#
+# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
+# LF_HTACCESS
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_DISTATTACK = "1"
+
+# Set the following to the minimum number of unique IP addresses that trigger
+# LF_DISTATTACK
+LF_DISTATTACK_UNIQ = "2"
+
+# Distributed FTP Logins. This option will keep track of successful FTP logins.
+# If the number of successful logins to an individual account is at least
+# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
+# then all of the IP addresses will be blocked
+#
+# This option can help mitigate the common FTP account compromise attacks that
+# use a distributed network of zombies to deface websites
+#
+# A sensible setting for this might be 5, depending on how many different
+# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
+#
+# To disable set to "0"
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LF_DISTFTP = "5"
+
+# Set the following to the minimum number of unique IP addresses that trigger
+# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
+LF_DISTFTP_UNIQ = "3"
+
+# If this option is set to 1 the blocks will be permanent
+# If this option is > 1, the blocks will be temporary for the specified number
+# of seconds
+LF_DISTFTP_PERM = "1"
+
+# Send an email alert if LF_DISTFTP is triggered
+LF_DISTFTP_ALERT = "1"
+
+# Distributed SMTP Logins. This option will keep track of successful SMTP
+# logins.
If the number of successful logins to an individual account is at
+# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
+# addresses, then all of the IP addresses will be blocked. These options only
+# apply to the exim MTA
+#
+# This option can help mitigate the common SMTP account compromise attacks that
+# use a distributed network of zombies to send spam
+#
+# A sensible setting for this might be 5, depending on how many different
+# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
+#
+# To disable set to "0"
+LF_DISTSMTP = "5"
+
+# Set the following to the minimum number of unique IP addresses that trigger
+# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
+LF_DISTSMTP_UNIQ = "3"
+
+# If this option is set to 1 the blocks will be permanent
+# If this option is > 1, the blocks will be temporary for the specified number
+# of seconds
+LF_DISTSMTP_PERM = "1"
+
+# Send an email alert if LF_DISTSMTP is triggered
+LF_DISTSMTP_ALERT = "1"
+
+# This is the interval during which a distributed FTP or SMTP attack is
+# measured
+LF_DIST_INTERVAL = "300"
+
+# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
+# path to a script, it will run the script and pass the following as arguments:
+#
+# LF_DISTFTP/LF_DISTSMTP
+# account name
+# log file text
+#
+# The action script must have the execute bit and interpreter (shebang) set
+LF_DIST_ACTION = ""
+
+###############################################################################
+# SECTION:Login Tracking
+###############################################################################
+# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
+# address (0=disabled)
+#
+# This is a temporary block for the rest of the hour, afterwhich the IP is
+# unblocked
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option.
Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LT_POP3D = "0"
+
+# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
+# address (0=disabled) - not recommended for IMAP logins due to the ethos
+# within which IMAP works. If you want to use this, setting it quite high is
+# probably a good idea
+#
+# This is a temporary block for the rest of the hour, afterwhich the IP is
+# unblocked
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+LT_IMAPD = "0"
+
+# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
+# per IP
+LT_EMAIL_ALERT = "1"
+
+# If LF_PERMBLOCK is enabled but you do not want this to apply to
+# LT_POP3D/LT_IMAPD, then enable this option
+LT_SKIPPERMBLOCK = "1"
+
+###############################################################################
+# SECTION:Connection Tracking
+###############################################################################
+# Connection Tracking. This option enables tracking of all connections from IP
+# addresses to the server. If the total number of connections is greater than
+# this value then the offending IP address is blocked. This can be used to help
+# prevent some types of DOS attack.
+#
+# Care should be taken with this option. It's entirely possible that you will
+# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
+# and HTTP so it could be quite easy to trigger, especially with a lot of
+# closed connections in TIME_WAIT. However, for a server that is prone to DOS
+# attacks this may be very useful. A reasonable setting for this option might
+# be around 300.
+#
+# To disable this feature, set this to 0
+CT_LIMIT = "15"
+
+# Connection Tracking interval.
Set this to the the number of seconds between
+# connection tracking scans
+CT_INTERVAL = "60"
+
+# Send an email alert if an IP address is blocked due to connection tracking
+CT_EMAIL_ALERT = "1"
+
+# If you want to make IP blocks permanent then set this to 1, otherwise blocks
+# will be temporary and will be cleared after CT_BLOCK_TIME seconds
+CT_PERMANENT = "0"
+
+# If you opt for temporary IP blocks for CT, then the following is the interval
+# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
+CT_BLOCK_TIME = "3600"
+
+# If you don't want to count the TIME_WAIT state against the connection count
+# then set the following to "1"
+CT_SKIP_TIME_WAIT = "1"
+
+# If you only want to count specific states (e.g. SYN_RECV) then add the states
+# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
+#
+# Leave this option empty to count all states against CT_LIMIT
+CT_STATES = ""
+
+# If you only want to count specific ports (e.g. 80,443) then add the ports
+# to the following as a comma separated list. E.g. "80,443"
+#
+# Leave this option empty to count all ports against CT_LIMIT
+CT_PORTS = "25,26,465,587"
+
+# If the total number of connections from a class C subnet is greater than this
+# value then the offending subnet is blocked according to the other CT_*
+# settings
+#
+# This option can be used to help prevent some types of DOS attack where a
+# range of IP's between x.y.z.1-255 has connected to the server
+#
+# If you use a reverse proxy service such as Cloudflare you should not enable
+# this option, or should exclude the ports that you have proxied in CT_PORTS
+#
+# To disable this feature, set this to 0
+CT_SUBNET_LIMIT = "0"
+
+###############################################################################
+# SECTION:Process Tracking
+###############################################################################
+# Process Tracking.
This option enables tracking of user and nobody processes
+# and examines them for suspicious executables or open network ports. Its
+# purpose is to identify potential exploit processes that are running on the
+# server, even if they are obfuscated to appear as system services. If a
+# suspicious process is found an alert email is sent with relevant information.
+# It is then the responsibility of the recipient to investigate the process
+# further as the script takes no further action
+#
+# The following is the number of seconds a process has to be active before it
+# is inspected. If you set this time too low, then you will likely trigger
+# false-positives with CGI or PHP scripts.
+# Set the value to 0 to disable this feature
+PT_LIMIT = "60"
+
+# How frequently processes are checked in seconds
+PT_INTERVAL = "60"
+
+# If you want process tracking to highlight php or perl scripts that are run
+# through apache then disable the following,
+# i.e. set it to 0
+#
+# While enabling this setting will reduce false-positives, having it set to 0
+# does provide better checking for exploits running on the server
+PT_SKIP_HTTP = "0"
+
+# lfd will report processes, even if they're listed in csf.pignore, if they're
+# tagged as (deleted) by Linux. This information is provided in Linux under
+# /proc/PID/exe. A (deleted) process is one that is running a binary that has
+# the inode for the file removed from the file system directory. This usually
+# happens when the binary has been replaced due to an upgrade for it by the OS
+# vendor or another third party (e.g. cPanel). You need to investigate whether
+# this is indeed the case to be sure that the original binary has not been
+# replaced by a rootkit or is running an exploit.
+#
+# Note: If a deleted executable process is detected and reported then lfd will
+# not report children of the parent (or the parent itself if a child triggered
+# the report) if the parent is also a deleted executable process
+#
+# To stop lfd reporting such process you need to restart the daemon to which it
+# belongs and therefore run the process using the replacement binary (presuming
+# one exists). This will normally mean running the associated startup script in
+# /etc/init.d/
+#
+# If you do want lfd to report deleted binary processes, set to 1
+PT_DELETED = "1"
+
+# If a PT_DELETED event is triggered, then if the following contains the path to
+# a script, it will be run in a child process and passed the executable, pid,
+# account for the process, and parent pid
+#
+# The action script must have the execute bit and interpreter (shebang) set. An
+# example is provided in /usr/local/csf/bin/pt_deleted_action.pl
+#
+# WARNING: Make sure you read and understand the potential security
+# implications of such processes in PT_DELETED above before simply restarting
+# such processes with a script
+PT_DELETED_ACTION = ""
+
+# User Process Tracking. This option enables the tracking of the number of
+# process any given account is running at one time. If the number of processes
+# exceeds the value of the following setting an email alert is sent with
+# details of those processes. If you specify a user in csf.pignore it will be
+# ignored
+#
+# Set to 0 to disable this feature
+PT_USERPROC = "0"
+
+# This User Process Tracking option sends an alert if any user process exceeds
+# the virtual memory usage set (MB). To ignore specific processes or users use
+# csf.pignore
+#
+# Set to 0 to disable this feature
+PT_USERMEM = "0"
+
+# This User Process Tracking option sends an alert if any user process exceeds
+# the RSS memory usage set (MB) - RAM used, not virtual.
To ignore specific
+# processes or users use csf.pignore
+#
+# Set to 0 to disable this feature
+PT_USERRSS = "0"
+
+# This User Process Tracking option sends an alert if any linux user process
+# exceeds the time usage set (seconds). To ignore specific processes or users
+# use csf.pignore
+#
+# Set to 0 to disable this feature
+PT_USERTIME = "0"
+
+# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
+# PT_USERPROC are killed
+#
+# Warning: We don't recommend enabling this option unless absolutely necessary
+# as it can cause unexpected problems when processes are suddenly terminated.
+# It can also lead to system processes being terminated which could cause
+# stability issues. It is much better to leave this option disabled and to
+# investigate each case as it is reported when the triggers above are breached
+#
+# Note: Processes that are running deleted excecutables (see PT_DELETED) will
+# not be killed by lfd
+PT_USERKILL = "0"
+
+# If you want to disable email alerts if PT_USERKILL is triggered, then set
+# this option to 0
+PT_USERKILL_ALERT = "1"
+
+# If a PT_* event is triggered, then if the following contains the path to
+# a script, it will be run in a child process and passed the PID(s) of the
+# process(es) in a comma separated list.
+#
+# The action script must have the execute bit and interpreter (shebang) set
+PT_USER_ACTION = ""
+
+# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
+# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
+# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
+# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
+# seconds has passed to prevent email floods.
+#
+# Set PT_LOAD to "0" to disable this feature
+PT_LOAD = "30"
+PT_LOAD_AVG = "5"
+PT_LOAD_LEVEL = "6"
+PT_LOAD_SKIP = "1800"
+
+# This is the Apache Server Status URL used in the email alert.
Requires the
+# Apache mod_status module to be installed and configured correctly
+PT_APACHESTATUS = ""
+
+# If a PT_LOAD event is triggered, then if the following contains the path to
+# a script, it will be run in a child process. For example, the script could
+# contain commands to terminate and restart httpd, php, exim, etc incase of
+# looping processes. The action script must have the execute bit an
+# interpreter (shebang) set
+PT_LOAD_ACTION = ""
+
+# Fork Bomb Protection. This option checks the number of processes with the
+# same session id and if greater than the value set, the whole session tree is
+# terminated and an alert sent
+#
+# You can see an example of common session id processes on most Linux systems
+# using: "ps axf -O sid"
+#
+# On cPanel servers, PT_ALL_USERS should be enabled to use this option
+# effectively
+#
+# This option will check root owned processes. Session id 0 and 1 will always
+# be ignored as they represent kernel and init processes. csf.pignore will be
+# honoured, but bear in mind that a session tree can contain a variety of users
+# and executables
+#
+# Care needs to be taken to ensure that this option only detects runaway fork
+# bombs, so should be set higher than any session tree is likely to get (e.g.
+# httpd could have 100s of legitimate children on very busy systems). A
+# sensible starting point on most servers might be 250
+PT_FORKBOMB = "250"
+
+# Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes
+# are often left hanging after their connecting IP addresses have been blocked
+#
+# This option will terminate the SSH processes created by the blocked IP.
This
+# option is preferred over PT_SSHDHUNG
+PT_SSHDKILL = "1"
+
+# This option will terminate all processes with the cmdline of "sshd: unknown
+# [net]" or "sshd: unknown [priv]" if they have been running for more than 60
+# seconds
+PT_SSHDHUNG = "0"
+
+###############################################################################
+# SECTION:Port Scan Tracking
+###############################################################################
+# Port Scan Tracking. This feature tracks port blocks logged by iptables to
+# syslog. If an IP address generates a port block that is logged more than
+# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
+#
+# This feature could, for example, be useful for blocking hackers attempting
+# to access the standard SSH port if you have moved it to a port other than 22
+# and have removed 22 from the TCP_IN list so that connection attempts to the
+# old port are being logged
+#
+# This feature blocks all iptables blocks from the iptables logs, including
+# repeated attempts to one port or SYN flood blocks, etc
+#
+# Note: This feature will only track iptables blocks from the log file set in
+# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
+# cause redundant blocking with DROP_IP_LOGGING enabled
+#
+# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
+# could very quickly fill the iptables rule chains and cause a DOS in itself.
+# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
+# and the DENY_TEMP_IP_LIMIT with temporary blocks
+#
+# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
+# would be sensible to enable this feature
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option.
Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+PS_INTERVAL = "60"
+PS_LIMIT = "15"
+
+# You can specify the ports and/or port ranges that should be tracked by the
+# Port Scan Tracking feature. The following setting is a comma separated list
+# of those ports and uses the same format as TCP_IN. The setting of
+# 0:65535,ICMP,INVALID,OPEN,BRD covers all ports
+#
+# Special values are:
+# ICMP - include ICMP blocks (see ICMP_*)
+# INVALID - include INVALID blocks (see PACKET_FILTER)
+# OPEN - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
+# BRD - include UDP Broadcast IPs, otherwise they are ignored
+PS_PORTS = "0:65535,ICMP"
+
+# To specify how many different ports qualifies as a Port Scan you can increase
+# the following from the default value of 1. The risk in doing so will mean
+# that persistent attempts to attack a specific closed port will not be
+# detected and blocked
+PS_DIVERSITY = "1"
+
+# You can select whether IP blocks for Port Scan Tracking should be temporary
+# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
+# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
+# temporarily block the IP address for
+PS_PERMANENT = "0"
+PS_BLOCK_TIME = "1800"
+
+# Set the following to "1" to enable Port Scan Tracking email alerts, set to
+# "0" to disable them
+PS_EMAIL_ALERT = "1"
+
+###############################################################################
+# SECTION:User ID Tracking
+###############################################################################
+# User ID Tracking. This feature tracks UID blocks logged by iptables to
+# syslog. If a UID generates a port block that is logged more than UID_LIMIT
+# times within UID_INTERVAL seconds, an alert will be sent
+#
+# Note: This feature will only track iptables blocks from the log file set in
+# IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.
+#
+# To ignore specific UIDs list them in csf.uidignore and then restart lfd
+#
+# Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
+# would be sensible to enable this feature
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+UID_INTERVAL = "0"
+UID_LIMIT = "10"
+
+# You can specify the ports and/or port ranges that should be tracked by the
+# User ID Tracking feature. The following setting is a comma separated list
+# of those ports and uses the same format as TCP_OUT. The default setting of
+# 0:65535,ICMP covers all ports
+UID_PORTS = "0:65535,ICMP"
+
+###############################################################################
+# SECTION:Account Tracking
+###############################################################################
+# Account Tracking. The following options enable the tracking of modifications
+# to the accounts on a server. If any of the enabled options are triggered by
+# a modifications to an account, an alert email is sent. Only the modification
+# is reported. The cause of the modification will have to be investigated
+# manually
+#
+# You can set AT_ALERT to the following:
+# 0 = disable this feature
+# 1 = enable this feature for all accounts
+# 2 = enable this feature only for superuser accounts (UID = 0, e.g.
root, etc)
+# 3 = enable this feature only for the root account
+AT_ALERT = "1"
+
+# This options is the interval between checks in seconds
+AT_INTERVAL = "60"
+
+# Send alert if a new account is created
+AT_NEW = "1"
+
+# Send alert if an existing account is deleted
+AT_OLD = "1"
+
+# Send alert if an account password has changed
+AT_PASSWD = "1"
+
+# Send alert if an account uid has changed
+AT_UID = "1"
+
+# Send alert if an account gid has changed
+AT_GID = "1"
+
+# Send alert if an account login directory has changed
+AT_DIR = "1"
+
+# Send alert if an account login shell has changed
+AT_SHELL = "1"
+
+###############################################################################
+# SECTION:Integrated User Interface
+###############################################################################
+# Integrated User Interface. This feature provides a HTML UI to csf and lfd,
+# without requiring a control panel or web server. The UI runs as a sub process
+# to the lfd daemon
+#
+# As it runs under the root account and successful login provides root access
+# to the server, great care should be taken when configuring and using this
+# feature. There are additional restrictions to enhance secure access to the UI
+#
+# See readme.txt for more information about using this feature BEFORE enabling
+# it for security and access reasons
+#
+# 1 to enable, 0 to disable
+UI = "1"
+
+# Set this to the port that want to bind this service to. You should configure
+# this port to be >1023 and different from any other port already being used
+#
+# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
+# to the port using Advanced Allow Filters (see readme.txt)
+UI_PORT = "1908"
+
+# Optionally set the IP address to bind to. Normally this should be left blank
+# to bind to all IP addresses on the server.
+#
+# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
+# IP address MUST use the IPv6 representation.
For example 1.2.3.4 must use +# ::ffff:1.2.3.4 +# +# Leave blank to bind to all IP addresses on the server +UI_IP = "" + +# This should be a secure, hard to guess username +# +# This must be changed from the default +UI_USER = "csfadmin" + +# This should be a secure, hard to guess password. That is, at least 8 +# characters long with a mixture of upper and lowercase characters plus +# numbers and non-alphanumeric characters +# +# This must be changed from the default +UI_PASS = "d8z4a80" + +# This is the login session timeout. If there is no activity for a logged in +# session within this number of seconds, the session will timeout and a new +# login will be required +# +# For security reasons, you should always keep this option low (i.e 60-300) +UI_TIMEOUT = "300" + +# This is the maximum concurrent connections allowed to the server. The default +# value should be sufficient +UI_CHILDREN = "3" + +# The number of login retries allowed within a 24 hour period. A successful +# login from the IP address will clear the failures +# +# For security reasons, you should always keep this option low (i.e 0-10) +UI_RETRY = "5" + +# If enabled, this option will add the connecting IP address to the file +# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be +# able to login to the UI while it is listed in this file. The UI_BAN setting +# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow, +# csf.ignore, etc. +# +# For security reasons, you should always enable this option +UI_BAN = "1" + +# If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will +# be allowed to login to the UI. The UI_ALLOW setting does not refer to any of +# the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc. 
+# +# For security reasons, you should always enable this option and use ui.allow +UI_ALLOW = "1" + +# If enabled, this option will trigger an iptables block through csf after +# UI_RETRY login failures +# +# 0 = no block;1 = perm block;nn=temp block for nn secs +UI_BLOCK = "1" + +# This controls what email alerts are sent with regards to logins to the UI. It +# uses the uialert.txt template +# +# 4 = login success + login failure/ban/block + login attempts +# 3 = login success + login failure/ban/block +# 2 = login failure/ban/block +# 1 = login ban/block +# 0 = disabled +UI_ALERT = "4" + +# This is the SSL cipher list that the Integrated UI will negotiate from +UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH" + +# This is the SSL protocol version used. See IO::Socket::SSL if you wish to +# change this and to understand the implications of changing it +UI_SSL_VERSION = "SSLv23:!SSLv2" + +# If cxs is installed then enabling this option will provide a dropdown box to +# switch between applications +UI_CXS = "1" + +# There is a modified installation of ConfigServer Explorer (cse) provided with +# the csf distribution. If this option is enabled it will provide a dropdown +# box to switch between applications +UI_CSE = "1" + +############################################################################### +# SECTION:Messenger service +############################################################################### +# Messenger service. This feature allows the display of a message to a blocked +# connecting IP address to inform the user that they are blocked in the +# firewall. This can help when users get themselves blocked, e.g. due to +# multiple login failures. The service is provided by two daemons running on +# ports providing either an HTML or TEXT message +# +# This feature does not work on servers that do not have the iptables module +# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. 
VPS +# server admins should check with their VPS host provider that the iptables +# module is included +# +# IPv6 will need the IO::Socket::INET6 perl module +# +# For further information on features and limitations refer to the csf +# readme.txt +# +# Note: Run /etc/csf/csftest.pl to check whether this option will function on +# this server +# +# 1 to enable, 0 to disable +MESSENGER = "1" + +# Provide this service to temporary IP address blocks +MESSENGER_TEMP = "1" + +# Provide this service to permanent IP address blocks +MESSENGER_PERM = "1" + +# User account to run the service servers under. We recommend creating a +# specific non-priv, non-shell account for this purpose +# +# Note: When using MESSENGERV2, this account must NOT be a valid control panel +# account, it must be created manually as explained in the csf readme.txt +MESSENGER_USER = "csf" + +# This option points to the file(s) containing the Apache VirtualHost SSL +# definitions. This can be a file glob if there are multiple files to search. +# Only Apache v2 SSL VirtualHost definitions are supported +# +# This is used by MESSENGERV1 and MESSENGERV2 only +MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf" + +# The following options can be specified to provide a default fallback +# certificate to be used if either SNI is not supported or a hosted domain does +# not have an SSL certificate. If a fallback is not provided, one of the certs +# obtained from MESSENGER_HTTPS_CONF will be used +# +# This is used by MESSENGERV1 and MESSENGERV2 only +MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key" +MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt" + +# Set this to the port that will receive the HTTPS HTML message. You should +# configure this port to be >1023 and different from the TEXT and HTML port. Do +# NOT enable access to this port in TCP_IN. This option requires the perl +# module IO::Socket::SSL at a version level that supports SNI (1.83+). 
+# Additionally the version of openssl on the server must also support SNI +# +# The option uses existing SSL certificates on the server for each domain to +# maintain a secure connection without browser warnings. It uses SNI to choose +# the correct certificate to use for each client connection +# +# Warning: On some servers the amount of memory used by the HTTPS MESSENGER +# service can become significant depending on various factors associated with +# the use of IO::Socket::SSL including the number of domains and certificates +# served. This is normally only an issue if using MESSENGERV1 +MESSENGER_HTTPS = "8887" + +# This comma separated list are the HTTPS HTML ports that will be redirected +# for the blocked IP address. If you are using per application blocking +# (LF_TRIGGER) then only the relevant block port will be redirected to the +# messenger port +# +# Recommended setting "443" plus any end-user control panel SSL ports. So, for +# cPanel: "443,2083,2096" +MESSENGER_HTTPS_IN = "" + +# Set this to the port that will receive the HTML message. You should configure +# this port to be >1023 and different from the TEXT port. Do NOT enable access +# to this port in TCP_IN +MESSENGER_HTML = "8888" + +# This comma separated list are the HTML ports that will be redirected for the +# blocked IP address. If you are using per application blocking (LF_TRIGGER) +# then only the relevant block port will be redirected to the messenger port +MESSENGER_HTML_IN = "80,2082,2093,2095" + +# Set this to the port that will receive the TEXT message. You should configure +# this port to be >1023 and different from the HTML port. Do NOT enable access +# to this port in TCP_IN +MESSENGER_TEXT = "8889" + +# This comma separated list are the TEXT ports that will be redirected for the +# blocked IP address. 
If you are using per application blocking (LF_TRIGGER) +# then only the relevant block port will be redirected to the messenger port +MESSENGER_TEXT_IN = "21" + +# These settings limit the rate at which connections can be made to the +# messenger service servers. Its intention is to provide protection from +# attacks or excessive connections to the servers. If the rate is exceeded then +# iptables will revert for the duration to the normal blocking activity +# +# See the iptables man page for the correct --limit rate syntax +MESSENGER_RATE = "15/m" +MESSENGER_BURST = "150" + +# MESSENGERV1 only: +#------------------------------------------------------------------------------ +# This is the maximum concurrent connections allowed to each service server +# +# Note: This number should be increased to cater for the number of local images +# served by this page, including one for favicon.ico. This is because each +# image displayed counts as an additional connection +MESSENGER_CHILDREN = "5" + +# This options ignores ServerAlias definitions that begin with "mail.". This +# can help reduce memory usage on systems that do not require the use of +# MESSENGER_HTTPS on those subdomains +# +# Set to 0 to include these ServerAlias definitions +MESSENGER_HTTPS_SKIPMAIL = "1" + +# MESSENGERV2 only: +#------------------------------------------------------------------------------ +# MESSENGERV2. This option is available on cPanel servers running Apache v2.4+ +# under EA4. +# +# This uses the Apache http daemon to provide the web server functionality for +# the MESSENGER HTML and HTTPS services. It uses a fraction of the resources +# that the lfd inbuilt service uses and overcomes the memory overhead of using +# the MESSENGER HTTPS service +# +# For more information consult readme.txt before enabling this option +#MESSENGERV2 = "0" + +# MESSENGERV3 only: +#------------------------------------------------------------------------------ +# MESSENGERV3. 
This option is available on any server running Apache v2.4+, +# Litespeed or Openlitespeed +# +# This uses the web server http daemon to provide the web server functionality +# for the MESSENGER HTML and HTTPS services. It uses a fraction of the +# resources that the lfd inbuilt service uses and overcomes the memory overhead +# of using the MESSENGER HTTPS service +# +# For more information consult readme.txt before enabling this option +MESSENGERV3 = "0" + +# This is the file or directory where the additional web server configuration +# file should be included +MESSENGERV3LOCATION = "/etc/httpd/conf.d/" + +# This is the command to restart the web server +MESSENGERV3RESTART = "service httpd restart" + +# This is the command to test the validity of the web server configuration. If +# using Litespeed, set to "" +MESSENGERV3TEST = "/usr/sbin/apachectl -t" + +# This must be set to the main httpd.conf file for either Apache or Litespeed +MESSENGERV3HTTPS_CONF = "/etc/httpd/conf/httpd.conf" + +# This can be set to either: +# "apache" - for servers running Apache v2.4+ or Litespeed using Apache +# configuration +# "litespeed" - for Litespeed or Openlitespeed +MESSENGERV3WEBSERVER = "apache" + +# On creation, set the MESSENGER_USER public_html directory permissions to +# Note: If you precreate this directory the following setting will be ignored +MESSENGERV3PERMS = "711" + +# On creation, set the MESSENGER_USER public_html directory group user to +# Note: If you precreate this directory the following setting will be ignored +MESSENGERV3GROUP = "apache" + +# This is the web server configuration to allow PHP scripts to run. If left +# empty, the MESSENGER service will try to configure this. If this does not +# work, this should be set as an "Include /path/to/csf_php.conf" or similar +# file which must contain appropriate web server configuration to allow PHP +# scripts to run. This line will be included within each MESSENGER VirtualHost +# container. 
This will replace the [MESSENGERV3PHPHANDLER] line from the csf +# webserver template files +MESSENGERV3PHPHANDLER = "" + +# RECAPTCHA: +#------------------------------------------------------------------------------ +# The RECAPTCHA options provide a way for end-users that have blocked +# themselves in the firewall to unblock themselves. +# +# A valid Google ReCAPTCHA (v2) key set is required for this feature from: +# https://www.google.com/recaptcha/intro/index.html +# +# When configuring a new reCAPTCHA API key set you must ensure that the option +# for "Domain Name Validation" is unticked so that the same reCAPTCHA can be +# used for all domains hosted on the server. lfd then checks that the hostname +# of the request resolves to an IP on this server +# +# This feature requires the installation of the LWP::UserAgent perl module (see +# option URLGET for more details) +# +# The template used for this feature is /etc/csf/messenger/index.recaptcha.html +# +# Note: An unblock will fail if the end-users IP is located in a netblock, +# blocklist or CC_* deny entry +RECAPTCHA_SITEKEY = "" +RECAPTCHA_SECRET = "" + +# Send an email when an IP address successfully attempts to unblock themselves. +# This does not necessarily mean the IP was unblocked, only that the +# post-recaptcha unblock request was attempted +# +# Set to "0" to disable +RECAPTCHA_ALERT = "1" + +# If the server uses NAT then resolving the hostname to hosted IPs will likely +# not succeed. In that case, the external IP addresses must be listed as comma +# separated list here +RECAPTCHA_NAT = "" + +############################################################################### +# SECTION:lfd Clustering +############################################################################### +# lfd Clustering. This allows the configuration of an lfd cluster environment +# where a group of servers can share blocks and configuration option changes. +# Included are CLI and UI options to send requests to the cluster. 
+# +# See the readme.txt file for more information and details on setup and +# security risks. +# +# Set this to a comma separated list of cluster member IP addresses to send +# requests to. Alternatively, it can be set to the full path of a file that +# will read in one IP per line, e.g.: +# "/etc/csf/cluster_sendto.txt" +CLUSTER_SENDTO = "" + +# Set this to a comma separated list of cluster member IP addresses to receive +# requests from. Alternatively, it can be set to the full path of a file that +# will read in one IP per line, e.g.: +# "/etc/csf/cluster_recvfrom.txt" +CLUSTER_RECVFROM = "" + +# IP address of the master node in the cluster allowed to send CLUSTER_CONFIG +# changes +CLUSTER_MASTER = "" + +# If this is a NAT server, set this to the public IP address of this server +CLUSTER_NAT = "" + +# If a cluster member should send requests on an IP other than the default IP, +# set it here +CLUSTER_LOCALADDR = "" + +# Cluster communication port (must be the same on all member servers). There +# is no need to open this port in the firewall as csf will automatically add +# in and out bound rules to allow communication between cluster members +CLUSTER_PORT = "7777" + +# This is a secret key used to encrypt cluster communications using the +# Blowfish algorithm. It should be between 8 and 56 characters long, +# preferably > 20 random characters +# 56 chars: 01234567890123456789012345678901234567890123456789012345 +CLUSTER_KEY = "" + +# Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those +# servers must have this servers IP address listed in their CLUSTER_RECVFROM +# +# Set to 0 to disable this feature +CLUSTER_BLOCK = "1" + +# This option allows the enabling and disabling of the Cluster configuration +# changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the +# CLUSTER_MASTER server +# +# Set this option to 1 to allow Cluster configurations to be received +CLUSTER_CONFIG = "0" + +# Maximum number of child processes to listen on. 
High blocking rates or large +# clusters may need to increase this +CLUSTER_CHILDREN = "10" + +############################################################################### +# SECTION:Port Knocking +############################################################################### +# Port Knocking. This feature allows port knocking to be enabled on multiple +# ports with a variable number of knocked ports and a timeout. There must be a +# minimum of 3 ports to knock for an entry to be valid +# +# See the following for information regarding Port Knocking: +# http://www.portknocking.org/ +# +# This feature does not work on servers that do not have the iptables module +# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS +# server admins should check with their VPS host provider that the iptables +# module is included +# +# For further information and syntax refer to the Port Knocking section of the +# csf readme.txt +# +# Note: Run /etc/csf/csftest.pl to check whether this option will function on +# this server +# +# openport;protocol;timeout;kport1;kport2;kport3[...;kportN],... +# e.g.: 22;TCP;20;100;200;300;400 +PORTKNOCKING = "" + +# Enable PORTKNOCKING logging by iptables +PORTKNOCKING_LOG = "1" + +# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must +# also be enabled to use this option +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +PORTKNOCKING_ALERT = "1" + +############################################################################### +# SECTION:Log Scanner +############################################################################### +# Log Scanner. This feature will send out an email summary of the log lines of +# each log listed in /etc/csf/csf.logfiles. 
All lines will be reported unless +# they match a regular expression in /etc/csf/csf.logignore +# +# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However, +# be aware that the more files lfd has to track, the greater the performance +# hit. Note: File globs are only evaluated when lfd is started +# +# Note: lfd builds the report continuously from lines logged after lfd has +# started, so any lines logged when lfd is not running will not be reported +# (e.g. during reboot). If lfd is restarted, then the report will include any +# lines logged during the previous lfd logging period that weren't reported +# +# 1 to enable, 0 to disable +LOGSCANNER = "1" + +# This is the interval each report will be sent based on the logalert.txt +# template +# +# The interval can be set to: +# "hourly" - sent on the hour +# "daily" - sent at midnight (00:00) +# "manual" - sent whenever "csf --logrun" is run. This allows for scheduling +# via cron job +LOGSCANNER_INTERVAL = "manual" + +# Report Style +# 1 = Separate chronological log lines per log file +# 2 = Simply chronological log of all lines +LOGSCANNER_STYLE = "1" + +# Send the report email even if no log lines reported +# 1 to enable, 0 to disable +LOGSCANNER_EMPTY = "1" + +# Maximum number of lines in the report before it is truncated. This is to +# prevent log lines flooding resulting in an excessively large report. 
This +# might need to be increased if you choose a daily report +LOGSCANNER_LINES = "10000" + +############################################################################### +# SECTION:Statistics Settings +############################################################################### +# Statistics +# +# Some of the Statistics output requires the gd graphics library and the +# GD::Graph perl module with all dependent modules to be installed for the UI +# for them to be displayed +# +# This option enabled statistical data gathering +ST_ENABLE = "1" + +# This option determines how many iptables log lines to store for reports +ST_IPTABLES = "150" + +# This option indicates whether rDNS and CC lookups are performed at the time +# the log line is recorded (this is not performed when viewing the reports) +# +# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits, +# then enabling this setting could cause serious performance problems +ST_LOOKUP = "1" + +# This option will gather basic system statstics. Through the UI it displays +# various graphs for disk, cpu, memory, network, etc usage over 4 intervals: +# . Hourly (per minute) +# . 24 hours (per minute) +# . 7 days (per minute averaged over an hour) +# . 30 days (per minute averaged over an hour) - user definable +# The data is stored in /var/lib/csf/stats/system and the option requires the +# perl GD::Graph module +# +# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on +# those systems do not store the required information in /proc/diskstats +# On new installations or when enabling this option it will take time for these +# graphs to be populated +ST_SYSTEM = "1" + +# Set the maximum days to collect statistics for. The default is 30 days, the +# more data that is collected the longer it will take for each of the graphs to +# be generated +ST_SYSTEM_MAXDAYS = "30" + +# If ST_SYSTEM is enabled, then these options can collect MySQL statistical +# data. 
To use this option the server must have the perl modules DBI and +# DBD::mysql installed. +# +# Set this option to "0" to disable MySQL data collection +ST_MYSQL = "1" + +# The following options are for authentication for MySQL data collection. If +# the password is left blank and the user set to "root" then the procedure will +# look for authentication data in /root/.my.cnf. Otherwise, you will need to +# provide a MySQL username and password to collect the data. Any MySQL user +# account can be used +ST_MYSQL_USER = "root" +ST_MYSQL_PASS = "d8z4a80" +ST_MYSQL_HOST = "localhost" + +# If ST_SYSTEM is enabled, then this option can collect Apache statistical data +# The value for PT_APACHESTATUS must be correctly set +ST_APACHE = "0" + +# The following options measure disk write performance using dd (location set +# via the DD setting). It creates a 64MB file called /var/lib/dd_write_test and +# the statistics will plot the MB/s response time of the disk. As this is an IO +# intensive operation, it may not be prudent to run this test too often, so by +# default it is only run every 5 minutes and the result duplicated for each +# intervening minute for the statistics +# +# This is not necessrily a good measure of disk performance, primarily because +# the measurements are for relatively small amounts of data over a small amount +# of time. To properly test disk performance there are a variety of tools +# available that should be run for extended periods of time to obtain an +# accurate measurement. This metric is provided to give an idea of how the disk +# is performing over time +# +# Note: There is a 15 second timeout performing the check +# +# Set to 0 to disable, 1 to enable +ST_DISKW = "0" + +# The number of minutes that elapse between tests. Default is 5, minimum is 1. +ST_DISKW_FREQ = "15" + +# This is the command line passed to dd. If you are familiar with dd, or wish +# to move the output file (of) to a different disk, then you can alter this +# command. 
Take great care when making any changes to this command as it is +# very easy to overwrite a disk using dd if you make a mistake +ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync" + +############################################################################### +# SECTION:Docker Settings +############################################################################### +# This section provides the configuration of iptables rules to allow Docker +# containers to communicate through the host. If the generated rules do not +# work with your setup you will have to use a /etc/csf/csfpost.sh file and add +# your own iptables configuration instead +# +# 1 to enable, 0 to disable +DOCKER = "0" + +# The network device on the host +DOCKER_DEVICE = "docker0" + +# Docker container IPv4 range +DOCKER_NETWORK4 = "172.17.0.0/16" + +# Docker container IPv6 range. IPV6 must be enabled and the IPv6 nat table +# available (see IPv6 section). Leave blank to disable +DOCKER_NETWORK6 = "2001:db8:1::/64" + +############################################################################### +# SECTION:OS Specific Settings +############################################################################### +# Binary locations +IPTABLES = "/sbin/iptables" +IPTABLES_SAVE = "/sbin/iptables-save" +IPTABLES_RESTORE = "/sbin/iptables-restore" +IP6TABLES = "/sbin/ip6tables" +IP6TABLES_SAVE = "/sbin/ip6tables-save" +IP6TABLES_RESTORE = "/sbin/ip6tables-restore" +MODPROBE = "/sbin/modprobe" +IFCONFIG = "/sbin/ifconfig" +SENDMAIL = "/usr/sbin/sendmail" +PS = "/bin/ps" +VMSTAT = "/usr/bin/vmstat" +NETSTAT = "/bin/netstat" +LS = "/bin/ls" +MD5SUM = "/usr/bin/md5sum" +TAR = "/bin/tar" +CHATTR = "/usr/bin/chattr" +UNZIP = "/usr/bin/unzip" +GUNZIP = "/bin/gunzip" +DD = "/bin/dd" +TAIL = "/usr/bin/tail" +GREP = "/bin/grep" +ZGREP = "/usr/bin/zgrep" +IPSET = "/usr/sbin/ipset" +SYSTEMCTL = "/usr/bin/systemctl" +HOST = "/usr/bin/host" +IP = "/sbin/ip" +CURL = "/usr/bin/curl" +WGET = 
"/usr/bin/wget" + +# Log file locations +# +# File globbing is allowed for the following logs. However, be aware that the +# more files lfd has to track, the greater the performance hit +# +# Note: File globs are only evaluated when lfd is started +# +HTACCESS_LOG = "/var/log/nginx/error.log" +MODSEC_LOG = "" +SSHD_LOG = "/var/log/secure" +SU_LOG = "/var/log/secure" +SUDO_LOG = "/var/log/secure" +FTPD_LOG = "/var/log/messages" +SMTPAUTH_LOG = "/var/log/maillog" +POP3D_LOG = "/var/log/maillog" +IMAPD_LOG = "/var/log/maillog" +IPTABLES_LOG = "/var/log/messages" +SUHOSIN_LOG = "/var/log/messages" +BIND_LOG = "/var/log/named.log" +SYSLOG_LOG = "/var/log/messages" +WEBMIN_LOG = "/var/log/auth.log" + +CUSTOM1_LOG = "/var/log/maillog" +CUSTOM2_LOG = "/var/log/secure" +CUSTOM3_LOG = "/var/log/messages" +CUSTOM4_LOG = "/var/log/messages" +CUSTOM5_LOG = "/var/log/messages" +CUSTOM6_LOG = "/var/log/messages" +CUSTOM7_LOG = "/var/log/messages" +CUSTOM8_LOG = "/var/log/messages" +CUSTOM9_LOG = "/var/log/messages" + +# The following are comma separated lists used if LF_SELECT is enabled, +# otherwise they are not used. They are derived from the application returned +# from a regex match in /usr/local/csf/bin/regex.pm +# +# All ports default to tcp blocks. To specify udp or tcp use the format: +# port;protocol,port;protocol,... For example, "53;udp,53;tcp" +PORTS_pop3d = "110,995" +PORTS_imapd = "143,993" +PORTS_htpasswd = "80,443" +PORTS_mod_security = "80,443" +PORTS_mod_qos = "80,443" +PORTS_symlink = "80,443" +PORTS_suhosin = "80,443" +PORTS_cxs = "80,443" +PORTS_bind = "53" +PORTS_ftpd = "20,21" +PORTS_webmin = "10000" +PORTS_smtpauth = "25,26,465,587" +PORTS_eximsyntax = "25,26,465,587" +# This list is replaced, if present, by "Port" definitions in +# /etc/ssh/sshd_config +PORTS_sshd = "22,1907" + +# This configuration is for use with generic Linux servers, do not change the +# following setting: +GENERIC = "1" + +# For internal use only. 
You should not enable this option as it could cause +# instability in csf and lfd +DEBUG = "0" +############################################################################### diff --git a/csf/csf.deny b/csf/csf.deny new file mode 100644 index 0000000..7041c35 --- /dev/null +++ b/csf/csf.deny 
@@ -0,0 +1,53 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following IP addresses will be blocked in iptables +# One IP address per line +# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24) +# Only list IP addresses, not domain names (they will be ignored) +# +# Note: If you add the text "do not delete" to the comments of an entry then +# DENY_IP_LIMIT will ignore those entries and not remove them +# +# Advanced port+ip filtering allowed with the following format +# tcp/udp|in/out|s/d=port,port,...|s/d=ip +# +# See readme.txt for more information regarding advanced port filtering +# +185.244.41.0/24 # lfd: (NETBLOCK) 185.244.41.0/24 (RU/Russia/-/-/-) has had more than 2 blocks in the last 86400 secs - Fri Dec 11 12:00:59 2020 +78.128.113.67 # lfd: (PERMBLOCK) 78.128.113.67 (BG/Bulgaria/-/-/ip-113-67.4vendeta.com) has had more than 2 temp blocks in the last 86400 secs - Fri Dec 18 02:27:48 2020 +212.70.149.54 # lfd: (PERMBLOCK) 212.70.149.54 (BG/Bulgaria/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Dec 19 14:14:00 2020 +178.176.174.0/24 # lfd: (NETBLOCK) 178.176.174.0/24 (RU/Russia/Tatarstan Republic/Kazan’/-) has had more than 2 blocks in the last 86400 secs - Thu Dec 24 05:43:47 2020 +77.40.3.116 # lfd: (PERMBLOCK) 77.40.3.116 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/116.3.dialup.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Thu Dec 24 15:37:37 2020 +193.56.28.214 # lfd: (PERMBLOCK) 193.56.28.214 (GB/United Kingdom/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Dec 28 19:32:33 2020 +78.128.113.66 # lfd: (PERMBLOCK) 78.128.113.66 (BG/Bulgaria/-/-/ip-113-66.4vendeta.com) has had more than 2 temp blocks in the last 86400 secs - Mon Jan 11 18:33:10 
2021 +216.118.251.2 # lfd: (PERMBLOCK) 216.118.251.2 (HK/Hong Kong/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Jan 15 18:55:23 2021 +212.70.149.85 # lfd: (PERMBLOCK) 212.70.149.85 (BG/Bulgaria/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Jan 18 23:35:05 2021 +87.246.7.0/24 # lfd: (NETBLOCK) 87.246.7.0/24 (BG/Bulgaria/-/-/-) has had more than 2 blocks in the last 86400 secs - Sun Jan 24 11:52:11 2021 +141.98.80.102 # lfd: (PERMBLOCK) 141.98.80.102 (PA/Panama/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Jan 24 19:36:50 2021 +186.216.69.0/24 # lfd: (NETBLOCK) 186.216.69.0/24 (BR/Brazil/Minas Gerais/Unai/-) has had more than 2 blocks in the last 86400 secs - Sun Jan 24 23:23:15 2021 +177.21.213.0/24 # lfd: (NETBLOCK) 177.21.213.0/24 (BR/Brazil/Rio Grande do Sul/Veranopolis/-) has had more than 2 blocks in the last 86400 secs - Mon Jan 25 13:29:27 2021 +177.87.68.0/24 # lfd: (NETBLOCK) 177.87.68.0/24 (BR/Brazil/Parana/Tres Barras do Parana/-) has had more than 2 blocks in the last 86400 secs - Mon Jan 25 20:14:03 2021 +91.243.45.40 # lfd: (PERMBLOCK) 91.243.45.40 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Jan 25 21:37:29 2021 +177.129.206.0/24 # lfd: (NETBLOCK) 177.129.206.0/24 (BR/Brazil/Minas Gerais/Itapagipe/-) has had more than 2 blocks in the last 86400 secs - Tue Jan 26 16:24:41 2021 +77.40.3.0/24 # lfd: (NETBLOCK) 77.40.3.0/24 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/-) has had more than 2 blocks in the last 86400 secs - Sat Jan 30 09:20:59 2021 +77.40.2.37 # lfd: (PERMBLOCK) 77.40.2.37 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/37.2.dialup.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Sun Jan 31 15:19:42 2021 +187.87.2.0/24 # lfd: (NETBLOCK) 187.87.2.0/24 (BR/Brazil/Rio Grande do Norte/Caico/-) has had more than 2 blocks in the last 86400 secs - Wed Feb 3 22:16:42 2021 +186.250.205.0/24 # lfd: (NETBLOCK) 186.250.205.0/24 (BR/Brazil/Sao 
Paulo/Guaratingueta/-) has had more than 2 blocks in the last 86400 secs - Thu Feb 4 02:23:00 2021 +45.167.8.0/24 # lfd: (NETBLOCK) 45.167.8.0/24 (BR/Brazil/-/-/-) has had more than 2 blocks in the last 86400 secs - Fri Feb 5 08:32:05 2021 +141.98.80.130 # lfd: (PERMBLOCK) 141.98.80.130 (PA/Panama/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Feb 7 08:09:42 2021 +77.40.13.142 # lfd: (PERMBLOCK) 77.40.13.142 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/142.13.pppoe.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Mon Feb 8 02:34:44 2021 +77.40.2.22 # lfd: (PERMBLOCK) 77.40.2.22 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/-) has had more than 2 temp blocks in the last 86400 secs - Mon Feb 8 20:13:38 2021 +77.40.40.20 # lfd: (PERMBLOCK) 77.40.40.20 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/20.40.pppoe.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Tue Feb 9 02:16:44 2021 +77.40.23.10 # lfd: (PERMBLOCK) 77.40.23.10 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/10.23.pppoe.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Wed Feb 10 12:01:31 2021 +77.247.110.130 # lfd: (PERMBLOCK) 77.247.110.130 (BZ/Belize/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Feb 14 01:02:38 2021 +77.247.110.132 # lfd: (PERMBLOCK) 77.247.110.132 (BZ/Belize/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Feb 15 03:26:39 2021 +77.40.80.168 # lfd: (PERMBLOCK) 77.40.80.168 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/-) has had more than 2 temp blocks in the last 86400 secs - Wed Feb 17 08:24:55 2021 +5.188.206.234 # lfd: (PERMBLOCK) 5.188.206.234 (US/United States/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Thu Feb 18 11:13:03 2021 +141.98.80.133 # lfd: (PERMBLOCK) 141.98.80.133 (PA/Panama/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Feb 20 09:26:44 2021 +2.57.122.32 # lfd: (PERMBLOCK) 2.57.122.32 (RO/Romania/-/-/-) has had more than 2 temp blocks 
in the last 86400 secs - Sun Feb 21 20:57:17 2021 +168.61.18.166 # lfd: (PERMBLOCK) 168.61.18.166 (US/United States/California/San Jose/-) has had more than 2 temp blocks in the last 86400 secs - Mon Feb 22 02:07:08 2021 +77.40.62.96 # lfd: (PERMBLOCK) 77.40.62.96 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/96.62.pppoe.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Wed Feb 24 13:05:28 2021 +77.40.2.171 # lfd: (PERMBLOCK) 77.40.2.171 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/171.2.dialup.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Thu Feb 25 15:43:13 2021 diff --git a/csf/csf.dirwatch b/csf/csf.dirwatch new file mode 100644 index 0000000..c6fd09d --- /dev/null +++ b/csf/csf.dirwatch @@ -0,0 +1,14 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following should be a list of directories and files that you want to be +# alerted when they change. You must specify full paths for each entry. +# +# lfd uses a simple md5sum match from the output of: +# ls --full-time -lARt [dir] +# on the entry and so will traverse directories if specified. +# +# An example where you might want to use this is /var/spool/cron +# \ No newline at end of file diff --git a/csf/csf.dyndns b/csf/csf.dyndns new file mode 100644 index 0000000..b97a3c3 --- /dev/null +++ b/csf/csf.dyndns 
@@ -0,0 +1,18 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following FQDN's will be allowed through the firewall. This is controlled +# by lfd which checks the DNS resolution of the FQDN and adds the ip address +# into the ALLOWDYNIN and ALLOWDYNOUT iptables chains. lfd will check for IP +# updates every DYNDNS seconds if set. +# +# If the FQDN has multiple A records then all of the IP addresses will be +# processed. If IPV6 is enabled and the perl module Socket6 from cpan.org is +# installed, then all IPv6 AAAA IP address records will also be allowed. +# +# Only list fully qualified domain names (FQDN's) in this file, either on their +# own to allow full access, or using Advanced Allow/Deny Filters (see +# readme.txt) +# diff --git a/csf/csf.fignore b/csf/csf.fignore new file mode 100644 index 0000000..3e73b3e --- /dev/null +++ b/csf/csf.fignore 
@@ -0,0 +1,27 @@
+###############################################################################
+# Copyright 2006-2017, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of files that lfd directory watching will ignore. You
+# must specify the full path to the file
+#
+# You can also use perl regular expression pattern matching, for example:
+# /tmp/clamav.*
+# /tmp/.*\.wrk
+#
+# Remember that you will need to escape special characters (precede them with a
+# backslash) such as \. \?
+#
+# Pattern matching will only occur with strings containing an asterix (*),
+# otherwise full file path matching will be applied
+#
+# You can also add entries to ignore files owner by a particular user by
+# preceding it with user:, for example:
+# user:bob
+#
+# Note: files owned by root are ignored
+
+/tmp/\.horde
+/tmp/\.horde/.*
+/tmp/logcheck.*
diff --git a/csf/csf.ignore b/csf/csf.ignore
new file mode 100644
index 0000000..21afa85
--- /dev/null
+++ b/csf/csf.ignore
@@ -0,0 +1,20 @@
+###############################################################################
+# Copyright 2006-2017, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following IP addresses will be ignored by all lfd checks
+# One IP address per line
+# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
+# Only list IP addresses, not domain names (they will be ignored)
+#
+
+127.0.0.1
+89.121.131.74
+86.104.210.218
+192.168.1.0/24
+
+# RDS
+188.26.137.124
+86.120.251.198
+86.126.25.34
diff --git a/csf/csf.logfiles b/csf/csf.logfiles
new file mode 100644
index 0000000..58bc48b
--- /dev/null
+++ b/csf/csf.logfiles
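Review bot: The active entries in csf.ignore exempt the whole `192.168.1.0/24` range and five public addresses from every lfd check, and only the last three carry any label (`# RDS`). A host in that range, or behind one of those addresses, can keep failing logins without ever being counted towards a block. I would narrow the /24 to the specific management hosts that need the exemption and put a purpose comment above each entry, in the form `# <what this host is>, <owner>, <date added>`, so that stale entries can be found and removed later.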
@@ -0,0 +1,27 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of log files for the LOGSCANNER feature + +# All: +/var/log/messages +/var/log/lfd.log +/var/log/cxswatch.log + +# RedHat: +/var/log/secure + +# Debian/Ubuntu: +/var/log/auth.log +/var/log/daemon.log + +# cPanel: +/usr/local/cpanel/logs/error_log +/var/log/exim_paniclog + +# DirectAdmin: +/var/log/directadmin/error.log +/var/log/directadmin/security.log +/var/log/exim/paniclog diff --git a/csf/csf.logignore b/csf/csf.logignore new file mode 100644 index 0000000..48b4d02 --- /dev/null +++ b/csf/csf.logignore 
@@ -0,0 +1,67 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of regular expressions for the LOGSCANNER feature. +# If a log line matches it will be ignored, otherwise it will be reported + + +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ kernel:\s(\[[^\]]+\]\s)?Firewall: + +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ suhosin\[\d+\]: ALERT - script tried to increase memory_limit + +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: client .* view internal +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: client .* view external +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: client .* view localhost_resolver +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: connection refused resolving +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: lame server resolving +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: network unreachable resolving +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: unexpected RCODE +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: zone .* loaded serial +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: zone .* sending notifies +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: FORMERR resolving +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: checkhints: view localhost_resolver: + +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: error \(unexpected RCODE REFUSED\) +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: error \(unexpected RCODE SERVFAIL\) +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: error \(host unreachable\) +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: error \(network unreachable\) +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: error \(connection refused \) resolving +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: error \(FORMERR\) resolving + +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ pure-ftpd: \([\w\?\@\+\%\.]+\@\d+\.\d+\.\d+\.\d+\) \[(INFO|NOTICE)\] 
+ +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ Cp-Wrap\[\d+\]: +^\[\S+\s\S+\s\S+\] info + +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ gconfd + +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Started Session +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Starting Session +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Failed to mark scope +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd-logind: New session +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd-logind: Removed session +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Created slice +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Removed slice user +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Starting user +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Stopping user +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Reloading +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Starting User Slice +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Stopping User Slice +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Removed slice User + +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ nscd: \d+\ monitor + +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ dbus-daemon: dbus\[\d+\]: \[system\] Activating via systemd +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ dbus-daemon: dbus\[\d+\]: \[system\] Successfully activated +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ dbus\[\d+\]: \[system\] Activating via systemd +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ dbus\[\d+\]: \[system\] Successfully activated +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Starting Time +^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd: Started Time + +==> cpsrvd \S+ started +==> cpsrvd: loading security policy....Done +==> cpsrvd: Setting up SSL support ... Done +==> cpsrvd: transferred port bindings +==> cpsrvd: bound to ports diff --git a/csf/csf.mignore b/csf/csf.mignore new file mode 100644 index 0000000..0cc26e8 --- /dev/null +++ b/csf/csf.mignore 
@@ -0,0 +1,9 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of usernames and local IP addresses that +# RT_LOCALRELAY_ALERT will ignore +# +# Add only one username per line diff --git a/csf/csf.pignore b/csf/csf.pignore new file mode 100644 index 0000000..b752ab1 --- /dev/null +++ b/csf/csf.pignore 
@@ -0,0 +1,169 @@
+###############################################################################
+# Copyright 2006-2015, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of executables (exe) command lines (cmd) and
+# usernames (user) that lfd process tracking will ignore.
+#
+# You must use the following format:
+#
+# exe:/full/path/to/file
+# user:username
+# cmd:command line
+#
+# Or, perl regular expression matching (regex):
+#
+# pexe:/full/path/to/file as a perl regex[*]
+# puser:username as a perl regex[*]
+# pcmd:command line as a perl regex[*]
+#
+# [*]You must remember to escape characters correctly when using regex's, e.g.:
+# pexe:/home/.*/public_html/cgi-bin/script\.cgi
+# puser:bob\d.*
+# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
+#
+# It is strongly recommended that you use command line ignores very carefully
+# as any process can change what is reported to the OS.
+#
+# For more information see readme.txt
+
+#users
+user:dovecot
+user:dovenull
+user:amavis
+user:mysql
+user:postfix
+user:opendkim
+user:nobody
+user:backuppc
+user:sonykss
+user:ntp
+user:filter
+user:munin
+user:samba
+user:apache
+user:named
+user:mailnull
+user:nginx
+user:nagios
+user:quagga
+user:clamsmtp
+user:memcached
+user:sslh
+user:grafana
+user:greensql
+user:icinga
+user:chrony
+user:nrpe
+user:onem
+user:redis
+user:postgrey
+user:prosody
+user:vampi
+user:otrs
+user:alex
+user:redis
+user:rspamd
+user:_rspamd
+user:netdata
+user:postgres
+user:sqlgrey
+user:polkitd
+
+#executables
+exe:/usr/lib/polkit-1/polkitd
+exe:/usr/pgsql-11/bin/postgres
+exe:/home/madalin/psybnc/psybnc
+exe:/usr/bin/rspamd
+exe:/usr/sbin/redis-server
+exe:/usr/sbin/chronyd
+exe:/usr/sbin/greensql-fw
+exe:/usr/sbin/sslh
+exe:/usr/bin/memcached
+exe:/usr/sbin/clamsmtpd
+exe:/usr/sbin/zebra
+exe:/usr/sbin/nagios
+exe:/usr/sbin/nginx
+exe:/usr/sbin/exim
+exe:/usr/sbin/named
+exe:/usr/sbin/httpd
+exe:/usr/sbin/munin-node
+exe:/usr/sbin/xinetd
+exe:/usr/bin/talk
+exe:/usr/sbin/in.ntalkd
+exe:/usr/sbin/in.talkd
+exe:/usr/sbin/pure-ftpd
+exe:/usr/sbin/httpd
+exe:/usr/sbin/sshd
+exe:/usr/sbin/named
+exe:/usr/sbin/exim
+exe:/usr/sbin/opendkim
+exe:/usr/sbin/amavisd
+exe:/usr/share/BackupPC/bin/BackupPC
+exe:/usr/share/BackupPC/bin/BackupPC_trashClean
+exe:/usr/share/BackupPC/bin/BackupPC_zipCreate
+exe:/usr/lib/courier-imap/bin/pop3d
+exe:/usr/lib/courier-imap/bin/imapd
+exe:/usr/sbin/pure-ftpd
+exe:/usr/local/apache/bin/httpd
+exe:/usr/sbin/sshd
+exe:/usr/sbin/proftpd
+exe:/usr/libexec/dovecot/imap
+exe:/usr/libexec/dovecot/pop3
+exe:/usr/sbin/named
+exe:/usr/sbin/ntpd
+exe:/usr/bin/dbus-daemon
+exe:/usr/sbin/ntpd
+exe:/usr/sbin/exim4
+exe:/sbin/ntpd
+exe:/usr/libexec/dovecot/pop3
+exe:/usr/libexec/dovecot/imap
+exe:/usr/local/libexec/dovecot/pop3
+exe:/usr/local/libexec/dovecot/pop3-login
+exe:/usr/local/libexec/dovecot/imap
+exe:/usr/local/libexec/dovecot/imap-login
+exe:/root/srelay-0.4.8b5/srelay
+exe:/usr/sbin/grafana-server
+exe:/usr/sbin/postgrey
+exe:/usr/bin/ncat
+exe:/usr/bin/perl
+exe:/usr/sbin/darkstat
+exe:/usr/sbin/vsftpd
+exe:/usr/bin/monitorix
+exe:/opt/gitlab/embedded/postgresql/10/bin/postgres
+exe:/usr/bin/newrelic-infra-service
+exe:/usr/bin/terraform
+
+# ipsec
+exe:/usr/sbin/xl2tpd
+exe:/usr/libexec/ipsec/pluto
+
+# madalin
+exe:/usr/bin/scr-bx
+exe:/usr/local/bin/muh
+exe:/usr/bin/miau
+exe:/usr/bin/BitchX-1.2.1
+
+# users
+user:dbus
+
+# vampi
+user:vampi
+user:opendmarc
+
+# wazuh
+user:ossec
+user:ossece
+user:ossecr
+user:ossecm
+user:wazuh
+exe:/var/ossec/bin/ossec-agentd
+exe:/var/ossec/bin/ossec-analysisd
+exe:/var/ossec/bin/ossec-monitord
+exe:/var/ossec/bin/ossec-remoted
+exe:/var/ossec/bin/ossec-syscheckd
+exe:/var/ossec/bin/ossec-logcollector
+exe:/var/ossec/bin/wazuh-modulesd
+exe:/var/ossec/bin/ossec-execd
+
diff --git a/csf/csf.pl b/csf/csf.pl
new file mode 120000
index 0000000..dfef4ed
--- /dev/null
+++ b/csf/csf.pl
@@ -0,0 +1 @@
+/usr/sbin/csf
\ No newline at end of file
diff --git a/csf/csf.rblconf b/csf/csf.rblconf
new file mode 100644
index 0000000..1056dec
--- /dev/null
+++ b/csf/csf.rblconf
@@ -0,0 +1,22 @@
+###############################################################################
+# Copyright 2006-2017, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# This file configures optional entries for the IP checking against RBLs within
+# csf
+#
+# There are 4 options available to enable/disable RBLs and IPs:
+#
+# To disable inbuilt RBLs or to enable other RBLs, e.g.:
+#
+# enablerbl:my.dnsrbl.net
+# disablerbl:bl.spamcop.net
+#
+# To disable local IPs or to enable other IPs, e.g.:
+#
+# enableip:11.22.33.44
+# disableip:10.10.10.10
+#
+# There should be no spaces on any of the configuration lines. Lines beginning
+# with # are comments
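Review bot: The `exe:` list in csf.pignore exempts general-purpose tools from lfd process tracking, namely `exe:/usr/bin/perl` and `exe:/usr/bin/ncat`, along with binaries in home or ad-hoc build directories such as `exe:/home/madalin/psybnc/psybnc` and `exe:/root/srelay-0.4.8b5/srelay`. Combined with `user:nobody`, `user:apache` and `user:nginx`, a long-running interpreter or listener started from a web-server account raises no alert, which is the situation process tracking is meant to surface. I would drop the interpreter and ncat entries and whitelist the specific scripts that need them instead, preferring `exe:` on a dedicated path over `cmd:` given the file's own warning that reported command lines can be changed by the process. The list also repeats entries (`exe:/usr/sbin/named`, `user:redis`, `user:vampi`), which makes it harder to audit.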
diff --git a/csf/csf.redirect b/csf/csf.redirect new file mode 100644 index 0000000..a77b991 --- /dev/null +++ b/csf/csf.redirect @@ -0,0 +1,34 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of port and/or IP address assignments to direct +# traffic to alternative ports/IP addresses +# +# Requirements: +# nat tables +# ipt_DNAT iptables module +# ipt_SNAT iptables module +# ipt_REDIRECT iptables module +# +# The following are the allowed redirection formats +# +# DNAT (redirect from one IP address to a different one): +# IPx|*|IPy|*|tcp/udp - To IPx redirects to IPy +# IPx|portA|IPy|portB|tcp/udp - To IPx to portA redirects to IPy portB +# +# DNAT examples: +# 192.168.254.62|*|10.0.0.1|*|tcp +# 192.168.254.62|666|10.0.0.1|25|tcp +# +# REDIRECT (redirect from port to a different one): +# IPx|portA|*|portB|tcp/udp - To IPx to portA redirects to portB +# *|portA|*|portB|tcp/udp - To portA redirects to portB +# +# REDIRECT examples: +# 192.168.254.60|666|*|25|tcp +# *|666|*|25|tcp +# +# See readme.txt for more information +# diff --git a/csf/csf.resellers b/csf/csf.resellers new file mode 100644 index 0000000..6375328 --- /dev/null +++ b/csf/csf.resellers 
@@ -0,0 +1,47 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of Reseller accounts that you want to allow access to +# limited csf functionality. +# +# WARNING: You should only ever provide access to this facility to people you +# trust as it could easily render your server inaccessible or open to attack. +# For security reasons, resellers cannot list blocked IP addresses or the whole +# iptables configuration. They must know what IP address they want to use with +# this facility. +# +# You should list each account, one per line, followed by a colon, then a 0 or +# 1 depending on whether you want an email alert sent using the email template +# reselleralter.txt whenever an ALLOW/DENY or UNBLOCK is performed, then a +# colon, then a comma separated list of the feature codes that you want each +# reseller to have access to. +# +# As of writing, the following is a list of the available feature codes. 
More +# may be added in the feature, in which case they will be listed in the main +# csf readme.txt: +# +# USE - The reseller can use this facility through WHM (required) +# UNBLOCK - The reseller can use the Quick Unblock feature +# GREP - The reseller can use the Search IP feature +# ALLOW - The reseller can use the Quick Allow feature +# DENY - The reseller can use the Quick Deny feature +# +# For example, to allow reseller "someuser" to unblock IP addresses and have an +# alert email sent to root, use: +# +#someuser:1:USE,UNBLOCK +# +# For example, to allow reseller "someuser" to allow, deny and unblock IP +# addresses, but no alert sent, use: +# +#someuser:0:USE,ALLOW,DENY,UNBLOCK +# +# RECOMMEND: For security reasons, we recommend only allowing resellers USE, +# UNBLOCK and GREP +# +# NOTE: As of version cPanel v11.8.1 you must additionally grant resellers +# access via "WHM > Edit Reseller Nameservers and Privileges > Third Party +# Services > ConfigServer Security & Firewall (Reseller UI)". +# \ No newline at end of file diff --git a/csf/csf.rignore b/csf/csf.rignore new file mode 100644 index 0000000..d8e9171 --- /dev/null +++ b/csf/csf.rignore 
@@ -0,0 +1,40 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of domains and partial domain that lfd process +# tracking will ignore based on reverse and forward DNS lookups. An example of +# its use is to prevent web crawlers from being blocked by lfd, e.g. +# .googlebot.com and .crawl.yahoo.net +# +# You must use either a Fully Qualified Domain Name (FQDN) or a unique ending +# subset of the domain name which must begin with a dot (wildcards are NOT +# otherwise permitted) +# +# For example, the following are all valid entries: +# www.configserver.com +# .configserver.com +# .configserver.co.uk +# .googlebot.com +# .crawl.yahoo.net +# .search.msn.com +# +# The following are NOT valid entries: +# *.configserver.com +# *google.com +# google.com (unless the lookup is EXACTLY google.com with no subdomain +# +# When a candidate IP address is inspected a reverse DNS lookup is performed on +# the IP address. A forward DNS lookup is then performed on the result from the +# reverse DNS lookup. The IP address will only be ignored if: +# +# 1. The results of the final lookup matches the original IP address +# AND +# 2a. The results of the rDNS lookup matches the FQDN +# OR +# 2b. The results of the rDNS lookup matches the partial subset of the domain +# +# Note: If the DNS lookups are too slow or do not return the expected results +# the IP address will be counted towards the blocking trigger as normal +# diff --git a/csf/csf.signore b/csf/csf.signore new file mode 100644 index 0000000..780051c --- /dev/null +++ b/csf/csf.signore 
@@ -0,0 +1,7 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of files that LF_SCRIPT_ALERT will ignore. You must +# specify the full path to the directory containing the script diff --git a/csf/csf.sips b/csf/csf.sips new file mode 100644 index 0000000..b8370b7 --- /dev/null +++ b/csf/csf.sips @@ -0,0 +1,9 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The purpose of this file is to list any server configured IP addresses for +# which you don't want to allow any incoming or outgoing traffic. This is +# useful if you have IP addresses setup but do not yet wish to allow traffic +# on them diff --git a/csf/csf.smtpauth b/csf/csf.smtpauth new file mode 100644 index 0000000..4914d4e --- /dev/null +++ b/csf/csf.smtpauth @@ -0,0 +1,12 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following IP addresses will allow EXIM to advertise SMTP AUTH +# One IP address per line. +# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24). +# Only list IP addresses, not domain names (they will be ignored) +# +# You need to enable SMTPAUTH_RESTRICT and modify the exim configuration to use +# this file. CC_ALLOW_SMTPAUTH can also be used to allow whole Country Codes 
diff --git a/csf/csf.suignore b/csf/csf.suignore new file mode 100644 index 0000000..9d32cff --- /dev/null +++ b/csf/csf.suignore @@ -0,0 +1,7 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of usernames that are ignored during the LF_EXPLOIT +# SUPERUSER check diff --git a/csf/csf.syslogs b/csf/csf.syslogs new file mode 100644 index 0000000..8400dfa --- /dev/null +++ b/csf/csf.syslogs 
@@ -0,0 +1,71 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of log files for the UI System Log Watch and Search +# features. IF they exists they will apear in the drop-down lists +# +# File globbing is supported for logs listed below + +# All: +/var/log/cron +/var/log/cxswatch.log +/var/log/lfd.log +/var/log/maillog +/var/log/messages +/var/log/rkhunter.log +/var/log/secure + +# Apache: +/usr/local/apache/logs/apache_log +/usr/local/apache/logs/error_log +/usr/local/apache/logs/suexec +/usr/local/apache/logs/suphp_log +/usr/local/apache/logs/modsec_audit.log +/var/log/httpd/access_log +/var/log/httpd/error_log +/var/log/httpd/suexec +/var/log/httpd/suphp_log +/var/log/httpd/modsec_audit.log + +# Nginx: +/var/log/nginx/error_log + +# Webmin: +/var/webmin/miniserv.error +/var/webmin/miniserv.log +/var/webmin/webmin.log + +# Exim: +/var/log/exim/mainlog +/var/log/exim/paniclog +/var/log/exim/rejectlog +/var/log/exim4/mainlog +/var/log/exim4/paniclog +/var/log/exim4/rejectlog +/var/log/exim_mainlog +/var/log/exim_paniclog +/var/log/exim_rejectlog + +# Debian/Ubuntu: +/var/log/auth.log +/var/log/daemon.log +/var/log/debug +/var/log/kern.log +/var/log/mysql.err +/var/log/mysql.log +/var/log/syslog +/var/log/user.log + +# cPanel: +/usr/local/cpanel/logs/access_log +/usr/local/cpanel/logs/error_log +/usr/local/cpanel/logs/stats_log +/var/log/chkservd.log + +# DirectAdmin: +/var/log/directadmin/error.log +/var/log/directadmin/errortaskq.log +/var/log/directadmin/security.log +/var/log/directadmin/system.log diff --git a/csf/csf.syslogusers b/csf/csf.syslogusers new file mode 100644 index 0000000..ab3dcb4 --- /dev/null +++ b/csf/csf.syslogusers 
@@ -0,0 +1,50 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# This file contains the usernames which should be allowed to log via +# syslog/rsyslog. All the users that exist on the server that are listed in +# this file will be added to the system group defined in /etc/csf/csf.conf for +# the option RESTRICT_SYSLOG_GROUP if RESTRICT_SYSLOG is set to "3" +# +# This WILL break user cron job logging in /var/log/cron for non-listed user +# accounts +# +# Remove any accounts that do not apply to your server +# +# Add any accounts that log through syslog that are not listed that you need +# +# You should only add user accounts and/or the default apache account if +# absolutely necessary, otherwise you are compromising the effectiveness of +# this feature + +# OS application users: +daemon +dbus +haldaemon +messagebus +mysql +named +nfsnobody +ntp +polkitd +root +rpc +rpcuser +smmsp +statd + +# cPanel application users: +cpanel +cpses +dovecot +dovenull +mailman +mailnull + +# DirectAdmin application users: +dovecot +mail + +# Other users: diff --git a/csf/csf.uidignore b/csf/csf.uidignore new file mode 100644 index 0000000..957ef69 --- /dev/null +++ b/csf/csf.uidignore @@ -0,0 +1,9 @@ +############################################################################### +# Copyright 2006-2017, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### +# The following is a list of user ID's (UID) that are ignored by the User ID +# Tracking feature - UID_INTERVAL +# +# For example, to ignore all root connections add 0 on a line by itself diff --git a/csf/csfpost.sh b/csf/csfpost.sh new file mode 100755 index 0000000..49002b0 
--- /dev/null
+++ b/csf/csfpost.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+echo "[DOCKER] Setting up FW rules."
+
+iptables -N DOCKER
+
+# Masquerade outbound connections from containers
+iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
+
+# Accept established connections to the docker containers
+iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Allow docker containers to communicate with themselves & outside world
+iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT
+
+echo "[DOCKER] Done."
+
+# restart fail2ban after CSF update (otherwise fail2ban rules won't work)
+systemctl restart fail2ban >/dev/null 2>&1
diff --git a/csf/csfpre.sh b/csf/csfpre.sh
new file mode 100755
index 0000000..9e7f57a
--- /dev/null
+++ b/csf/csfpre.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+#iptables -A INPUT -i lo -j ACCEPT
+#iptables -A OUTPUT -o lo -j ACCEPT
+#iptables -A INPUT -s 127.0.0.0/8 -j DROP
diff --git a/csf/csftest.pl b/csf/csftest.pl
new file mode 120000
index 0000000..a7770d9
--- /dev/null
+++ b/csf/csftest.pl
@@ -0,0 +1 @@
+/usr/local/csf/bin/csftest.pl
\ No newline at end of file
diff --git a/csf/csfwebmin.tgz b/csf/csfwebmin.tgz
new file mode 120000
index 0000000..6820ed9
--- /dev/null
+++ b/csf/csfwebmin.tgz
@@ -0,0 +1 @@
+/usr/local/csf/csfwebmin.tgz
\ No newline at end of file
diff --git a/csf/disabled/csfpost.sh b/csf/disabled/csfpost.sh
new file mode 100644
index 0000000..4cf4ce3
--- /dev/null
+++ b/csf/disabled/csfpost.sh
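Review bot: The last line of csf/csfpost.sh, `systemctl restart fail2ban >/dev/null 2>&1`, discards both the output and the exit status, so a failed restart leaves the host without fail2ban's rules after a csf reload and nothing records it. I would keep the failure visible, e.g. `systemctl restart fail2ban >/dev/null 2>&1 || echo "[FAIL2BAN] restart failed" >&2`. The iptables calls above it are unchecked in the same way, so `echo "[DOCKER] Done."` prints even when a rule was rejected. The masquerade source `172.17.0.0/16` is hard-coded and presumably mirrors docker0's subnet; a comment saying where that value comes from would help whoever changes the bridge configuration.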
@@ -0,0 +1,32 @@
+# enable kernel ppp modules
+service pptpd stop
+modprobe ppp_generic
+modprobe ppp_deflate
+modprobe ppp_async
+modprobe ppp_mppe
+modprobe ppp_synctty
+service pptpd start
+
+# iptables rules for redirect to external ip from localnet when request sent to external ip
+/sbin/iptables -t nat -A PREROUTING -p tcp -d 89.121.131.74 --dport 80 -j DNAT --to 192.168.1.2:80
+/sbin/iptables -t nat -A PREROUTING -p tcp -d 89.121.131.74 --dport 443 -j DNAT --to 192.168.1.2:443
+
+# NAT reflection
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.1.2
+
+# drop SMTP connections based on connection rate
+#iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
+#iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set
+
+# ipset
+#ipset flush
+#ipset -X smtpdrop
+#ipset -N smtpdrop hash:net
+#for i in `cat /etc/csf/ipuri-blocate.txt `; do ipset -A smtpdrop $i; done
+#iptables -A INPUT -p all -m set --match-set smtpdrop src -j DROP
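Review bot: The two DNAT rules for ports 80 and 443 in csf/disabled/csfpost.sh match on destination only, although their comment describes requests coming from the local network and the NAT-reflection rules right below them carry `-i eth0 -s 192.168.1.0/24`. As written they rewrite traffic from any source and interface to 192.168.1.2. If a public port forward is intended, the comment should say so; otherwise give them the same match, e.g. `/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80`. The file also lacks a `#!` line, unlike the active csf/csfpost.sh, and it loads `ppp_mppe` for pptpd; PPTP with MPPE is generally regarded as weak, so a comment on why it is still required would be worth adding before this script is re-enabled.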
diff --git a/csf/disabled/csfpre.sh b/csf/disabled/csfpre.sh
new file mode 100644
index 0000000..edea5cb
--- /dev/null
+++ b/csf/disabled/csfpre.sh
@@ -0,0 +1,25 @@
+# accept pptp traffic
+iptables -A INPUT -i eth0 -p gre -j ACCEPT
+iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+iptables -A INPUT -i eth0 -p 51 -j ACCEPT
+iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+iptables -A INPUT -p udp --dport 1701 -j DROP
+
+#iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
+iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
+iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
+iptables -I FORWARD 5 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 6 -s 192.168.43.0/24 -o eth+ -j ACCEPT
+
+# Uncomment to DROP traffic between VPN clients themselves
+# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
+# iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
+iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source 192.168.1.2
+iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source 192.168.1.2
+
+###
+iptables -A OUTPUT -p gre -j ACCEPT
+iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
+iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
diff --git a/csf/downloadservers b/csf/downloadservers
new file mode 100644
index 0000000..ef8376d
--- /dev/null
+++ b/csf/downloadservers
@@ -0,0 +1,2 @@
+download.configserver.com
+download2.configserver.com
diff --git a/csf/install.txt b/csf/install.txt
new file mode 100644
index 0000000..adb0e12
--- /dev/null
+++ b/csf/install.txt
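Review bot: The appended rule `iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT` under the `###` marker in csf/disabled/csfpre.sh accepts every packet forwarded from eth0 to a VPN client, so the state-restricted rule inserted earlier (`-I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`) no longer limits anything unless a rule between them drops the packet. Likewise `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` masquerades all traffic leaving eth0, not only the 192.168.42.0/24 and 192.168.43.0/24 ranges that the SNAT rules already cover. I would remove that trailing block or restrict it, e.g. `iptables -A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. Separately, with the `-I FORWARD 1` line commented out, `-I FORWARD 2` will be rejected if the chain is empty when the script runs, so the insert positions should be renumbered from 1.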
@@ -0,0 +1,93 @@ +############################################################################### +# Copyright 2006-2018, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### + + +Installation +============ +Installation is quite straightforward: + +cd /usr/src +rm -fv csf.tgz +wget https://download.configserver.com/csf.tgz +tar -xzf csf.tgz +cd csf +sh install.sh + +Next, test whether you have the required iptables modules: + +perl /usr/local/csf/bin/csftest.pl + +Don't worry if you cannot run all the features, so long as the script doesn't +report any FATAL errors + +You should not run any other iptables firewall configuration script. For +example, if you previously used APF+BFD you can remove the combination (which +you will need to do if you have them installed otherwise they will conflict): + +sh /usr/local/csf/bin/remove_apf_bfd.sh + +That's it. You can then configure csf and lfd by reading the documentation and +configuration files in /etc/csf/csf.conf and /etc/csf/readme.txt directly or +through the csf User Interface. + +csf installation for cPanel and DirectAdmin is preconfigured to work on those +servers with all the standard ports open. + +csf auto-configures your SSH port on installation where it's running on a non- +standard port. + +csf auto-whitelists your connected IP address where possible on installation. + +You should ensure that kernel logging daemon (klogd) is enabled. Typically, VPS +servers running RedHat/CentOS v5 have this disabled and you should check +/etc/init.d/syslog and make sure that any klogd lines are not commented out. If +you change the file, remember to restart syslog. + +See the csf.conf and readme.txt files for more information. 
+ +Perl Modules +============ + +While most should be installed on a standard perl installation the following +may need to be installed manually: + +# On rpm based systems: +yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph + +# On APT based systems: +apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl + +# Via cpan: +perl -MCPAN -eshell +cpan> install LWP LWP::Protocol::https GD::Graph + + + +InterWorx +========= + +1. Enable csf in InterWorx > NodeWorx > Plugins > csf + +2. See the InterWorx section in /etc/csf/readme.txt + + +Webmin Module Installation/Upgrade +================================== + +To install or upgrade the csf webmin module: + +Install csf as above +Install the csf webmin module in: + Webmin > Webmin Configuration > Webmin Modules > + From local file > /usr/local/csf/csfwebmin.tgz > Install Module + + +Uninstallation +============== +Removing csf and lfd is even more simple: + +cd /etc/csf +sh uninstall.sh diff --git a/csf/lfd.pl b/csf/lfd.pl new file mode 120000 index 0000000..710881d --- /dev/null +++ b/csf/lfd.pl @@ -0,0 +1 @@ +/usr/sbin/lfd \ No newline at end of file diff --git a/csf/license.txt b/csf/license.txt new file mode 100644 index 0000000..e1f22c2 --- /dev/null +++ b/csf/license.txt 
@@ -0,0 +1,234 @@ +Way to the Web Product License + +LICENCE TERMS AND CONDITIONS + +1. LICENCE + + 1.1 Way to the Web Limited of 73, Donaldson Way, Woodley, + Reading, Berkshire, RG5 4XL ("Way to the Web") hereby grants + you a non-exclusive, non-transferable licence to download and + use (the "Product") and the accompanying documentation (the + "Documentation") on the following terms. + + 1.2 The copyright and all other rights in the Product and the + Documentation remain with Way to the Web. + +2. ACCEPTANCE + + You are deemed to have accepted the terms and conditions of this + Licence by downloading the Product. + +3. SCOPE OF LICENCE + + 3.1 You shall not: + + 3.1.1 modify, adapt, merge, translate, decompile, + disassemble, or reverse engineer the Product, except as + permitted by law; or + + 3.1.2 sell, assign, rent, sub-license, loan, mortgage, + charge or otherwise deal in any way in the Product or + Documentation or any interest in them except as expressly + provided in this Licence. + +4. DURATION OF LICENCE + + 4.1 This Licence shall commence on the date hereof and, subject + to other terms of this Licence, shall continue thereafter for as + long as you continue to use the Product. + + 4.2 This Licence shall terminate automatically if you fail to + abide by any of its terms. + + 4.3 Upon termination of this Licence you shall destroy the + Product and the Documentation and shall erase all copies of the + Product under your control and stored on any medium. + +5. WARRANTIES AND REMEDIES + + 5.1 Way to the Web warrants that for a period of 90 days from the + date that the Product is downloaded, it will provide the facilities + and functions set out in the Documentation when properly used and + further, that the Documentation will provide adequate instruction to + enable you to make proper use of such facilities and functions. 
+ + 5.2 The said warranty shall be subject to you complying with + your obligations hereunder and to there having been made no + alterations to the Product by any person other than Way to the Web. + When notifying a defect or error you shall (so far as you are able) + provide Way to the Web with a documented example of such defect or + error. + + 5. 3 Way to the Web shall have no liability or obligations under + the said warranty other than to remedy breaches thereof by the + provision of materials and services within a reasonable time and + without charge to you. If Way to the Web shall fail to comply with + such obligations its liability for such failure shall be limited as + specified in Clause 6. The foregoing states the entire liability of + Way to the Web, whether in contract or tort, for defects and errors + in the Products and the Documentation. + + 5.4 You acknowledge that the Products have not been prepared to + meet your individual requirements and that it is therefore your + responsibility to ensure that the facilities and functions described + in the Documentation meet your requirements. Way to the Web shall not + be liable for any failure of the Products to provide any facility or + function not specified in the Documentation + + 5.5 Way to the Web does not warrant that the operation of the + Products will be uninterrupted or error free or that all errors will + be remedied. + + 5.6 Except as expressly provided in this Licence, no warranty, + condition, undertaking or term, express or implied, statutory or + otherwise, as to the condition, quality, performance or fitness for + purpose of the Products or the Documentation is given or assumed by + Way to the Web and all such warranties, conditions, undertakings and + terms are hereby excluded to the fullest extent permitted by law. + +6. 
LIABILITY + + 6.1 Way to the Web will indemnify you and keep you fully and + effectively indemnified against any loss of or damage to any property + or injury to or death of any person caused by any negligent act or + omission or wilful misconduct of Way to the Web, its employees, + agents or sub-contractors or by any breach of its contractual + obligations arising out of this Licence. + + 6.2 Except in respect of injury to or death of any person caused + by negligence (for which no limit applies) Way to the Web's + liability to you under sub-clause 6.1 above in respect of each event + or series of connected events shall not exceed one and a half times + the price you paid to licence the Product. + + 6.3 Notwithstanding anything else contained in this Licence, Way + to the Web shall not be liable to you for loss of profits or + contracts or indirect or consequential loss or damage whether arising + from negligence, breach of contract or howsoever caused + + 6.4 Way to the Web shall not be liable to you for any loss + arising out of your failure to keep full and up-to-date security + copies of the computer programs and data you use. + +7. CONFIDENTIAL INFORMATION + + 7.1 You undertake to treat as confidential and keep secret all + information contained or embodied in the Products and the + Documentation which, by its nature has the necessary quality of + confidence about it ("Confidential Information"), provided that this + clause shall not extend to any information which is already public + knowledge or becomes so at a future date (otherwise than as a result + of a breach of this clause). 
+ + 7.2 You shall not without the prior written consent of Way to the + Web divulge any part of the Confidential Information to any person + except to: + + 7.2.1 your own employees and then only to those employees + who need to know the same; + + 7.2.2 your auditors and any other persons or bodies having + a right duty or obligation to know your business and then + only in pursuance of such right duty or obligation; + + 7.2.3 any person who is from time to time appointed by you + to maintain your network, website or the equipment upon + which the Product is being used (in accordance with the terms + of the Licence) and then only to the extent necessary to + enable such person properly to maintain such network, website + or equipment. + + 7.3 You undertake to ensure that the persons and bodies mentioned + in paragraphs 7.2.1, 7.2.2 and 7.2.3 are made aware prior to the + disclosure of any part of the Confidential Information that the same + is confidential and that they owe a duty of confidence to Way to the + Web. You shall indemnify Way to the Web against any loss or damage + which Way to the Web may sustain or incur as a result of your + failing to comply with such undertaking + + 7.4 You shall promptly notify Way to the Web if you become aware + of any breach of confidence by any person to whom you divulge all or + any part of the Confidential Information and shall give Way to the + Web all reasonable assistance in connection with any proceedings + which Way to the Web may institute against such person for breach of + confidence. + + 7.5 The foregoing obligations as to confidentiality shall remain + in full force and effect notwithstanding any termination of this + Licence. + +8. 
INDEMNITIES + + 8.1 Way to the Web shall indemnify you against any claim that the + normal use or possession of the Products and/or Documentation + infringes the intellectual property rights of any third party + provided that Way to the Web is given immediate and complete control + of such claim, that you do not prejudice Way to the Web's defence + of such claim, that you give Way to the Web all reasonable + assistance with such claim and that the claim does not arise as a + result of the use of the Products and/or Documentation in combination + with any equipment or programs not supplied or approved by Way to + the Web. Way to the Web shall have the right to replace or change all + or any part of the Products and/or Documentation in order to avoid + any infringement. The foregoing states the entire liability of Way to + the Web to you in respect of the infringement of the intellectual + property rights of any third party + + 8.2 Except to the extent caused by Way to the Web's breach of + its obligations hereunder, or its negligent or wilful misconduct in + connection with this Licence, and without limiting Way to the Web's + obligations in sub-clause 8.1 above, you shall indemnify and hold + Way to the Web harmless from any and all liability, loss and damage + Way to the Web may suffer as a result of claims demands or judgments + by any third party arising out of your use or operation of the + Products, the Documentation and related output. You shall, at your + expense, defend any such action, suit or claim against Way to the + Web. + +9. SUPPORT + + Way to the Web's technical support staff will, between the hours of + 9.00 and 17.30 UK time Monday to Friday inclusive (except on bank and + public holidays), endeavour to answer on-line or by email any queries + you may have about the Product. For support please either use the + on-line support desk or the on-line support forum given on our + Website or in the Documentation. 
Any Product updates that may be + made available by Way to the Web from time to time will be supplied + at Way to the Web's then prevailing charges and subject to Way to the + Web's then prevailing terms and conditions. Way to the Web does not + guarantee backward compatibility with previous versions of the + Product as it retains the right to add, remove or modify any feature + or function in previous versions, at its sole discretion. + +10. OTHER SERVICES + + Way to the Web may also provide you with, at its option and subject + to its then prevailing charges and terms and conditions, other + services in relation to the Product, such as installation and + consultancy services. Please contact Way to the Web at the number + given on our Website or in the Documentation for more information + about such services. + +11. CONSUMERS + + If you deal as a consumer as defined in the Unfair Contract Terms Act + 1977, your statutory rights remain unaffected. + +12. PERSONAL INFORMATION CONTROL + + You agree to comply with all applicable laws, regulations, rulings and + orders of the EU, US and other countries (including but not limited to + the EU's GDPR) in which you have operations relating to the protection, + use, and distribution of personal information of your users or + visitors on any devices which have the Program installed or stored. + Further, you shall indemnify Way to the Web for any and all claims + resulting from your violation of any such laws, regulations, rulings, + or orders. + +13. LAW + + This Licence constitutes the entire agreement between you and Way to + the Web relating to the Product and the Documentation and is governed + by and construed in accordance with the laws of England. The courts + of England shall have exclusive jurisdiction. + diff --git a/csf/messenger/en.php b/csf/messenger/en.php new file mode 100644 index 0000000..b6ed244 --- /dev/null +++ b/csf/messenger/en.php 
@@ -0,0 +1,15 @@ + "The firewall on this server is blocking your connection.", + "contact" => "You need to contact the server owner or hosting provider for further information.", + "blocked ip" => "Your blocked IP address is:", + "hostname" => "The hostname of this server is:", + "recaptcha title" => "You can try to unblock yourself using ReCAPTCHA:", + "recaptcha note" => "Please note: Not all unblock requests will be successful as it is dependent on how your IP address is being blocked. If the unblock fails you will need to contact the server owner or hosting provider for further information.", + "recaptcha success" => "Passed human test. Please wait a few seconds and your IP address should be unblocked and you can return to the website:", + "recaptcha failure" => "Failed to pass ReCAPTCHA test. Please try again.", + "recaptcha hostfail" => "There has been a problem verifying the hostname:", + "recaptcha error" => "There has been a problem. Please click on the reCAPTCHA box.", + "unblock submit" => "Unblock", + ); +?> diff --git a/csf/messenger/index.html b/csf/messenger/index.html new file mode 100644 index 0000000..22809c6 --- /dev/null +++ b/csf/messenger/index.html @@ -0,0 +1,194 @@ + + + + Unauthorized Access + + + + +

    The firewall on this server is blocking your connection.

    +

    You need to contact the server owner or hosting provider for further information.

    +

    Your blocked IP address is: [IPADDRESS]

    +

    This server's hostname is: [HOSTNAME]

    + + diff --git a/csf/messenger/index.php b/csf/messenger/index.php new file mode 100644 index 0000000..4b2c1ba --- /dev/null +++ b/csf/messenger/index.php @@ -0,0 +1,212 @@ + + + + Unauthorized Access + + + + + + + + + +
    + +

    +

    +

    +

    +
    + + diff --git a/csf/messenger/index.recaptcha.html b/csf/messenger/index.recaptcha.html new file mode 100644 index 0000000..ac3bfb3 --- /dev/null +++ b/csf/messenger/index.recaptcha.html @@ -0,0 +1,228 @@ + + + + Unauthorized Access + + + + + +

    The firewall on this server is blocking your connection.

    +

    You need to contact the server owner or hosting provider for further information.

    +

    Your blocked IP address is: [IPADDRESS]

    +

    This server's hostname is: [HOSTNAME]

    + +
    +

    If you are a human you can unblock yourself using ReCAPTCHA:

    +

    Please note: Not all unblock requests will be successful as it is dependent on how your IP address is being blocked. If the unblock fails you will need to contact the server owner or hosting provider for further information.

    + + +
    + + +
    + +
    +

    + + [RECAPTCHA_SUCCESS="Passed human test. Please wait a few seconds and your IP address should be unblocked."] + [RECAPTCHA_FAILURE="Failed to pass human test. Please try again."] + [RECAPTCHA_ERROR="There has been a problem:"] +

    + + + + diff --git a/csf/messenger/index.recaptcha.php b/csf/messenger/index.recaptcha.php new file mode 100644 index 0000000..63a7ece --- /dev/null +++ b/csf/messenger/index.recaptcha.php @@ -0,0 +1,273 @@ + + + + Unauthorized Access + + + + + + + + + +
    + +

    +

    +

    +

    + +
    +

    + +
    +
    +
    +
    +
    +
    +
    + +
    +
    +
    +
    + +
    + $secret,'response' => $_POST['g-recaptcha-response']); + $verify = curl_init(); + curl_setopt($verify, CURLOPT_URL, "https://www.google.com/recaptcha/api/siteverify"); + curl_setopt($verify, CURLOPT_POST, true); + curl_setopt($verify, CURLOPT_POSTFIELDS, http_build_query($data)); + curl_setopt($verify, CURLOPT_SSL_VERIFYPEER, false); + curl_setopt($verify, CURLOPT_RETURNTRANSFER, true); + $verifyResponse = curl_exec($verify); + $responseData = json_decode($verifyResponse); + if($responseData->success) { + if ($responseData->hostname == $_SERVER['SERVER_NAME']) { + $alert = 'success'; + $message = $lang["recaptcha success"] . "
    " . $_SERVER['REQUEST_URI'] . ""; + file_put_contents($unblockfile, $_SERVER['REMOTE_ADDR'].";".$_SERVER['SERVER_NAME'].";".$_SERVER['SERVER_ADDR']."\n", FILE_APPEND | LOCK_EX); + file_put_contents($logfile,$date . "*Success*, ReCaptcha (" . $_SERVER['REMOTE_ADDR'].": [".$_SERVER['SERVER_NAME']." (".$_SERVER['SERVER_ADDR'].")] requested unblock\n", FILE_APPEND | LOCK_EX); + } else { + $alert = "danger"; + $message = $lang["recaptcha hostfail"] . ' ['.$responseData->hostname.' != '.$_SERVER['SERVER_NAME'].']'; + file_put_contents($logfile,$date . "*Failed*, ReCaptcha (" . $_SERVER['REMOTE_ADDR'].": [".$_SERVER['SERVER_NAME']." (".$_SERVER['SERVER_ADDR'].")] does not appear to be hosted on this server\n", FILE_APPEND | LOCK_EX); + } + } else { + $alert = "danger"; + $message = $lang["recaptcha failure"]; + file_put_contents($logfile,$date . "*Error*, ReCaptcha (" . $_SERVER['REMOTE_ADDR'].": $responseData\n", FILE_APPEND | LOCK_EX); + } + } else { + $alert = "danger"; + $message = $lang["recaptcha error"]; + } + echo '

    ' . $message . '

    '; + } + ?> + +
    +
    + + diff --git a/csf/messenger/index.text b/csf/messenger/index.text new file mode 100644 index 0000000..5fa42b9 --- /dev/null +++ b/csf/messenger/index.text @@ -0,0 +1,4 @@ +The firewall on this server is blocking your connection. +You need to contact the server owner or hosting provider for further information. +Your blocked IP address is: [IPADDRESS] +This server's hostname is: [HOSTNAME] diff --git a/csf/pt_deleted_action.pl b/csf/pt_deleted_action.pl new file mode 120000 index 0000000..892287d --- /dev/null +++ b/csf/pt_deleted_action.pl @@ -0,0 +1 @@ +/usr/local/csf/bin/pt_deleted_action.pl \ No newline at end of file diff --git a/csf/readme.txt b/csf/readme.txt new file mode 100644 index 0000000..68f1096 --- /dev/null +++ b/csf/readme.txt 
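Review bot: In csf/messenger/index.recaptcha.php the siteverify request sets `CURLOPT_SSL_VERIFYPEER` to `false`, so the reCAPTCHA verdict that leads to `REMOTE_ADDR` being appended to the unblock file is read over a connection whose certificate is never validated; the line should be `curl_setopt($verify, CURLOPT_SSL_VERIFYPEER, true);` or simply removed, since verification is curl's default. The same block concatenates `$_SERVER['REQUEST_URI']` and `$responseData->hostname` into `$message`, which is then echoed; the surrounding markup is stripped on this page so the exact context is not visible, but both values look like they need `htmlspecialchars(..., ENT_QUOTES)` before output. The `*Error*` log line interpolates the decoded `$responseData` object into a string, which PHP cannot convert for a plain object; `$verifyResponse` is probably what was meant. There is also no check that `curl_exec` returned a response or that `json_decode` produced an object before `->success` is read.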
@@ -0,0 +1,1734 @@ +############################################################################### +# Copyright 2006-2018, Way to the Web Limited +# URL: http://www.configserver.com +# Email: sales@waytotheweb.com +############################################################################### + + +ConfigServer Security & Firewall +################################ + +This suite of scripts provides: + + 1. A straight-forward SPI iptables firewall script + 2. A daemon process that checks for Login Authentication + 3. A Control Panel configuration interface + 4. ... and much more! + +The reason we have developed this suite is that we have found over the years of +providing server management services that many of the tools available for the +task are either over-complex, not very friendly, or simply aren't as effective +as they could or should be. + + +This document contains: + +1. Introduction + +2. csf Principles + +3. lfd Principles + +4. csf Command Line Options + +5. lfd Command Line Options + +6. Login Tracking + +7. Script Email Alerts + +8. Process Tracking + +9. Directory Watching + +10. Advanced Allow/Deny Filters + +11. Multiple Ethernet Devices + +12. Installation on a Generic Linux Server + +13. A note about FTP Connection Issues + +14. Messenger Service (v1, v2 and v3) + +15. Block Reporting + +16. Port Flood Protection + +17. External Pre- and Post- Scripts + +18. lfd Clustering + +19. Port Knocking + +20. Connection Limit Protection + +21. Port/IP address Redirection + +22. Integrated User Interface Feature + +23. IP Block Lists + +24. Mitigating issues with syslog/rsyslog logs (RESTRICT_SYSLOG) + +25. Exim SMTP AUTH Restriction + +26. UI Skinning and Mobile View + +27. CloudFlare + +28. InterWorx + +29. CentOS Web Panel (CWP) + + +1. 
Introduction +############### + + +ConfigServer Firewall (csf) +=========================== + +We have developed an SPI iptables firewall that is straight-forward, easy and +flexible to configure and secure with extra checks to ensure smooth operation. + +csf can be used on any (supported - see the website) generic Linux OS. + +The csf installation includes preconfigured configurations and control panel +UI's for cPanel, DirectAdmin and Webmin + +Directory structure: + +/etc/csf/ - configuration files +/var/lib/csf/ - temporary data files +/usr/local/csf/bin/ - scripts +/usr/local/csf/lib/ - perl modules and static data +/usr/local/csf/tpl/ - email alert templates + + +Login Failure Daemon (lfd) +========================== + +To complement the ConfigServer Firewall, we have developed a daemon process +that runs all the time and periodically (every X seconds) scans the latest log +file entries for login attempts against your server that continually fail +within a short period of time. Such attempts are often called "Brute-force +attacks" and the daemon process responds very quickly to such patterns and +blocks offending IP's quickly. Other similar products run every x minutes via +cron and as such often miss break-in attempts until after they've finished, our +daemon eliminates such long waits and makes it much more effective at +performing its task. + +There are an array of extensive checks that lfd can perform to help alert the +server administrator of changes to the server, potential problems and possible +compromises. + +On cPanel servers, lfd is integrated into the WHM > Service Manager, which will +restart lfd if it fails for any reason. + +Control Panel Interface +======================= + +To help with the ease and flexibility of the suite we have developed a +front-end to both csf and lfd for cPanel, DirectAdmin and Webmin. From there +you can modify the configuration files and stop, start and restart the +applications and check their status. 
This makes configuring and managing the +firewall very simple indeed. + +There is, of course, a comprehensive Command Line Interface (CLI) for csf. + + +2. csf Principles +################# + +The idea with csf, as with most iptables firewall configurations, is to block +everything and then allow through only those connections that you want. This is +done in iptables by DROPPING all connections in and out of the server on all +protocols. Then allow traffic in and out from existing connections. Then open +ports up in and outgoing for both TCP and UDP individually. + +This way we can control exactly what traffic is allowed in and out of the +server and helps protect the server from malicious attack. + +In particular it prevents unauthorised access to network daemons that we want +to restrict access by IP address, and also should a service suffer a +compromise, it can help prevent access to compromise networks daemons, a +typical example being a hackers sshd daemon running on a random open port. +Perhaps the greatest of reasons is to help mitigate the effects of suffering a +root compromise where often they only way to take advantage of such a failure +is to open a daemon for the hacker to access the server on. While this won't +prevent root compromises, it can help slow them down enough for you to notice +and react. + +Another way that a port filtering firewall can help is when a user level +compromise occurs and a hacker installs DOS tools to effect other servers. A +firewall configured to block outgoing connections except on specific ports can +help prevent DOS attacks from working and make it immediately apparent to you +from the system logs. + +csf has been designed to keep this configuration simple, but still flexible +enough to give you options to suit your server environment. Often firewall +scripts can become cumbersome of complex making it impossible to identify where +problems lie and to easily fix them. 
+ +To take advantage of kernel logging of iptables dropped connections you should +ensure that kernel logging daemon (klogd) is enabled. Typically, VPS servers +have this disabled and you should check /etc/init.d/syslog and make sure that +any klogd lines are not commented out. If you change the file, remember to +restart syslog. + + +3. lfd Principles +################# + +One of the best ways to protect the server from inbound attack against network +daemons is to monitor their authentication logs. Invalid login attempts which +happen in a short space of time from the same source can often mean someone is +attempting to brute-force their way into the server, usually by guessing +usernames and passwords and therefore generating authentication and login +failures. + +lfd can monitor the most commonly abused protocols, SSHD, POP3, IMAP, FTP and +HTTP password protection. Unlike other applications, lfd is a daemon process +that monitors logs continuously and so can react within seconds of detecting +such attempts. It also monitors across protocols, so if attempts are made on +different protocols in a short space of time, all those attempts will be +counted against the threshold. + +Once the number of failed login attempts is reached, lfd immediately forks a +sub-process and uses csf to block the offending IP address from both in and +outgoing connections. Stopping the attack in its tracks in a quick and timely +manner. Other applications that use cron job timings to run usually completely +miss brute force attacks as they run usually every 5 minutes or by which time +the attack could be over, or simply biding its time. In the meantime lfd will +have block the offenders IP address. + +By running the block and alert email actions in a sub-process, the main daemon +can continue monitoring the logs without delay. 
+ +If you want to know when lfd blocks an IP address you can enable the email +alert (which is on by default) and you should watch the log file in +/var/log/lfd.log. + + +4. csf Command Line Options +########################### + +Before configuring and starting csf for the first time, it is a good idea to +run the script /etc/csf/csftest.pl using: + +perl /etc/csf/csftest.pl + +This script will test whether the required iptables modules are functioning on +the server. Don't worry if it cannot run all the features, so long as the +script doesn't report any FATAL errors. + + +You can view the csf command line options by using either: + +# man csf + +or + +# csf -h + +These options allow you to easily and quickly control and view csf. All the +configuration files for csf are in /etc/csf and include: + +csf.conf - the main configuration file, it has helpful comments explaining + what each option does +csf.allow - a list of IP's and CIDR addresses that should always be allowed + through the firewall +csf.deny - a list of IP's and CIDR addresses that should never be allowed + through the firewall +csf.ignore - a list of IP's and CIDR addresses that lfd should ignore and not + not block if detected +csf.*ignore - various ignore files that list files, users, IP's that lfd + should ignore. See each file for their specific purpose and + tax + +If you modify any of the files listed above, you will need to restart csf and +then lfd to have them take effect. If you use the command line options to add +or deny IP addresses, then csf automatically does this for you. + +Both csf.allow and csf.deny can have comments after the IP address listed. The +comments must be on the same line as the IP address otherwise the IP rotation +of csf.deny will remove them. 
+ +If editing the csf.allow or csf.deny files directly, either from shell or the +WHM UI, you should put a # between the IP address and the comment +like this: + +11.22.33.44 # Added because I don't like them + +You can also include comments when using the csf -a or csf -d commands, but in +those cases you must not use a # like this: + +csf -d 11.22.33.44 Added because I don't like them + +If you use the shell commands then each comment line will be timestamped. You +will also find that if lfd blocks an IP address it will add a descriptive +comment plus timestamp. + +If you don't want csf to rotate a particular IP in csf.deny if the line limit +is reach you can do so by adding "do not delete" within the comment field, +e.g.: + +11.22.33.44 # Added because I don't like them. do not delete + +Include statement in configuration files +======================================== + +You can use an Include statement in the following files that conform to the +format of the originating file: + +/etc/csf/csf.allow +/etc/csf/csf.blocklists +/etc/csf/csf.cloudflare +/etc/csf/csf.deny +/etc/csf/csf.dirwatch +/etc/csf/csf.dyndns +/etc/csf/csf.fignore +/etc/csf/csf.ignore +/etc/csf/csf.logfiles +/etc/csf/csf.logignore +/etc/csf/csf.mignore +/etc/csf/csf.pignore +/etc/csf/csf.rblconf +/etc/csf/csf.redirect +/etc/csf/csf.rignore +/etc/csf/csf.signore +/etc/csf/csf.sips +/etc/csf/csf.smtpauth +/etc/csf/csf.suignore +/etc/csf/csf.syslogs +/etc/csf/csf.syslogusers +/etc/csf/csf.uidignore + +You must specify the full path to the included file, e.g. in +/etc/csf/csf.allow: + +Include /etc/csf/csf.alsoallow + +Do NOT put a comment after the Include filename as this will not work and will +invalidate the Include line. + +Note: None of the csf commands for adding or removing entries from the +originating file will be performed on Include files. They are treated as +read-only. + + +5. 
lfd Command Line Options +########################### + +lfd does not have any command line options of its own but is controlled through +init or systemd which stops and starts the daemon. It is configured using the +/etc/csf/csf.conf file. + +The best way to see what lfd is up to is to take a look in /var/log/lfd.log +where its activities are logged. + +The various email alert templates follow, care should be taken if you +modify that file to maintain the correct format: + +/usr/local/csf/tpl/accounttracking.txt - for account tracking alert emails +/usr/local/csf/tpl/alert.txt - for port blocking emails +/usr/local/csf/tpl/connectiontracking.txt - for connection tracking emails +/usr/local/csf/tpl/consolealert.txt - for console root login alert emails +/usr/local/csf/tpl/cpanelalert.txt - for WHM/cPanel account access emails +/usr/local/csf/tpl/exploitalert.txt - for system exploit alert emails +/usr/local/csf/tpl/filealert.txt - for suspicious file alert emails +/usr/local/csf/tpl/forkbombalert.txt - for fork bomb alert emails +/usr/local/csf/tpl/integrityalert.txt - for system integrity alert emails +/usr/local/csf/tpl/loadalert.txt - for high load average alert emails +/usr/local/csf/tpl/logalert.txt - for log scanner report emails +/usr/local/csf/tpl/logfloodalert.txt - for log file flooding alert emails +/usr/local/csf/tpl/modsecipdbcheck.txt - for ModSecurity IP DB size alert emails +/usr/local/csf/tpl/netblock.txt - for netblock alert emails +/usr/local/csf/tpl/permblock.txt - for temporary to permanent block alert emails +/usr/local/csf/tpl/portknocking.txt - for Port Knocking alert emails +/usr/local/csf/tpl/portscan.txt - for port scan tracking alert emails +/usr/local/csf/tpl/processtracking.txt - for process tracking alert emails +/usr/local/csf/tpl/queuealert.txt - for email queue alert emails +/usr/local/csf/tpl/relayalert.txt - for email relay alert emails +/usr/local/csf/tpl/resalert.txt - for process resource alert emails 
+/usr/local/csf/tpl/scriptalert.txt - for script alert emails
+/usr/local/csf/tpl/sshalert.txt - for SSH login emails
+/usr/local/csf/tpl/sualert.txt - for SU alert emails
+/usr/local/csf/tpl/tracking.txt - for POP3/IMAP blocking emails
+/usr/local/csf/tpl/uialert.txt - for UI alert emails
+/usr/local/csf/tpl/usertracking.txt - for user process tracking alert emails
+/usr/local/csf/tpl/watchalert.txt - for watched file and directory change alert emails
+/usr/local/csf/tpl/webminalert.txt - for Webmin login emails
+
+6. Login Tracking
+#################
+
+Login tracking is an extension of lfd, it keeps track of POP3 and IMAP logins
+and limits them to X connections per hour per account per IP address. It uses
+iptables to block offenders to the appropriate protocol port only and flushes
+them every hour and starts counting logins afresh. All of these blocks are
+temporary and can be cleared manually by restarting csf.
+
+There are two settings, one of POP3 and one for IMAP logins. It's generally
+not a good idea to track IMAP logins as many clients login each time to perform
+a protocol transaction (there's no need for them to repeatedly login, but you
+can't avoid bad client programming!). So, if you do have a need to have some
+limit to IMAP logins, it is probably best to set the login limit quite high.
+
+If you want to know when lfd temporarily blocks an IP address you can enable
+the email tracking alerts option (which is on by default)
+
+You can also add your own login failure tracking using regular expression
+matching. Please read /usr/local/csf/bin/regex.custom.pm for more information
+
+Important Note: To enable successful SSHD login tracking you should ensure that
+UseDNS in /etc/ssh/sshd_config is disabled by using:
+
+UseDNS no
+
+and that sshd has then been restarted.
+
+7. Script Email Alerts
+######################
+
+(cPanel installations of csf only)
+
+lfd can scan for emails being sent through exim from scripts on the server.
+ +To use this feature you must add an extended email logging line to WHM > +Exim Configuration Manager > Advanced Editor. Search for log_selector and +ensure that the following are included: + +log_selector = +arguments +subject +received_recipients + +This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines +appear with the same cwd= path in them within an hour. This can be useful in +identifying spamming scripts on a server, especially PHP scripts running +under the nobody account. The email that is sent includes the exim log lines +and also attempts to find scripts that send email in the path that may be the +culprit. + +This option uses the /usr/local/csf/tpl/scriptalert text file for alert emails. + +If you enable the option LF_SCRIPT_ALERT then lfd will disable the path using +chattr +i and chmod 000 so that the user cannot re-enable it. The alert email +also then includes the commands needed to re-enable the offending path. + +Any false-positives can be added to /etc/csf/csf.signore and lfd will then +ignore those listed scripts. + +8. Process Tracking +################### + +This option enables tracking of user and nobody processes and examines them for +suspicious executables or open network ports. Its purpose is to identify +potential exploit processes that are running on the server, even if they are +obfuscated to appear as system services. If a suspicious process is found an +alert email is sent with relevant information. + +It is then the responsibility of the recipient to investigate the process +further as the script takes no further action. Processes (PIDs) are only +reported once unless lfd is restarted. + +There is an ignore file /etc/csf/csf.pignore which can be used to whitelist +either usernames or full paths to binaries. Care should be taken with ignoring +users or files so that you don't force false-negatives. 
+
+You must use the following format:
+
+exe:/full/path/to/file
+user:username
+cmd:command line
+
+The command line as reported in /proc has the trailing null character removed
+and all other occurrences replaced with a space. So, the line you specify in
+the file should have space separators for the command line arguments, not null
+characters.
+
+It is strongly recommended that you use command line ignores very carefully
+as any process can change what is reported to the OS.
+
+Don't list the paths to perl or php as this will prevent detection of
+suspicious web scripts.
+
+For more information on the difference between executable and command line, you
+should read and understand how the linux /proc pseudo-filesystem works:
+
+man proc
+man lsof
+
+It is beyond the scope of this application to explain how to investigate
+processes in the linux /proc architecture.
+
+The email alerts are sent using the processtracking.txt email template.
+
+It should be noted that this feature will not pickup a root compromise as root
+processes are ignored - you should use established IDS tools for such security
+considerations.
+
+*** NOTE *** You _will_ get false-positives with this particular feature. The
+reason for the feature is to bring to your attention processes that have either
+been running for a long time under a user account, or that have ports open
+outside of your server. You should satisfy yourself that they are indeed false-
+positives before either ignoring them or trapping them in the csf.pignore file.
+
+We've done our best to minimise false-positives, but there's a balance between
+being cautious and the sensitivity needed to pick up exploits.
+
+The script itself cannot distinguish between malicious intent and intended
+script function - that's your job as the server administrator ;-)
+
+The setting PT_SKIP_HTTP does reduce the number of false-positives by not
+checking scripts running directly or through CGI in Apache. However, disabling
+this setting will make a more thorough job of detecting active exploits of all
+varieties.
+
+Another alternative might be to disable PT_SKIP_HTTP and increase PT_LIMIT to
+avoid picking up web scripts, however this means that real exploits will run
+for longer before they're picked up.
+
+You can, of course, turn the feature off too - if you really want to.
+
+
+9. Directory Watching
+#####################
+
+Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent
+directories for suspicious files, i.e. script exploits.
+
+If a suspicious file is found an email alert is sent using the template
+filealert.txt.
+
+NOTE: Only one alert per file is sent until lfd is restarted, so if you remove
+a suspicious file, remember to restart lfd
+
+To remove any suspicious files found during directory watching, enable
+corresponding setting the suspicious files will be appended to a tarball in
+/var/lib/csf/suspicious.tar and deleted from their original location. Symlinks
+are simply removed.
+
+If you want to extract the tarball to your current location, use:
+
+tar -xpf /var/lib/csf/suspicious.tar
+
+This will preserver the path and permissions of the original file.
+
+Any false-positives can be added to /etc/csf/csf.fignore and lfd will then
+ignore those listed files and directories.
+
+Within csf.fignore is a list of files that lfd directory watching will ignore.
+You must specify the full path to the file
+
+You can also use perl regular expression pattern matching, for example:
+/tmp/clamav.*
+/tmp/.*\.wrk
+
+Remember that you will need to escape special characters (precede them with a
+backslash) such as \. \?
+
+Pattern matching will only occur with strings containing an asterisk (*),
+otherwise full file path matching will be applied
+
+You can also add entries to ignore files owner by a particular user by
+preceding it with user:, for example:
+user:bob
+
+
+Note: files owned by root are ignored
+
+For information on perl regular expressions:
+http://www.perl.com/doc/manual/html/pod/perlre.html
+
+The second aspect of Directory Watching is enabled with LF_DIRWATCH_FILE. This
+option allows you to have lfd watch a particular file or directory for changes
+and should they change and email alert using watchalert.txt is sent. It uses a
+simple md5sum match from the output of "ls -laAR" on the entry and so will
+traverse directories if specified.
+
+
+10. Advanced Allow/Deny Filters
+###############################
+
+In /etc/csf/csf.allow and /etc/csf/csf.deny you can add more complex port and
+ip filters using the following format (you must specify a port AND an IP
+address):
+
+tcp/udp|in/out|s/d=port|s/d=ip|u=uid
+
+Broken down:
+
+tcp/udp : EITHER tcp OR udp OR icmp protocol
+in/out : EITHER incoming OR outgoing connections
+s/d=port : EITHER source OR destination port number (or ICMP type)
+ (use a _ for a port range, e.g. 2000_3000)
+ (use a , for a multiport list of up to 15 ports, e.g. 22,80,443)
+s/d=ip : EITHER source OR destination IP address
+u/g=UID : EITHER UID or GID of source packet, implies outgoing connections,
+ s/d=IP value is ignored
+
+Note: ICMP filtering uses the "port" for s/d=port to set the ICMP type.
+Whether you use s or d is not relevant as either simply uses the iptables
+--icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types.
+Only one type per filter is supported
+
+Examples:
+
+# TCP connections inbound to port 3306 from IP 11.22.33.44
+tcp|in|d=3306|s=11.22.33.44
+
+# TCP connections outbound to port 22 on IP 11.22.33.44
+tcp|out|d=22|d=11.22.33.44
+
+Note| If omitted, the default protocol is set to "tcp", the default connection
+direction is set to "in", so|
+
+# TCP connections inbound to port 22 from IP 44.33.22.11
+d=22|s=44.33.22.11
+
+# TCP connections outbound to port 80 from UID 99
+tcp|out|d=80||u=99
+
+# ICMP connections inbound for type ping from 44.33.22.11
+icmp|in|d=ping|s=44.33.22.11
+
+# TCP connections inbound to port 22 from Dynamic DNS address
+# www.configserver.com (for use in csf.dyndns only)
+tcp|in|d=22|s=www.configserver.com
+
+# TCP connections inbound to port 22,80,443 from IP 44.33.22.11
+d=22,80,443|s=44.33.22.11
+
+
+11. Multiple Ethernet Devices
+#############################
+
+If you have multiple ethernet NICs that you want to apply all rules to, then
+you can set ETH_DEVICE to the interface name immediately followed by a plus
+sign. For example, eth+ will apply all iptables rules to eth0, eth1, etc.
+
+That said, if you leave ETH_DEVICE blank all rules will be applied to all
+ethernet devices equally.
+
+
+12. Installation on a Generic Linux Server
+##########################################
+
+csf+lfd can be configured to run on a generic Linux server. There are some
+changes to the features available:
+
+1. The default port range is for a typical non-cPanel web server and may need
+ altering to suit the servers environment
+
+2. The Process Tracking ignore file may need expanding in /etc/csf/csf.pignore
+ to suit the server environment
+
+3. A standard Webmin Module to configure csf is included - see the install.txt
+ for more information
+
+The codebase is the same for a all installations, the csf.conf file simply has
+the cPanel specific options removed and the GENERIC option added
+
+
+13. A note about FTP Connection Issues
+######################################
+
+It is important when using an SPI firewall to ensure FTP client applications
+are configured to use Passive (PASV) mode connections to the server.
+
+On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom
+built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may
+not be available or fully functional. If this happens, FTP passive mode (PASV)
+won't work. In such circumstances you will have to open a hole in your firewall
+and configure the FTP server to use that same hole.
+
+For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN
+and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:
+PassivePortRange 30000 35000
+
+For example, with proftpd you could add the port range 30000:35000 to TCP_IN
+and add the following line to /etc/proftpd.conf and then restart proftpd:
+PassivePorts 30000 35000
+
+FTP over SSL/TLS will usually fail when using an SPI firewall. This is because
+of the way the FTP protocol established a connection between client and server.
+iptables fails to establish a related connection when using FTP over SSL
+because the FTP control connection is encrypted and so cannot track the
+relationship between the connection and the allocation of an ephemeral port.
+
+If you need to use FTP over SSL, you will have to open up a passive port block
+in both csf and your FTP server configuration (see above).
+
+Perversely, this makes your firewall less secure, while trying to make FTP
+connections more secure.
+
+
+14. Messenger Service
+#####################
+
+This feature allows the display of a message to a blocked connecting IP address
+to inform the user that they are blocked in the firewall. This can help when
+users get themselves blocked, e.g. due to multiple login failures. The service
+is provided by several daemons running on ports providing HTTPS, HTML or TEXT
+message.
+
+This services uses the iptables nat table and the associated PREROUTING chain.
+The ipt_REDIRECT module is used to redirect the incoming port to the relevant
+messenger service server port.
+
+Temporary and/or permanent (csf.deny) IP addresses can be serviced by this
+feature.
+
+It does NOT include redirection of any GLOBAL or BLOCK deny lists.
+
+It does require the IO::Socket::INET perl module.
+
+It does NOT work on servers that do not have the iptables module ipt_REDIRECT
+loaded. Typically, this will be with Monolithic kernels. VPS server admins
+should check with their VPS host provider that the iptables module is included.
+
+If you change any of the files in /etc/csf/messenger/ you must restart lfd as
+they are all cached in memory.
+
+Use of this feature can be controlled by the Country Code options:
+CC_MESSENGER_ALLOW = ""
+CC_MESSENGER_DENY = ""
+See /etc/csf/csf.conf for an explanation of those options.
+
+
+Messenger User
+==============
+
+You should create a unique user that the messenger services will run under.
+This user should be disabled and have no shell access, but should have a home
+directory.
+
+For example, you can create such an account (in this example called "csf") from
+the root shell using:
+
+useradd csf -s /bin/false
+
+TEXT Messenger Server
+=====================
+
+The TEXT message that is displayed is provided by the file:
+
+/etc/csf/messenger/index.text
+
+This file should only contain text. The TEXT server providing this file simply
+sends the contents to the connecting port and no protocol exchange takes place.
+this means that it may not be suitable for use with protocols such as POP3.
+
+The server has a built-in function that will replace the text [IPADDRESS] in
+index.text with the IP address that is blocked by the firewall. This will help
+the blocked user know what their blocked IP address is. You can also use the
+text [HOSTAME] which will be replaced by the servers FQDN hostname.
+
+The TEXT server does not support SSL connections, so redirecting port 995 will
+not work.
+
+The TEXT server port should not be added to the TCP_IN list.
+
+There is a maximum of 15 port allowed in MESSENGER_TEXT_IN.
+
+HTML and HTTPS Messenger v1 Server
+==================================
+
+The HTML and HTTPS message that is displayed is provided by the file:
+
+/etc/csf/messenger/index.html
+/etc/csf/messenger/index.recaptcha.html (if using the RECAPTCHA_* feature)
+
+The HTML server providing this page is very rudimentary but will accept the use
+of linked images that are stored in the /etc/csf/messenger/ directory. The
+images must be of either jpg, gif or png format. These images are loaded into
+memory so you should keep the number and size to a minimum. No other linked
+resource files are supported (e.g. .css, .js).
+
+It is recommeneded to to use inline images (source embedding) to improve page
+load speed and reduce lfd overheads.
+
+As the HTML server requires interaction with the client, there is a timer on
+the connection to prevent port hogging.
+
+The server has a built-in function that will replace the text [IPADDRESS] in
+index.html with the IP address that is blocked by the firewall. This will help
+the blocked user know what their blocked IP address is. You can also use the
+text [HOSTAME] which will be replaced by the servers FQDN hostname.
+
+The HTTPS service obtains the necessary certificates from MESSENGER_HTTPS_CONF.
+
+The HTML and HTTPS server ports should not be added to the TCP_IN list.
+
+There is a maximum of 15 ports allowed in MESSENGER_HTML_IN and
+MESSENGER_HTTPS_IN.
+
+HTML and HTTPS Messenger v2 Server
+==================================
+
+This service is only available to cPanel servers running Apache. It utilises
+the existing Apache service to provide the message as well as RECAPTCHA
+unblocking. It is enabled through the MESSENGERV2 option.
+
+The server must be running Apache v2.4 and using cPanel's EasyApache v4.
+
+HTML and HTTPS Messenger v3 Server
+==================================
+
+This service is available to servers running Apache or Litespeed/Openlitespeed.
+It utilises the existing web server service to provide the message as well as
+RECAPTCHA unblocking. It is enabled through the MESSENGERV3 option.
+
+The web server configuration is created in /var/lib/csf/csf.conf using the
+following templates in /usr/local/csf/tpl/:
+
+apache.main.txt
+apache.http.txt
+apache.https.txt
+
+litespeed.main.txt
+litespeed.http.txt
+litespeed.https.txt
+
+*.main.txt can contain any web server directives required for the service to
+function.
+*.http.txt contains the configuration to offer the HTTP service
+*.https.txt contains the configuration to offer the HTTPS service. In this file
+the virtualhost container is created for each domain served with a certificate
+on the server.
+
+These templates are not overwritten during a csf upgrade.
+
+PHP is needed to display the MESSENGER web files (see following). This is
+controlled by the MESSENGERV3PHPHANDLER setting.
+
+If left empty, the MESSENGER service will try to configure this. If this does
+not work, this should be set as an "Include /path/to/csf_php.conf" or similar
+file which must contain appropriate web server configuration to allow PHP
+scripts to run under the MESSENGER_USER account. This line will be included
+within each MESSENGER VirtualHost container. This will replace the
+[MESSENGERV3PHPHANDLER] line from the csf webserver template files.
+
+Messenger v2 and v3
+===================
+
+For the service to work, the Messenger User MUST have a specific directory
+structure. This will be created by the script if it does not exist so long as
+the user has been created with a home directory. The structure needs to mimic
+the standard web server setup, e.g. using "csf" as the user:
+
+/home/csf/ (Owner csf:csf, Permissions 711)
+/home/csf/public_html/ (Owner csf:nobody, Permissions 711)
+
+lfd will populate this structure with the following files:
+
+/home/csf/public_html/.htaccess
+/home/csf/public_html/index.php
+
+If RECAPTCHA_* is enabled these files will be created if they do not already
+exist:
+
+/home/csf/recaptcha.php
+/home/csf/public_html/index.php
+/home/csf/en.php
+
+The HTML and HTTPS index file is created from (respectively):
+/etc/csf/messenger/index.php
+/etc/csf/messenger/index.recaptcha.php
+/etc/csf/messenger/en.php
+
+You should NOT modify the templates in /etc/csf/messenger/ as they will be
+overwritten when csf upgrades. Instead modify the files within /home/csf/.
+
+Each time lfd is restarted a check is made of the preceding structure and any
+missing files are recreated. This process also creates the configuration file
+for Apache in /etc/apache2/conf.d/csf.messenger.conf and restarts httpd.
+
+/etc/apache2/conf.d/csf.messenger.conf contains all the VirtualHost directives
+to serve the MESSENGERV2 services.
+
+Translation of /home/csf/en.php is possible by creating the appropriate
+[abbr].php file.
+
+The HTML and HTTPS server ports should NOT be added to the TCP_IN list.
+
+As Apache is handling all requests for HTML and HTTPS connections, all
+scripting for the service is provided by the files in /home/csf/public_html/
+which allows the use of PHP and CGI scripts.
+
+
+15. Block Reporting
+###################
+
+lfd can run an external script when it performs and IP address block following
+for example a login failure. This is done by setting the configuration variable
+BLOCK_REPORT to a script that must be executable. The following parameters are
+passed the the script as arguments:
+
+ARG 1 = IP Address # The IP address or CIDR being blocked
+ARG 2 = ports # Port, comma separated list or * for all ports
+ARG 3 = permanent # 0=temporary block, 1=permanent block
+ARG 4 = inout # Direction of block: in, out or inout
+ARG 5 = timeout # If a temporary block, TTL in seconds, otherwise 0
+ARG 6 = message # Message containing reason for block
+ARG 7 = logs # The logs lines that triggered the block (will contain
+ # line feeds between each log line)
+ARG 8 = trigger # The configuration settings triggered
+
+lfd launches the BLOCK_REPORT in a forked process which terminates after 10
+seconds if not completed by then. It runs under the root account, so great care
+should be exercised with regard to security of the BLOCK_REPORT script.
+
+To also run an external script when a temporary block is unblocked by lfd.
+UNBLOCK_REPORT can be the full path of the external script which must be
+executable. The following parameters are passed the the script as arguments:
+
+ARG 1 = IP Address # The IP address or CIDR being blocked
+ARG 2 = port* # Port, there could be multiple unblocks for each IP
+
+[*] If a port was specified in the initial block.
+
+16. Port Flood Protection
+#########################
+
+This option configures iptables to offer protection from DOS attacks against
+specific ports. This option limits the number of connections per time interval
+that new connections can be made to specific ports.
+
+This feature does not work on servers that do not have the iptables module
+ipt_recent loaded. Typically, this will be with Monolithic kernels. VPS server
+admins should check with their VPS host provider that the iptables module is
+included.
+
+By default ipt_recent tracks only the last 100 IP addresses. The tracked IP
+addresses can be viewed in /proc/net/ipt_recent/* where the port number is the
+filename.
+
+Syntax for the PORTFLOOD setting:
+
+PORTFLOOD is a comma separated list of:
+port;protocol;hit count*;interval seconds
+
+So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5" means:
+
+1. If more than 5 connections to tcp port 22 within 300 seconds, then block
+that IP address from port 22 for at least 300 seconds after the last packet is
+seen, i.e. there must be a "quiet" period of 300 seconds before the block is
+lifted
+
+2. If more than 20 connections to tcp port 80 within 5 seconds, then block
+that IP address from port 80 for at least 5 seconds after the last packet is
+seen, i.e. there must be a "quiet" period of 5 seconds before the block is
+lifted
+
+More information about the ipt_recent module can be found in the iptables man
+page and at http://snowman.net/projects/ipt_recent/
+
+Note: Blocked IP addresses do not appear in any of the iptables chains when
+using this module. You must manipulate the /proc/net/ipt_recent/* files as per
+the module documentation to view and remove IP addresses that are currently
+blocked if the blocks have not yet expired.
+
+Restarting csf resets the ipt_recent tables and removes all of its blocks.
+
+Note: There are some restrictions when using ipt_recent:
+
+1. By default it only tracks 100 addresses per table (we try and increase this
+to 1000 via modprobe)
+
+2. By default it only counts 20 packets per address remembered
+
+*This means that you need to keep the hit count to below 20.
+
+
+17. External Pre- and Post- Scripts
+###################################
+
+External commands (e.g. iptables rules not covered by csf) can be run before
+and/or after csf sets up the iptables chains and rules.
+
+1. To run external commands before csf configures iptables create the file:
+
+/usr/local/csf/bin/csfpre.sh
+
+Set that file as executable and add an appropriate shebang interpreter line and
+then whatever external commands you wish to execute.
+ +For example: + +#!/bin/sh +/some/path/to/binary -a -b -c etc + +Then chmod +x /usr/local/csf/bin/csfpre.sh + +2. To run external commands after csf configures iptables create the file: + +/usr/local/csf/bin/csfpost.sh + +Set that file as executable and add an appropriate shebang interpreter line and +then whatever external commands you wish to execute. + + +Note: The scripts can alternatively be placed in /etc/csf/. If a script is found in +both locations (/etc/csf/ and /usr/local/csf/bin/) then only the script in +/usr/local/csf/bin/ will be executed. + +csfpre.sh/csfpost.sh are run directly. If present, csf chmods the script 0700 +and checks for a shebang. If the shebang is missing #!/bin/bash is added to the +top. The script is them run. + +Note: While csf runs the script with a preset PATH, you MUST use the full path +to any binaries that you execute within these scripts to ensure they are run +correctly + + +18. lfd Clustering +################## + +This set of options (CLUSTER*) in csf.conf allows the configuration of an +lfd cluster environment where a group of servers can share blocks and, via the +CLI, configuration option changes, allows and removes + +In the configuration there are two comma separated lists of IP addresses: + +CLUSTER_SENDTO = "" +CLUSTER_RECVFROM = "" + +Note: Do not use spaces in these lists + +If you want all members of the lfd cluster to send block notifications to each +other then both settings should be them same. You also need to enable +CLUSTER_BLOCK (enabled by default) for lfd to automatically send blocks to all +members in CLUSTER_SENDTO. + +However, you can also set up a cluster such that some members only provide +notifications to others and do not accept blocks from others. For example, you +may have a cluster of servers that includes one that hosts a support desk that +you do not want to block clients from accessing. 
In such an example you might
+want to exclude the support desk server from the CLUSTER_SENDTO list, but
+include it in the CLUSTER_RECVFROM list.
+
+The option CLUSTER_MASTER is the IP address of the master node in the cluster
+allowed to send CLUSTER_CONFIG changes to servers listed in the local
+CLUSTER_SENDTO list. Only cluster members that have CLUSTER_MASTER set to this
+IP address will accept CLUSTER_CONFIG changes.
+
+There is another option, CLUSTER_NAT that should be used if the IP address of
+the server does not appear in ip/ifconfig, for example if it is a NAT
+configuration. If this is the case, add the IP address of the server that this
+configuration is on and used in CLUSTER_SENDTO/CLUSTER_RECVFROM to CLUSTER_NAT.
+
+CLUSTER_LOCALADDR can be set if you do not want to use the servers main IP,
+i.e. the first one listed via 0.0.0.0.
+
+The CLUSTER_PORT must be set to the same port on all servers. The port should
+NOT be opened in TCP_IN or TCP_OUT as csf will automatically add appropriate in
+and out bound rules to allow communication between cluster members.
+
+The CLUSTER_KEY is a secret key used to encrypt cluster communications using
+the Blowfish algorithm. It should be between 8 and 56 ASCII characters long,
+longer is better, and must be the same on all members of the cluster.
+
+This key must be kept secret!
+
+When blocks are sent around the cluster they will maintain their originals
+parameters, e.g. permanent/temporary, direction (in/out), ports, etc. All
+blocks are traded except for LT_POP3D and LT_IMAPD.
+
+The cluster uses 10 second timeouts in its communications, if the timeout is
+reached then that cluster members notification will be lost.
+
+Note: You must restart csf and then lfd after making any CLUSTER_* changes
+
+lfd Cluster CLI and UI
+======================
+
+See csf --help for the list of new CLI commands. Additional options will
+automatically become available in the UI once CLUSTER_SENDTO has been
+configured.
+
+Only cluster members listed in CLUSTER_RECVFROM can send out requests to those
+members listed in CLUSTER_SENDTO.
+
+Only the server listed in CLUSTER_MASTER will be accepted as the source of
+CLUSTER_CONFIG configuration option requests, such as:
+--cconfig, --cfile, --crestart
+
+The CLI options --cfile and --cfiler allow you to synchronise csf configuration
+files throughout a cluster from the CLUSTER_MASTER server.
+
+There is currently only provision for permanent simple IP denies and allows
+from the CLI (i.e. not Allow/Deny Filters).
+
+The cluster PING sends a ping to each CLUSTER_SENDTO member which will report
+the request in their respective lfd.log files. This is intended as a test to
+confirm that cluster communications are functioning.
+
+The options to change the configuration option in csf.conf in cluster members
+should be used with caution to ensure that member specific options are not
+overwritten. The intention of the two options is that the --cconfig option be
+used if multiple changes are required and the final request is a --cconfigr to
+restart csf and lfd to effect the requested changes immediately.
+
+
+A Note on lfd Cluster Security
+==============================
+
+The clustering option is undoubtedly powerful in allowing servers to
+pre-emptively block access attempts as one server is hit before the attack can
+spread to other members of the cluster.
+
+This communication, however, does introduce a security risk. Since
+communications are made over the network, they are open to interception. Also,
+there is nothing to stop any local user from accessing the network port and
+sending data to it, though it will be discarded unless properly encrypted[*].
+
+There are security measures implemented to help mitigate attacks:
+
+1. csf constructs iptables rules such that only cluster members can communicate
+over the cluster port with each other
+
+2. The clustered servers will only accept data from connections from IPs listed
+in CLUSTER_RECVFROM or CLUSTER_MASTER
+
+3. [*]All communications are encrypted using the Blowfish symmetric block cipher
+through a Pure Perl cpan module using the Cipher Block Chaining module and the
+configured CLUSTER_KEY
+
+4. CLUSTER_CONFIG set to 0 prevents the processing of configuration option
+requests
+
+5. Only CLUSTER_MASTER will be accepted as the source of CLUSTER_CONFIG
+configuration option requests
+
+Should the configured secret key (passphrase) be compromised or guessed or a
+flaw found in the encryption modules or their implementation in csf, a
+malicious connection could reconfigure the csf firewall and then leverage a
+local or remote root escalation. This should be considered if you decide to use
+this option.
+
+THERE ARE NO GUARANTEES OR WARRANTIES PROVIDED THAT THIS FACILITY IS SECURE AND
+ANY DAMAGE ARISING FROM THE EXPLOITATION OF THIS OPTION IS ENTIRELY AT YOUR OWN
+RISK.
+
+
+19. Port Knocking
+#################
+
+This option configures iptables to offer port knocking to open sensitive ports
+based on a sequence of knocked ports for the connecting IP address.
+
+For mor information on the idea of port knocking see:
+http://www.portknocking.org/
+
+The feature requires that you list a random selection of unused ports (at least
+3) with a timeout. The ports you choose must not be in use and not appear in
+TCP_IN (UDP_IN for udp packets). The port to be opened must also not appear in
+TCP_IN (UDP_IN for udp packets).
+
+This feature does not work on servers that do not have the iptables module
+ipt_recent loaded. Typically, this will be with Monolithic kernels. VPS server
+admins should check with their VPS host provider that the iptables module is
+included.
+
+By default ipt_recent tracks only the last 100 IP addresses. The tracked IP
+addresses can be viewed in /proc/net/ipt_recent/*
+
+Syntax for the PORTKNOCKING setting:
+
+PORTKNOCKING is a comma separated list of:
+openport;protocol;timeout;kport1;kport2;kport3[...;kportN]
+
+So, a setting of PORTKNOCKING = "22;TCP;20;100;200;300;400" means:
+
+Open Port 22 TCP for 20 seconds to the connecting IP address to new connections
+once ports 100, 200, 300 and 400 have been accessed (i.e. knocked with a SYN
+packet) each knock being less than 20 seconds apart.
+
+Access to port 22 remains active after 20 seconds until the connection is
+dropped, however new connections will not be allowed.
+
+More information about the ipt_recent module can be found in the iptables man
+page and at http://snowman.net/projects/ipt_recent/
+
+Note: IP addresses do not appear in any of the iptables chains when using this
+module. You must view the /proc/net/ipt_recent/* files as per the module
+documentation to view IP addresses in the various stages of the knock.
+
+Restarting csf resets the ipt_recent tables and removes all of the knocks.
+
+
+20. Connection Limit Protection
+###############################
+
+This option configures iptables to offer protection from DOS attacks against
+specific ports. It can also be used as a way to simply limit resource usage by
+IP address to specific server services. This option limits the number of new
+concurrent connections per IP address that can be made to specific ports.
+
+This feature does not work on servers that do not have the iptables module
+xt_connlimit loaded. Typically, this will be with Monolithic kernels. VPS
+server admins should check with their VPS host provider that the iptables
+module is included.
+
+Also, although included in some older versions or RedHat/CentOS, it was only
+actually available from v5.3+
+
+The protection can only be applied to the TCP protocol.
+
+Syntax for the CONNLIMIT setting:
+
+CONNLIMIT is a comma separated list of:
+port;limit
+
+So, a setting of CONNLIMIT = "22;5,80;20" means:
+
+1. Only allow up to 5 concurrent new connections to port 22 per IP address
+
+2. Only allow up to 20 concurrent new connections to port 80 per IP address
+
+Note: Existing connections are not included in the count, only new SYN packets,
+i.e. new connections
+
+Note: Run /etc/csf/csftest.pl to check whether this option will function on the
+server
+
+
+21. Port/IP address Redirection
+###############################
+
+This feature uses the file /etc/csf/csf.redirect which is a list of port and/or
+IP address assignments to direct traffic to alternative ports/IP addresses.
+
+Requirements:
+ nat tables
+ ipt_DNAT iptables module
+ ipt_SNAT iptables module
+ ipt_REDIRECT iptables module
+
+The following are the allowed redirection formats
+
+DNAT (redirect from one IP address to a different one):
+IPx|*|IPy|*|tcp/udp - To IPx redirects to IPy
+IPx|portA|IPy|portB|tcp/udp - To IPx to portA redirects to IPy portB
+
+DNAT examples:
+192.168.254.62|*|10.0.0.1|*|tcp
+192.168.254.62|666|10.0.0.1|25|tcp
+
+REDIRECT (redirect from port to a different one):
+IPx|portA|*|portB|tcp/udp - To IPx to portA redirects to portB
+*|portA|*|portB|tcp/udp - To portA redirects to portB
+
+REDIRECT examples:
+*|666|*|25|tcp
+192.168.254.60|666|*|25|tcp
+192.168.254.4|666|*|25|tcp
+
+Where a port is specified it cannot be a range, only a single port.
+
+All redirections to another IP address will always appear on the destination
+server with the source of this server, not the originating IP address.
+
+This feature is not intended to be used for routing, NAT, VPN, etc tasks
+
+Note: /proc/sys/net/ipv4/ip_forward must be set to 1 for DNAT connections to
+work. csf will set this where it can, but if the kernel value cannot be set
+then the DNAT redirection many not work.
+
+
+22. Integrated User Interface Feature
+#####################################
+
+Integrated User Interface. This feature provides a HTML UI to the features of
+csf and lfd, without requiring a control panel or web server. The UI runs as a
+sub process to the lfd daemon.
+
+As it runs under the root account and successful login provides root access
+to the server, great care should be taken when configuring and using this
+feature. There are additional restrictions to enhance secure access to the
+UI:
+
+ 1. An SSL connection is required
+ 2. Separate ban and allow files are provided to only allow access to listed
+ IP addresses
+ 3. Local IP addresses cannot connect to the UI (i.e. all IP addresses
+ configured on the server NICs)
+ 4. Unique sessions, session timeouts, session cookies and browser headers are
+ used to identify and restrict active sessions
+
+Requirements:
+
+ 1. openssl
+ 2. Perl modules: Net::SSLeay, IO::Socket::SSL and dependent modules
+ 4. SSL keys
+ 5. Entries in /etc/csf/ui/ui.allow
+
+The SSL server uses the following files:
+
+ SSL Key goes into /etc/csf/ui/server.key
+ SSL Certificate goes into /etc/csf/ui/server.crt
+
+Preferably, real CA signed certificates should be used. You can use an
+existing domain and cert for accessing the UI by populating the two files
+mentioned. If the cert has a ca bundle, it should be appended to the server.crt
+file. lfd must be restarted after making any changes:
+http://httpd.apache.org/docs/current/ssl/ssl_faq.html#realcert
+
+Alternatively, you could generate your own self-signed certificate:
+http://httpd.apache.org/docs/current/ssl/ssl_faq.html#selfcert
+
+Any keys used must have their pass-phrase removed:
+http://httpd.apache.org/docs/current/ssl/ssl_faq.html#removepassphrase
+
+The login URL should use the domain you have listed in the self-signed cert:
+https://:
+
+For example: https://www.somedomain.com:6666
+
+Your browser must accept session cookies to gain access.
+
+UI_ALLOW is enabled by default, so IP addresses (or CIDRs) allowed to use this
+UI must be listed in /etc/csf/ui/ui.allow before trying to connect to the UI.
+
+Only IP addresses can be listed/used in /etc/csf/ui/ui.ban - this file should
+only be used by the UI to prevent login. Use csf blocks to prevent access to
+the configured port and only use Advanced Allow/Deny Filters for access, i.e.
+do not list the port in TCP_IN.
+
+Logging for UI events are logged to the lfd /var/log/lfd.log file. Check this
+file if you are unable to access the UI.
+
+Required Perl Modules:
+
+ For example, on Debian v6 the perl modules can be installed using:
+
+ apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl \
+ libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl
+
+ For example, on CentOS v6 the perl modules can be installed using:
+
+ yum install perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN \
+ perl-IO-Socket-INET6 perl-Socket6
+
+
+23. IP Block Lists
+##################
+
+This feature allows csf/lfd to periodically download lists of IP addresses and
+CIDRs from pubished block or black lists. It is controlled by the file:
+/etc/csf/csf.blocklists
+
+Uncomment the line starting with the rule name to use it, then restart csf and
+then lfd.
+
+Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
+ NAME : List name with all uppercase alphabetic characters with no
+ spaces and a maximum of 25 characters - this will be used as the
+ iptables chain name
+ INTERVAL: Refresh interval to download the list, must be a minimum of 3600
+ seconds (an hour), but 86400 (a day) should be more than enough
+ MAX : This is the maximum number of IP addresses to use from the list,
+ a value of 0 means all IPs
+ URL : The URL to download the list from
+
+Note: Some of thsese lists are very long (thousands of IP addresses) and
+could cause serious network and/or performance issues, so setting a value for
+the MAX field should be considered.
+
+After making any changes to this file you must restart csf and then lfd.
+
+If you want to redownload a blocklist you must first delete
+/var/lib/csf/csf.block.NAME and then restart csf and then lfd.
+
+Each URL is scanned for an IP/CIDR address per line and if found is blocked.
+
+
+24. Mitigating issues with syslog/rsyslog logs (RESTRICT_SYSLOG)
+##############################################
+
+Unfortunately, it is trivial for end-users and scripts run by end-users to
+spoof log lines that appear identical to any log line reported in logs
+maintained by syslog/rsyslog. You can identify these logs by looking in
+/etc/syslog.conf or /etc/rsyslog.conf
+
+This means that anyone on the server can maliciously trigger applications that
+monitor these logs, such as lfd does for the following options:
+
+LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
+LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
+LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
+PORTKNOCKING_ALERT ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
+
+A malicious user could use this issue to trigger confusing emails regarding
+both successful and failed login attempts, kernel log lines (including iptables
+log lines) etc. Unfortunately, there is very little that can be done about this
+as syslog/rsyslog has no security framework. Some attempt was made in newer
+versions of rsyslog, but this version is not available in the current versions
+used by RedHat/CentOS v6. It also has to be enabled and can will have adverse
+effects on utilities that expect a certain format for the log lines.
+
+To mitigate spoofing attempts we recommend the following, if you are willing to
+accept the consequences of spoofed log lines:
+
+1. We recommend setting RESTRICT_SYSLOG to "3" for use with option
+RESTRICT_SYSLOG_GROUP to restrict access to the syslog/rsyslog unix socket(s)
+
+2. Go through the options above ensuring that only those that you need are
+enabled
+
+3. Ensure that DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT are set reasonably low (for
+example, 200). This will limit attempts to block large numbers of IP addresses
+
+4. Ensure that administrator/support IP addresses are listed in
+/etc/csf/csf.allow and perhaps /etc/csf/csf.ignore. This will prevent malicious
+blocking from denying you access to the server
+
+5. To confirm successful logins to SSH, use the "last" utility from the root
+shell, e.g.:
+
+last -da
+
+6. Regularly check the server and user data for exploits, old vulnerable
+applications and out of date OS applications
+
+7. Consider carefully any application that you use that centralises actions and
+syslog/rsyslog logs and the implications of spoofed log lines
+
+8. Consider the implications of this overall issue on applications and scripts
+other than csf/lfd that use the affected log files
+
+9. Do not enable syslog/rsyslog reception via UDP/TCP ports
+
+10. For CloudLinux clients utilizing CageFS this can be prevented by limiting
+access to /dev/log inside CageFS.
+For that remove file: /etc/rsyslog.d/schroot.conf
+Or remove this line from that file:
+$AddUnixListenSocket /usr/share/cagefs-skeleton/dev/log
+
+That will prevent end user's access to /dev/log, preventing them from spoofing.
+However, this does also break cron job logging.
+
+
+25. Exim SMTP AUTH Restriction
+##############################
+
+The option SMTPAUTH_RESTRICT will only allow SMTP AUTH to be advertised to the
+IP addresses listed in /etc/csf/csf.smtpauth plus the localhost IP addresses.
+
+The additional option CC_ALLOW_SMTPAUTH can be used with this option to
+additionally restrict access to specific countries.
+
+This is to help limit attempts at distributed attacks against SMTP AUTH which
+are difficult to achive since port 25 needs to be open to relay email.
+
+The reason why this works is that if EXIM does not advertise SMTP AUTH on a
+connection, then SMTP AUTH will not accept logins, defeating the attacks
+without restricting mail relaying.
+
+Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
+that the lookup file in /etc/exim.smtpauth is regenerated from the information
+from /etc/csf/csf.smtpauth, the localhost IP addresses, plus any countries
+listed in CC_ALLOW_SMTPAUTH
+
+To make this option work you MUST make the following modifications to your
+exim.conf:
+
+
+On cPanel servers you can do this by:
+=====================================
+
+1. Navigate to WHM > Exim Configuration Manager > Advanced Editor
+
+2. Search within the window and ensure that "auth_advertise_hosts" has not been
+ set
+
+3. Scroll down and click "Add additional configuration setting"
+
+4. From the drop-down box select "auth_advertise_hosts"
+
+5. In the input box after the = sign add the following on one line:
+
+${if match_ip{$sender_host_address}{iplsearch;/etc/exim.smtpauth}{*}{}}
+
+6. Scroll to the bottom and click "Save"
+
+7. That should be all that is required after having made any necessary changes
+ within csf.conf and restarting csf and then lfd
+
+8. Be sure to test extensively to ensure the option works as expected
+
+To reverse this change:
+
+1. Navigate to WHM > Exim Configuration Manager > Advanced Editor
+
+2. Search within the window for "auth_advertise_hosts"
+
+3. Click the wastebasket icon next to the option (if there is no wastebasket
+ you should be able to change the setting to * to advertise to all IP's)
+
+4. Scroll to the bottom and click "Save"
+
+5. Disable SMTPAUTH_RESTRICT and CC_ALLOW_SMTPAUTH in csf.conf and then restart
+ csf and then lfd
+
+
+Alternatively, on cPanel:
+=========================
+
+1. Edit /etc/exim.conf.local and add the following line to an @CONFIG@ section
+ all on one line:
+
+auth_advertise_hosts = ${if match_ip{$sender_host_address}{iplsearch;/etc/exim.smtpauth}{*}{}}
+
+2. Rebuild the exim configuration:
+
+/scripts/buildeximconf
+service exim restart
+
+3. Be sure to test extensively to ensure the option works as expected
+
+
+On non-cPanel platforms:
+========================
+
+1. Modify your active exim.conf and add the following as a single line near the
+ top all on one line:
+
+auth_advertise_hosts = ${if match_ip{$sender_host_address}{iplsearch;/etc/exim.smtpauth}{*}{}}
+
+2. Restart exim
+
+3. Be sure to test extensively to ensure the option works as expected
+
+
+26. UI Skinning and Mobile View
+###############################
+
+The csf UI provided through cPanel, DirectAdmin, Webmin and the integrated UI
+via lfd, all user the Bootstrap and jQuery frameworks. Additional styling is
+added to complement the frameworks and the UI flow.
+
+If you want to make changes to the styling or add jQuery or JavaScript code you
+can create:
+
+1. A text file /etc/csf/csf.header which will be included in each of
+the UI pages before the closing tag
+
+2. A text file /etc/csf/csf.body which will be included in each of the UI
+pages after the opening tag[*]
+
+3. A text file /etc/csf/csf.footer which will be included in each of the UI
+pages before the closing tag
+
+The html tag will also have a data-post field containing the internal action
+being performed by the UI.
+
+You can also make additions to the and tags by creating
+/etc/csf/csf.htmltag and /etc/csf/csf.bodytag respectively[*]. Additions made
+in these files MUST all be on a single line at the top of the file, anything
+else will be ignored. The text will then be placed within the respective tag,
+e.g. if you want you would put the following on a
+single line in /etc/csf/csf.bodytag:
+data-name='result'
+
+[*] This functionality is ONLY available on webmin servers
+
+The Mobile View feature has a breakpoint of 600px which will initiate the full
+browser subset of UI features. This may mean breaking out of framesets in some
+control panels, so a return to the main control panel window is included. Also
+switching back to the Desktop view will remain in the full browser display.
+
+If you switch to the Mobile View and then switch to main control panel window
+further accesses to the UI will always default to the Mobile View. If you
+switch back after returning to the Desktop View, subsequent access will default
+to that view. This reverts back to the default breakpoint behaviour in new
+browser sessions as the system uses session cookies to keep track of the chosen
+view which are reset one browser shutdown.
+
+There are options in csf.conf that control the behaviour of these options under
+STYLE_*. Any styling changes MUST respect these options.
+
+Note: We do NOT recommend reformatting the UI output as any changes in the core
+code may not be reflected in the user experience and can break the product.
+Only style changes should be made.
+
+
+27. CloudFlare
+##############
+
+This features provides interaction with the CloudFlare Firewall.
+
+As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
+iptables is concerned) come from the CloudFlare IP's. To counter this, an
+Apache module (mod_cloudflare) is available that obtains the true attackers
+IP from a custom HTTP header record (similar functionality is available
+for other HTTP daemons.
+
+However, despite now knowing the true attacking IP address, iptables cannot
+be used to block that IP as the traffic is still coming from the CloudFlare
+servers.
+
+CloudFlare have provided a Firewall feature within the user account where
+rules can be added to block, challenge or whitelist IP addresses.
+
+Using the CloudFlare API, this feature adds and removes attacking IPs from that
+firewall and provides CLI (and via the UI) additional commands.
+
+There are several restrictions to using this feature:
+
+1. All lfd blocks will be temporary blocks so that csf/lfd can keep blocks in
+ sync with CloudFlare
+
+2. Automatic blocks via lfd are limited to LF_MODSEC and LF_CXS triggers as
+ only through these can the domain name be determined. Any users that own
+ domains that are involved in the trigger will get a block in their
+ CloudFlare Firewall. Additionally, any users with the special case "any"
+ will also get blocks
+
+3. The temporary/permanent config of the lfd settings are ignored and CF_TEMP
+ is used instead
+
+4. LF_TRIGGER must not be used, the feature will not work with it enabled
+
+5. mod_cloudflare or similar must be used to report real IP in the Apache logs
+
+6. URLGET must be set to 2 (i.e. LWP) must be used
+
+7. If PERMBLOCK is used, the last tempblock will remain and never be cleared.
+ So any CloudFlare Firewall entries must be manually cleared in CloudFlare
+ or via CLI
+
+8. There are restrictions imposed by CloudFlare to the number of rules that
+ can be created depending on the type of account used. See
+ https://goo.gl/ssGu7v for more information
+
+9. When restarting csf, any old temporary blocks will still be created for lfd
+ to clear when it restarts
+
+10. All interaction with CloudFlare is at User-level, not Zone-level
+
+11. If using the CloudFlare cPanel user plugin, it must be v7+
+
+CF_TEMP should be configured taking into account the maximum number of rules
+that the CloudFlare account allows: https://goo.gl/ssGu7v
+
+All CloudFlare users for the domains that are involved in LF_MODSEC and
+LF_CXS triggers will have a CloudFlare rule added. Any CloudFlare account
+configured to use the special case "any" field value in csf.cloudflare will
+have a CloudFlare rule added regardless of domain.
+
+NOTE: You should always list the CloudFlare IP addresses in /etc/csf/csf.ignore
+to prevent them from being blocked by lfd from https://www.cloudflare.com/ips/
+
+
+CLI commands
+============
+
+There are also accompanying csf CLI commands available (see man) to interact
+with the Cloudflare firewall.
+
+Enabling CF_ENABLE enables two CloudFlare buttons in the UI in the "Other"
+section that mirror the CLI commands.
+
+1. Using the CLI commands all, block, challenge or whitelist rules in the
+provided users CloudFlare firewall can be listed, e.g.:
+
+csf --cloudflare list all [user1,user2,...]
+
+2. Block, challenge and whitelist rules can be added for IPs to the provided
+users CloudFlare firewall, e.g.:
+
+csf --cloudflare add challenge 11.22.33.44 [user1,user2,...]
+
+Note: These rules are NOT cleared by lfd and do NOT create an equivalent
+iptables rule in csf)
+
+3. Rules can be deleted for IPs to the provided users CloudFlare firewall,
+e.g.:
+
+csf --cloudflare del 11.22.33.44 [domain,domain2,...]
+
+Note: These rules are NOT cleared in csf if they exist
+
+4. Domains can also be used instead of users, or a mixture of both e.g.:
+
+csf --cloudflare list all [user,user2,domain,...]
+
+5. IPs can be added both the users CloudFlare firewall and to csf as temporary
+allow or deny, e.g.:
+
+csf --cloudflare tempadd deny 11.22.33.44 [user1,user2,...]
+
+Note: This applies the allow/deny for the IP address in csf for CF_TEMP seconds
+as well as the users CloudFlare Firewall. Once the temporary entry expires lfd
+removes the IP address from both csf (as normal) as well as the users
+CloudFlare Firewall.
+
+Note: Any CloudFlare account configured to use the special case "any" field
+value in csf.cloudflare will also have a CloudFlare rule added.
+
+Note: In the above IP addresses are used as the target for each rule. However,
+the target can be one of:
+ . An IP address
+ . 2 letter Country Code
+ . IP range CIDR
+Only Enterprise customers can "block" a Country Code, but all can "allow" and
+"challenge". IP range CIDR is limited to /16 and /24.
+
+6. To manually remove an IP block that was blocked via CF_ENABLE in lfd or by
+using "tempadd" use the normal csf temp CLI commands. This will remove the
+rules from both iptables and the users CloudFlare firewall, e.g.:
+
+csf --tr 44.33.22.11
+
+
+28. InterWorx
+#############
+
+InterWorx integration is available for csf. The installation makes changes to
+the underlying InterWorx installation due to its current dependence on APF. To
+cater for this, installing csf will replace /etc/apf/apf with a stub script
+that redirects commands to csf. The script is then chattr +ia to prevent it
+being overwritten.
+
+Note: None of the apf conf files are used and are ignored by csf.
+
+The Firewall UI option in NodeWorx should now not be used and any changes made
+there will not be reflected in iptables.
+
+There is a UI option under "ConfigServer Services" for "ConfigServer Firewall &
+Security" that should now be used.
+
+The installation will also replace the Firewall page in NodeWorx with a dummy
+page stating that csf should be used instead. lfd will replace the page upon
+restart incase of upgrades to InterWorx. If you want to disable this behaviour,
+create an empty file as follows:
+
+touch /etc/cxs/interworx.firewall
+
+The InterWorx plugin for csf is auto-enabled. Enabling or Disabling the
+InterWorx plugin has no effect on csf itself, only the UI plugin presence.
+
+NOTE: Unless you have configured a root forwarder, you should edit the csf
+configuration settings in /etc/csf/csf.conf or via the UI and set LF_ALERT_TO
+to a suitable email address. After making any changes, restart csf and then
+lfd.
+
+
+28. CentOS Web Panel (CWP)
+##########################
+
+CWP integration is available for csf. Since CWP already has some custom
+modifications, these have been taken into account. To access the now inbuilt UI
+in CWP, there is a new menu option in CWP > ConfigServer Scripts > ConfigServer
+Firewall.
+
+There is now an option in /etc/csf/csf.conf for LF_CWP for login failure
+detection. However, this WILL NOT work with the default CWP installation as
+there is a custom entry in /etc/csf/regex.custom.pm. The now official detection
+will be ignored while this is in place.
+
+If you want to use the now inbuilt detection you must edit
+/etc/csf/regex.custom.pm and remove the 3 lines that comprise the custom entry
+and then restart lfd.
diff --git a/csf/regex.custom.pm b/csf/regex.custom.pm
new file mode 120000
index 0000000..f3cbde0
--- /dev/null
+++ b/csf/regex.custom.pm
@@ -0,0 +1 @@
+/usr/local/csf/bin/regex.custom.pm
\ No newline at end of file
diff --git a/csf/remove_apf_bfd.sh b/csf/remove_apf_bfd.sh
new file mode 120000
index 0000000..ca6b106
--- /dev/null
+++ b/csf/remove_apf_bfd.sh
@@ -0,0 +1 @@
+/usr/local/csf/bin/remove_apf_bfd.sh
\ No newline at end of file
diff --git a/csf/ui/images/LICENSE.txt b/csf/ui/images/LICENSE.txt
new file mode 100644
index 0000000..34da9d9
--- /dev/null
+++ b/csf/ui/images/LICENSE.txt
@@ -0,0 +1,14 @@
+Fugue Icons
+
+plus.png
+minus.png
+perm.png
+ip.png
+delete.png
+
+(C) 2013 Yusuke Kamiyamane. All rights reserved.
+These icons are licensed under a Creative Commons
+Attribution 3.0 License.
+
+
+
diff --git a/csf/ui/images/admin_icon.svg b/csf/ui/images/admin_icon.svg
new file mode 100644
index 0000000..8a9afa9
--- /dev/null
+++ b/csf/ui/images/admin_icon.svg
@@ -0,0 +1,25 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/csf/ui/images/bootstrap-chosen.css b/csf/ui/images/bootstrap-chosen.css
new file mode 100644
index 0000000..54e6a13
--- /dev/null
+++ b/csf/ui/images/bootstrap-chosen.css
@@ -0,0 +1,346 @@ +.chosen-select { + width: 100%; } + +.chosen-select-deselect { + width: 100%; } + +.chosen-container { + display: inline-block; + font-size: 14px; + position: relative; + vertical-align: middle; } + .chosen-container .chosen-drop { + background: #fff; + border: 1px solid #ccc; + border-bottom-right-radius: 4px; + border-bottom-left-radius: 4px; + -webkit-box-shadow: 0 8px 8px rgba(0, 0, 0, 0.25); + box-shadow: 0 8px 8px rgba(0, 0, 0, 0.25); + margin-top: -1px; + position: absolute; + top: 100%; + left: -9000px; + z-index: 1060; } + .chosen-container.chosen-with-drop .chosen-drop { + left: 0; + right: 0; } + .chosen-container .chosen-results { + color: #555555; + margin: 0 4px 4px 0; + max-height: 240px; + padding: 0 0 0 4px; + position: relative; + overflow-x: hidden; + overflow-y: auto; + -webkit-overflow-scrolling: touch; } + .chosen-container .chosen-results li { + display: none; + line-height: 1.42857; + list-style: none; + margin: 0; + padding: 5px 6px; } + .chosen-container .chosen-results li em { + background: #feffde; + font-style: normal; } + .chosen-container .chosen-results li.group-result { + display: list-item; + cursor: default; + color: #999; + font-weight: bold; } + .chosen-container .chosen-results li.group-option { + padding-left: 15px; } + .chosen-container .chosen-results li.active-result { + cursor: pointer; + display: list-item; } + .chosen-container .chosen-results li.highlighted { + background-color: #337ab7; + background-image: none; + color: white; } + .chosen-container .chosen-results li.highlighted em { + background: transparent; } + .chosen-container .chosen-results li.disabled-result { + display: list-item; + color: #777777; } + .chosen-container .chosen-results .no-results { + background: #eeeeee; + display: list-item; } + .chosen-container .chosen-results-scroll { + background: white; + margin: 0 4px; + position: absolute; + text-align: center; + width: 321px; + z-index: 1; } + .chosen-container 
.chosen-results-scroll span { + display: inline-block; + height: 1.42857; + text-indent: -5000px; + width: 9px; } + .chosen-container .chosen-results-scroll-down { + bottom: 0; } + .chosen-container .chosen-results-scroll-down span { + background: url("chosen-sprite.png") no-repeat -4px -3px; } + .chosen-container .chosen-results-scroll-up span { + background: url("chosen-sprite.png") no-repeat -22px -3px; } + +.chosen-container-single .chosen-single { + background-color: #fff; + -webkit-background-clip: padding-box; + -moz-background-clip: padding; + background-clip: padding-box; + border: 1px solid #ccc; + border-top-right-radius: 4px; + border-top-left-radius: 4px; + border-bottom-right-radius: 4px; + border-bottom-left-radius: 4px; + -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + color: #555555; + display: block; + height: 34px; + overflow: hidden; + line-height: 34px; + padding: 0 0 0 8px; + position: relative; + text-decoration: none; + white-space: nowrap; } + .chosen-container-single .chosen-single span { + display: block; + margin-right: 26px; + overflow: hidden; + text-overflow: ellipsis; + white-space: nowrap; } + .chosen-container-single .chosen-single abbr { + background: url("chosen-sprite.png") right top no-repeat; + display: block; + font-size: 1px; + height: 10px; + position: absolute; + right: 26px; + top: 12px; + width: 12px; } + .chosen-container-single .chosen-single abbr:hover { + background-position: right -11px; } + .chosen-container-single .chosen-single.chosen-disabled .chosen-single abbr:hover { + background-position: right 2px; } + .chosen-container-single .chosen-single div { + display: block; + height: 100%; + position: absolute; + top: 0; + right: 0; + width: 18px; } + .chosen-container-single .chosen-single div b { + background: url("chosen-sprite.png") no-repeat 0 7px; + display: block; + height: 100%; + width: 100%; } +.chosen-container-single .chosen-default { + 
color: #777777; } +.chosen-container-single .chosen-search { + margin: 0; + padding: 3px 4px; + position: relative; + white-space: nowrap; + z-index: 1000; } + .chosen-container-single .chosen-search input[type="text"] { + background: url("chosen-sprite.png") no-repeat 100% -20px, #fff; + border: 1px solid #ccc; + border-top-right-radius: 4px; + border-top-left-radius: 4px; + border-bottom-right-radius: 4px; + border-bottom-left-radius: 4px; + -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + margin: 1px 0; + padding: 4px 20px 4px 4px; + width: 100%; } +.chosen-container-single .chosen-drop { + margin-top: -1px; + border-bottom-right-radius: 4px; + border-bottom-left-radius: 4px; + -webkit-background-clip: padding-box; + -moz-background-clip: padding; + background-clip: padding-box; } + +.chosen-container-single-nosearch .chosen-search input[type="text"] { + position: absolute; + left: -9000px; } + +.chosen-container-multi .chosen-choices { + background-color: #fff; + border: 1px solid #ccc; + border-top-right-radius: 4px; + border-top-left-radius: 4px; + border-bottom-right-radius: 4px; + border-bottom-left-radius: 4px; + -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + cursor: text; + height: auto !important; + height: 1%; + margin: 0; + overflow: hidden; + padding: 0; + position: relative; } + .chosen-container-multi .chosen-choices li { + float: left; + list-style: none; } + .chosen-container-multi .chosen-choices .search-field { + margin: 0; + padding: 0; + white-space: nowrap; } + .chosen-container-multi .chosen-choices .search-field input[type="text"] { + background: transparent !important; + border: 0 !important; + -webkit-box-shadow: none; + box-shadow: none; + color: #555555; + height: 32px; + margin: 0; + padding: 4px; + outline: 0; } + .chosen-container-multi .chosen-choices .search-field .default { + color: #999; } + 
.chosen-container-multi .chosen-choices .search-choice { + -webkit-background-clip: padding-box; + -moz-background-clip: padding; + background-clip: padding-box; + background-color: #eeeeee; + border: 1px solid #ccc; + border-top-right-radius: 4px; + border-top-left-radius: 4px; + border-bottom-right-radius: 4px; + border-bottom-left-radius: 4px; + background-image: -webkit-linear-gradient(top, white 0%, #eeeeee 100%); + background-image: -o-linear-gradient(top, white 0%, #eeeeee 100%); + background-image: linear-gradient(to bottom, white 0%, #eeeeee 100%); + background-repeat: repeat-x; + filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#FFFFFFFF', endColorstr='#FFEEEEEE', GradientType=0); + -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + color: #333333; + cursor: default; + line-height: 13px; + margin: 6px 0 3px 5px; + padding: 3px 20px 3px 5px; + position: relative; } + .chosen-container-multi .chosen-choices .search-choice .search-choice-close { + background: url("chosen-sprite.png") right top no-repeat; + display: block; + font-size: 1px; + height: 10px; + position: absolute; + right: 4px; + top: 5px; + width: 12px; + cursor: pointer; } + .chosen-container-multi .chosen-choices .search-choice .search-choice-close:hover { + background-position: right -11px; } + .chosen-container-multi .chosen-choices .search-choice-focus { + background: #d4d4d4; } + .chosen-container-multi .chosen-choices .search-choice-focus .search-choice-close { + background-position: right -11px; } +.chosen-container-multi .chosen-results { + margin: 0 0 0 0; + padding: 0; } +.chosen-container-multi .chosen-drop .result-selected { + display: none; } + +.chosen-container-active .chosen-single { + border: 1px solid #66afe9; + -webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, 0.075) inset, 0 0 8px #66afe9; + box-shadow: 0 1px 1px rgba(0, 0, 0, 0.075) inset, 0 0 8px #66afe9; + -webkit-transition: border linear 0.2s, 
box-shadow linear 0.2s; + -o-transition: border linear 0.2s, box-shadow linear 0.2s; + transition: border linear 0.2s, box-shadow linear 0.2s; } +.chosen-container-active.chosen-with-drop .chosen-single { + background-color: #fff; + border: 1px solid #66afe9; + border-bottom-right-radius: 0; + border-bottom-left-radius: 0; + -webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, 0.075) inset, 0 0 8px #66afe9; + box-shadow: 0 1px 1px rgba(0, 0, 0, 0.075) inset, 0 0 8px #66afe9; + -webkit-transition: border linear 0.2s, box-shadow linear 0.2s; + -o-transition: border linear 0.2s, box-shadow linear 0.2s; + transition: border linear 0.2s, box-shadow linear 0.2s; } + .chosen-container-active.chosen-with-drop .chosen-single div { + background: transparent; + border-left: none; } + .chosen-container-active.chosen-with-drop .chosen-single div b { + background-position: -18px 7px; } +.chosen-container-active .chosen-choices { + border: 1px solid #66afe9; + border-bottom-right-radius: 0; + border-bottom-left-radius: 0; + -webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, 0.075) inset, 0 0 8px #66afe9; + box-shadow: 0 1px 1px rgba(0, 0, 0, 0.075) inset, 0 0 8px #66afe9; + -webkit-transition: border linear 0.2s, box-shadow linear 0.2s; + -o-transition: border linear 0.2s, box-shadow linear 0.2s; + transition: border linear 0.2s, box-shadow linear 0.2s; } + .chosen-container-active .chosen-choices .search-field input[type="text"] { + color: #111 !important; } +.chosen-container-active.chosen-with-drop .chosen-choices { + border-bottom-right-radius: 0; + border-bottom-left-radius: 0; } + +.chosen-disabled { + cursor: default; + opacity: 0.5 !important; } + .chosen-disabled .chosen-single { + cursor: default; } + .chosen-disabled .chosen-choices .search-choice .search-choice-close { + cursor: default; } + +.chosen-rtl { + text-align: right; } + .chosen-rtl .chosen-single { + padding: 0 8px 0 0; + overflow: visible; } + .chosen-rtl .chosen-single span { + margin-left: 26px; + margin-right: 0; + 
direction: rtl; } + .chosen-rtl .chosen-single div { + left: 7px; + right: auto; } + .chosen-rtl .chosen-single abbr { + left: 26px; + right: auto; } + .chosen-rtl .chosen-choices .search-field input[type="text"] { + direction: rtl; } + .chosen-rtl .chosen-choices li { + float: right; } + .chosen-rtl .chosen-choices .search-choice { + margin: 6px 5px 3px 0; + padding: 3px 5px 3px 19px; } + .chosen-rtl .chosen-choices .search-choice .search-choice-close { + background-position: right top; + left: 4px; + right: auto; } + .chosen-rtl.chosen-container-single .chosen-results { + margin: 0 0 4px 4px; + padding: 0 4px 0 0; } + .chosen-rtl .chosen-results .group-option { + padding-left: 0; + padding-right: 15px; } + .chosen-rtl.chosen-container-active.chosen-with-drop .chosen-single div { + border-right: none; } + .chosen-rtl .chosen-search input[type="text"] { + background: url("chosen-sprite.png") no-repeat -28px -20px, #fff; + direction: rtl; + padding: 4px 5px 4px 20px; } + +@media only screen and (-webkit-min-device-pixel-ratio: 2), only screen and (min-resolution: 2dppx) { + .chosen-rtl .chosen-search input[type="text"], + .chosen-container-single .chosen-single abbr, + .chosen-container-single .chosen-single div b, + .chosen-container-single .chosen-search input[type="text"], + .chosen-container-multi .chosen-choices .search-choice .search-choice-close, + .chosen-container .chosen-results-scroll-down span, + .chosen-container .chosen-results-scroll-up span { + background-image: url("chosen-sprite@2x.png") !important; + background-size: 52px 37px !important; + background-repeat: no-repeat !important; } } + +/*# sourceMappingURL=bootstrap-chosen.css.map */ diff --git a/csf/ui/images/bootstrap-switch.min.css b/csf/ui/images/bootstrap-switch.min.css new file mode 100644 index 0000000..c63cfe2 --- /dev/null +++ b/csf/ui/images/bootstrap-switch.min.css 
@@ -0,0 +1,22 @@ +/* ======================================================================== + * bootstrap-switch - v3.3.2 + * http://www.bootstrap-switch.org + * ======================================================================== + * Copyright 2012-2013 Mattia Larentis + * + * ======================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ======================================================================== + */ + +.bootstrap-switch{display:inline-block;direction:ltr;cursor:pointer;border-radius:4px;border:1px solid #ccc;position:relative;text-align:left;overflow:hidden;line-height:8px;z-index:0;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.bootstrap-switch .bootstrap-switch-container{display:inline-block;top:0;border-radius:4px;-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.bootstrap-switch .bootstrap-switch-handle-off,.bootstrap-switch .bootstrap-switch-handle-on,.bootstrap-switch .bootstrap-switch-label{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;cursor:pointer;display:inline-block!important;height:100%;padding:6px 
12px;font-size:14px;line-height:20px}.bootstrap-switch .bootstrap-switch-handle-off,.bootstrap-switch .bootstrap-switch-handle-on{text-align:center;z-index:1}.bootstrap-switch .bootstrap-switch-handle-off.bootstrap-switch-primary,.bootstrap-switch .bootstrap-switch-handle-on.bootstrap-switch-primary{color:#fff;background:#337ab7}.bootstrap-switch .bootstrap-switch-handle-off.bootstrap-switch-info,.bootstrap-switch .bootstrap-switch-handle-on.bootstrap-switch-info{color:#fff;background:#5bc0de}.bootstrap-switch .bootstrap-switch-handle-off.bootstrap-switch-success,.bootstrap-switch .bootstrap-switch-handle-on.bootstrap-switch-success{color:#fff;background:#5cb85c}.bootstrap-switch .bootstrap-switch-handle-off.bootstrap-switch-warning,.bootstrap-switch .bootstrap-switch-handle-on.bootstrap-switch-warning{background:#f0ad4e;color:#fff}.bootstrap-switch .bootstrap-switch-handle-off.bootstrap-switch-danger,.bootstrap-switch .bootstrap-switch-handle-on.bootstrap-switch-danger{color:#fff;background:#d9534f}.bootstrap-switch .bootstrap-switch-handle-off.bootstrap-switch-default,.bootstrap-switch .bootstrap-switch-handle-on.bootstrap-switch-default{color:#000;background:#eee}.bootstrap-switch .bootstrap-switch-label{text-align:center;margin-top:-1px;margin-bottom:-1px;z-index:100;color:#333;background:#fff}.bootstrap-switch .bootstrap-switch-handle-on{border-bottom-left-radius:3px;border-top-left-radius:3px}.bootstrap-switch .bootstrap-switch-handle-off{border-bottom-right-radius:3px;border-top-right-radius:3px}.bootstrap-switch input[type=radio],.bootstrap-switch input[type=checkbox]{position:absolute!important;top:0;left:0;margin:0;z-index:-1;opacity:0;filter:alpha(opacity=0)}.bootstrap-switch.bootstrap-switch-mini .bootstrap-switch-handle-off,.bootstrap-switch.bootstrap-switch-mini .bootstrap-switch-handle-on,.bootstrap-switch.bootstrap-switch-mini .bootstrap-switch-label{padding:1px 5px;font-size:12px;line-height:1.5}.bootstrap-switch.bootstrap-switch-small 
.bootstrap-switch-handle-off,.bootstrap-switch.bootstrap-switch-small .bootstrap-switch-handle-on,.bootstrap-switch.bootstrap-switch-small .bootstrap-switch-label{padding:5px 10px;font-size:12px;line-height:1.5}.bootstrap-switch.bootstrap-switch-large .bootstrap-switch-handle-off,.bootstrap-switch.bootstrap-switch-large .bootstrap-switch-handle-on,.bootstrap-switch.bootstrap-switch-large .bootstrap-switch-label{padding:6px 16px;font-size:18px;line-height:1.3333333}.bootstrap-switch.bootstrap-switch-disabled,.bootstrap-switch.bootstrap-switch-indeterminate,.bootstrap-switch.bootstrap-switch-readonly{cursor:default!important}.bootstrap-switch.bootstrap-switch-disabled .bootstrap-switch-handle-off,.bootstrap-switch.bootstrap-switch-disabled .bootstrap-switch-handle-on,.bootstrap-switch.bootstrap-switch-disabled .bootstrap-switch-label,.bootstrap-switch.bootstrap-switch-indeterminate .bootstrap-switch-handle-off,.bootstrap-switch.bootstrap-switch-indeterminate .bootstrap-switch-handle-on,.bootstrap-switch.bootstrap-switch-indeterminate .bootstrap-switch-label,.bootstrap-switch.bootstrap-switch-readonly .bootstrap-switch-handle-off,.bootstrap-switch.bootstrap-switch-readonly .bootstrap-switch-handle-on,.bootstrap-switch.bootstrap-switch-readonly .bootstrap-switch-label{opacity:.5;filter:alpha(opacity=50);cursor:default!important}.bootstrap-switch.bootstrap-switch-animate .bootstrap-switch-container{-webkit-transition:margin-left .5s;-o-transition:margin-left .5s;transition:margin-left .5s}.bootstrap-switch.bootstrap-switch-inverse .bootstrap-switch-handle-on{border-radius:0 3px 3px 0}.bootstrap-switch.bootstrap-switch-inverse .bootstrap-switch-handle-off{border-radius:3px 0 0 3px}.bootstrap-switch.bootstrap-switch-focused{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.bootstrap-switch.bootstrap-switch-inverse.bootstrap-switch-off 
.bootstrap-switch-label,.bootstrap-switch.bootstrap-switch-on .bootstrap-switch-label{border-bottom-right-radius:3px;border-top-right-radius:3px}.bootstrap-switch.bootstrap-switch-inverse.bootstrap-switch-on .bootstrap-switch-label,.bootstrap-switch.bootstrap-switch-off .bootstrap-switch-label{border-bottom-left-radius:3px;border-top-left-radius:3px} \ No newline at end of file diff --git a/csf/ui/images/bootstrap-switch.min.js b/csf/ui/images/bootstrap-switch.min.js new file mode 100644 index 0000000..9849658 --- /dev/null +++ b/csf/ui/images/bootstrap-switch.min.js 
@@ -0,0 +1,22 @@ +/* ======================================================================== + * bootstrap-switch - v3.3.2 + * http://www.bootstrap-switch.org + * ======================================================================== + * Copyright 2012-2013 Mattia Larentis + * + * ======================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ======================================================================== + */ + +(function(){var t=[].slice;!function(e,i){"use strict";var n;return n=function(){function t(t,i){null==i&&(i={}),this.$element=e(t),this.options=e.extend({},e.fn.bootstrapSwitch.defaults,{state:this.$element.is(":checked"),size:this.$element.data("size"),animate:this.$element.data("animate"),disabled:this.$element.is(":disabled"),readonly:this.$element.is("[readonly]"),indeterminate:this.$element.data("indeterminate"),inverse:this.$element.data("inverse"),radioAllOff:this.$element.data("radio-all-off"),onColor:this.$element.data("on-color"),offColor:this.$element.data("off-color"),onText:this.$element.data("on-text"),offText:this.$element.data("off-text"),labelText:this.$element.data("label-text"),handleWidth:this.$element.data("handle-width"),labelWidth:this.$element.data("label-width"),baseClass:this.$element.data("base-class"),wrapperClass:this.$element.data("wrapper-class")},i),this.prevOptions={},this.$wrapper=e("
    ",{"class":function(t){return function(){var e;return e=[""+t.options.baseClass].concat(t._getClasses(t.options.wrapperClass)),e.push(t.options.state?t.options.baseClass+"-on":t.options.baseClass+"-off"),null!=t.options.size&&e.push(t.options.baseClass+"-"+t.options.size),t.options.disabled&&e.push(t.options.baseClass+"-disabled"),t.options.readonly&&e.push(t.options.baseClass+"-readonly"),t.options.indeterminate&&e.push(t.options.baseClass+"-indeterminate"),t.options.inverse&&e.push(t.options.baseClass+"-inverse"),t.$element.attr("id")&&e.push(t.options.baseClass+"-id-"+t.$element.attr("id")),e.join(" ")}}(this)()}),this.$container=e("
    ",{"class":this.options.baseClass+"-container"}),this.$on=e("",{html:this.options.onText,"class":this.options.baseClass+"-handle-on "+this.options.baseClass+"-"+this.options.onColor}),this.$off=e("",{html:this.options.offText,"class":this.options.baseClass+"-handle-off "+this.options.baseClass+"-"+this.options.offColor}),this.$label=e("",{html:this.options.labelText,"class":this.options.baseClass+"-label"}),this.$element.on("init.bootstrapSwitch",function(e){return function(){return e.options.onInit.apply(t,arguments)}}(this)),this.$element.on("switchChange.bootstrapSwitch",function(i){return function(n){return!1===i.options.onSwitchChange.apply(t,arguments)?i.$element.is(":radio")?e("[name='"+i.$element.attr("name")+"']").trigger("previousState.bootstrapSwitch",!0):i.$element.trigger("previousState.bootstrapSwitch",!0):void 0}}(this)),this.$container=this.$element.wrap(this.$container).parent(),this.$wrapper=this.$container.wrap(this.$wrapper).parent(),this.$element.before(this.options.inverse?this.$off:this.$on).before(this.$label).before(this.options.inverse?this.$on:this.$off),this.options.indeterminate&&this.$element.prop("indeterminate",!0),this._init(),this._elementHandlers(),this._handleHandlers(),this._labelHandlers(),this._formHandler(),this._externalLabelHandler(),this.$element.trigger("init.bootstrapSwitch",this.options.state)}return t.prototype._constructor=t,t.prototype.setPrevOptions=function(){return this.prevOptions=e.extend(!0,{},this.options)},t.prototype.state=function(t,i){return"undefined"==typeof 
t?this.options.state:this.options.disabled||this.options.readonly?this.$element:this.options.state&&!this.options.radioAllOff&&this.$element.is(":radio")?this.$element:(this.$element.is(":radio")?e("[name='"+this.$element.attr("name")+"']").trigger("setPreviousOptions.bootstrapSwitch"):this.$element.trigger("setPreviousOptions.bootstrapSwitch"),this.options.indeterminate&&this.indeterminate(!1),t=!!t,this.$element.prop("checked",t).trigger("change.bootstrapSwitch",i),this.$element)},t.prototype.toggleState=function(t){return this.options.disabled||this.options.readonly?this.$element:this.options.indeterminate?(this.indeterminate(!1),this.state(!0)):this.$element.prop("checked",!this.options.state).trigger("change.bootstrapSwitch",t)},t.prototype.size=function(t){return"undefined"==typeof t?this.options.size:(null!=this.options.size&&this.$wrapper.removeClass(this.options.baseClass+"-"+this.options.size),t&&this.$wrapper.addClass(this.options.baseClass+"-"+t),this._width(),this._containerPosition(),this.options.size=t,this.$element)},t.prototype.animate=function(t){return"undefined"==typeof t?this.options.animate:(t=!!t,t===this.options.animate?this.$element:this.toggleAnimate())},t.prototype.toggleAnimate=function(){return this.options.animate=!this.options.animate,this.$wrapper.toggleClass(this.options.baseClass+"-animate"),this.$element},t.prototype.disabled=function(t){return"undefined"==typeof t?this.options.disabled:(t=!!t,t===this.options.disabled?this.$element:this.toggleDisabled())},t.prototype.toggleDisabled=function(){return this.options.disabled=!this.options.disabled,this.$element.prop("disabled",this.options.disabled),this.$wrapper.toggleClass(this.options.baseClass+"-disabled"),this.$element},t.prototype.readonly=function(t){return"undefined"==typeof t?this.options.readonly:(t=!!t,t===this.options.readonly?this.$element:this.toggleReadonly())},t.prototype.toggleReadonly=function(){return 
this.options.readonly=!this.options.readonly,this.$element.prop("readonly",this.options.readonly),this.$wrapper.toggleClass(this.options.baseClass+"-readonly"),this.$element},t.prototype.indeterminate=function(t){return"undefined"==typeof t?this.options.indeterminate:(t=!!t,t===this.options.indeterminate?this.$element:this.toggleIndeterminate())},t.prototype.toggleIndeterminate=function(){return this.options.indeterminate=!this.options.indeterminate,this.$element.prop("indeterminate",this.options.indeterminate),this.$wrapper.toggleClass(this.options.baseClass+"-indeterminate"),this._containerPosition(),this.$element},t.prototype.inverse=function(t){return"undefined"==typeof t?this.options.inverse:(t=!!t,t===this.options.inverse?this.$element:this.toggleInverse())},t.prototype.toggleInverse=function(){var t,e;return this.$wrapper.toggleClass(this.options.baseClass+"-inverse"),e=this.$on.clone(!0),t=this.$off.clone(!0),this.$on.replaceWith(t),this.$off.replaceWith(e),this.$on=t,this.$off=e,this.options.inverse=!this.options.inverse,this.$element},t.prototype.onColor=function(t){var e;return e=this.options.onColor,"undefined"==typeof t?e:(null!=e&&this.$on.removeClass(this.options.baseClass+"-"+e),this.$on.addClass(this.options.baseClass+"-"+t),this.options.onColor=t,this.$element)},t.prototype.offColor=function(t){var e;return e=this.options.offColor,"undefined"==typeof t?e:(null!=e&&this.$off.removeClass(this.options.baseClass+"-"+e),this.$off.addClass(this.options.baseClass+"-"+t),this.options.offColor=t,this.$element)},t.prototype.onText=function(t){return"undefined"==typeof t?this.options.onText:(this.$on.html(t),this._width(),this._containerPosition(),this.options.onText=t,this.$element)},t.prototype.offText=function(t){return"undefined"==typeof t?this.options.offText:(this.$off.html(t),this._width(),this._containerPosition(),this.options.offText=t,this.$element)},t.prototype.labelText=function(t){return"undefined"==typeof 
t?this.options.labelText:(this.$label.html(t),this._width(),this.options.labelText=t,this.$element)},t.prototype.handleWidth=function(t){return"undefined"==typeof t?this.options.handleWidth:(this.options.handleWidth=t,this._width(),this._containerPosition(),this.$element)},t.prototype.labelWidth=function(t){return"undefined"==typeof t?this.options.labelWidth:(this.options.labelWidth=t,this._width(),this._containerPosition(),this.$element)},t.prototype.baseClass=function(t){return this.options.baseClass},t.prototype.wrapperClass=function(t){return"undefined"==typeof t?this.options.wrapperClass:(t||(t=e.fn.bootstrapSwitch.defaults.wrapperClass),this.$wrapper.removeClass(this._getClasses(this.options.wrapperClass).join(" ")),this.$wrapper.addClass(this._getClasses(t).join(" ")),this.options.wrapperClass=t,this.$element)},t.prototype.radioAllOff=function(t){return"undefined"==typeof t?this.options.radioAllOff:(t=!!t,t===this.options.radioAllOff?this.$element:(this.options.radioAllOff=t,this.$element))},t.prototype.onInit=function(t){return"undefined"==typeof t?this.options.onInit:(t||(t=e.fn.bootstrapSwitch.defaults.onInit),this.options.onInit=t,this.$element)},t.prototype.onSwitchChange=function(t){return"undefined"==typeof t?this.options.onSwitchChange:(t||(t=e.fn.bootstrapSwitch.defaults.onSwitchChange),this.options.onSwitchChange=t,this.$element)},t.prototype.destroy=function(){var t;return t=this.$element.closest("form"),t.length&&t.off("reset.bootstrapSwitch").removeData("bootstrap-switch"),this.$container.children().not(this.$element).remove(),this.$element.unwrap().unwrap().off(".bootstrapSwitch").removeData("bootstrap-switch"),this.$element},t.prototype._width=function(){var t,e;return t=this.$on.add(this.$off),t.add(this.$label).css("width",""),e="auto"===this.options.handleWidth?Math.max(this.$on.width(),this.$off.width()):this.options.handleWidth,t.width(e),this.$label.width(function(t){return 
function(i,n){return"auto"!==t.options.labelWidth?t.options.labelWidth:e>n?e:n}}(this)),this._handleWidth=this.$on.outerWidth(),this._labelWidth=this.$label.outerWidth(),this.$container.width(2*this._handleWidth+this._labelWidth),this.$wrapper.width(this._handleWidth+this._labelWidth)},t.prototype._containerPosition=function(t,e){return null==t&&(t=this.options.state),this.$container.css("margin-left",function(e){return function(){var i;return i=[0,"-"+e._handleWidth+"px"],e.options.indeterminate?"-"+e._handleWidth/2+"px":t?e.options.inverse?i[1]:i[0]:e.options.inverse?i[0]:i[1]}}(this)),e?setTimeout(function(){return e()},50):void 0},t.prototype._init=function(){var t,e;return t=function(t){return function(){return t.setPrevOptions(),t._width(),t._containerPosition(null,function(){return t.options.animate?t.$wrapper.addClass(t.options.baseClass+"-animate"):void 0})}}(this),this.$wrapper.is(":visible")?t():e=i.setInterval(function(n){return function(){return n.$wrapper.is(":visible")?(t(),i.clearInterval(e)):void 0}}(this),50)},t.prototype._elementHandlers=function(){return this.$element.on({"setPreviousOptions.bootstrapSwitch":function(t){return function(e){return t.setPrevOptions()}}(this),"previousState.bootstrapSwitch":function(t){return function(e){return t.options=t.prevOptions,t.options.indeterminate&&t.$wrapper.addClass(t.options.baseClass+"-indeterminate"),t.$element.prop("checked",t.options.state).trigger("change.bootstrapSwitch",!0)}}(this),"change.bootstrapSwitch":function(t){return function(i,n){var o;return i.preventDefault(),i.stopImmediatePropagation(),o=t.$element.is(":checked"),t._containerPosition(o),o!==t.options.state?(t.options.state=o,t.$wrapper.toggleClass(t.options.baseClass+"-off").toggleClass(t.options.baseClass+"-on"),n?void 0:(t.$element.is(":radio")&&e("[name='"+t.$element.attr("name")+"']").not(t.$element).prop("checked",!1).trigger("change.bootstrapSwitch",!0),t.$element.trigger("switchChange.bootstrapSwitch",[o]))):void 
0}}(this),"focus.bootstrapSwitch":function(t){return function(e){return e.preventDefault(),t.$wrapper.addClass(t.options.baseClass+"-focused")}}(this),"blur.bootstrapSwitch":function(t){return function(e){return e.preventDefault(),t.$wrapper.removeClass(t.options.baseClass+"-focused")}}(this),"keydown.bootstrapSwitch":function(t){return function(e){if(e.which&&!t.options.disabled&&!t.options.readonly)switch(e.which){case 37:return e.preventDefault(),e.stopImmediatePropagation(),t.state(!1);case 39:return e.preventDefault(),e.stopImmediatePropagation(),t.state(!0)}}}(this)})},t.prototype._handleHandlers=function(){return this.$on.on("click.bootstrapSwitch",function(t){return function(e){return e.preventDefault(),e.stopPropagation(),t.state(!1),t.$element.trigger("focus.bootstrapSwitch")}}(this)),this.$off.on("click.bootstrapSwitch",function(t){return function(e){return e.preventDefault(),e.stopPropagation(),t.state(!0),t.$element.trigger("focus.bootstrapSwitch")}}(this))},t.prototype._labelHandlers=function(){return this.$label.on({click:function(t){return t.stopPropagation()},"mousedown.bootstrapSwitch touchstart.bootstrapSwitch":function(t){return function(e){return t._dragStart||t.options.disabled||t.options.readonly?void 0:(e.preventDefault(),e.stopPropagation(),t._dragStart=(e.pageX||e.originalEvent.touches[0].pageX)-parseInt(t.$container.css("margin-left"),10),t.options.animate&&t.$wrapper.removeClass(t.options.baseClass+"-animate"),t.$element.trigger("focus.bootstrapSwitch"))}}(this),"mousemove.bootstrapSwitch touchmove.bootstrapSwitch":function(t){return function(e){var i;if(null!=t._dragStart&&(e.preventDefault(),i=(e.pageX||e.originalEvent.touches[0].pageX)-t._dragStart,!(i<-t._handleWidth||i>0)))return t._dragEnd=i,t.$container.css("margin-left",t._dragEnd+"px")}}(this),"mouseup.bootstrapSwitch touchend.bootstrapSwitch":function(t){return function(e){var i;if(t._dragStart)return 
e.preventDefault(),t.options.animate&&t.$wrapper.addClass(t.options.baseClass+"-animate"),t._dragEnd?(i=t._dragEnd>-(t._handleWidth/2),t._dragEnd=!1,t.state(t.options.inverse?!i:i)):t.state(!t.options.state),t._dragStart=!1}}(this),"mouseleave.bootstrapSwitch":function(t){return function(e){return t.$label.trigger("mouseup.bootstrapSwitch")}}(this)})},t.prototype._externalLabelHandler=function(){var t;return t=this.$element.closest("label"),t.on("click",function(e){return function(i){return i.preventDefault(),i.stopImmediatePropagation(),i.target===t[0]?e.toggleState():void 0}}(this))},t.prototype._formHandler=function(){var t;return t=this.$element.closest("form"),t.data("bootstrap-switch")?void 0:t.on("reset.bootstrapSwitch",function(){return i.setTimeout(function(){return t.find("input").filter(function(){return e(this).data("bootstrap-switch")}).each(function(){return e(this).bootstrapSwitch("state",this.checked)})},1)}).data("bootstrap-switch",!0)},t.prototype._getClasses=function(t){var i,n,o,s;if(!e.isArray(t))return[this.options.baseClass+"-"+t];for(n=[],o=0,s=t.length;s>o;o++)i=t[o],n.push(this.options.baseClass+"-"+i);return n},t}(),e.fn.bootstrapSwitch=function(){var i,o,s;return o=arguments[0],i=2<=arguments.length?t.call(arguments,1):[],s=this,this.each(function(){var t,a;return t=e(this),a=t.data("bootstrap-switch"),a||t.data("bootstrap-switch",a=new n(this,o)),"string"==typeof o?s=a[o].apply(a,i):void 0}),s},e.fn.bootstrapSwitch.Constructor=n,e.fn.bootstrapSwitch.defaults={state:!0,size:null,animate:!0,disabled:!1,readonly:!1,indeterminate:!1,inverse:!1,radioAllOff:!1,onColor:"primary",offColor:"default",onText:"ON",offText:"OFF",labelText:" ",handleWidth:"auto",labelWidth:"auto",baseClass:"bootstrap-switch",wrapperClass:"wrapper",onInit:function(){},onSwitchChange:function(){}}}(window.jQuery,window)}).call(this); \ No newline at end of file 
diff --git a/csf/ui/images/bootstrap.confirm.js b/csf/ui/images/bootstrap.confirm.js
new file mode 100644
index 0000000..4b634ba
--- /dev/null
+++ b/csf/ui/images/bootstrap.confirm.js
@@ -0,0 +1,87 @@
+; (function ($, window, document, undefined) {
+
+ 'use strict';
+ var
+ pluginName = 'bsModalConfirm',
+ defaults = {
+ template: '',
+ title: 'Confirm',
+ message: 'Are you sure?',
+ type: 'success'
+ };
+
+
+ function Plugin(element, options) {
+ this.element = element;
+
+ this.settings = $.extend({}, defaults, options, $(element).data());
+ this._defaults = defaults;
+ this._name = pluginName;
+ this.init();
+ }
+
+ $.extend(Plugin.prototype, {
+ renderTemplate: function () {
+ var
+ settings = this.settings,
+ templateString = settings.template;
+ for (var option in settings) {
+ if (typeof (settings[option]) === 'string' && option !== 'template' && settings.hasOwnProperty(option)) {
+ var rgx = new RegExp('\{\{' + option.trim() + '\}\}', 'g');
+ templateString = templateString.replace(rgx, settings[option]);
+ }
+ }
+
+ return templateString;
+ },
+ init: function () {
+ var
+ $this = $(this.element),
+ settings = this.settings,
+ nodeName = this.element.nodeName.toLowerCase(),
+ inputType = this.element.type,
+ $modal = $($.parseHTML(this.renderTemplate())),
+ handler;
+
+ if (nodeName == 'a') {
+ var that = this;
+ handler = function (e) {
+ window.location.href = that.element.href;
+ $modal.modal('hide');
+ };
+ } else if (inputType == 'submit') {
+ var form = $this.closest('form')[0];
+
+ $(form).submit(function (e) {
+ e.preventDefault();
+ });
+
+ handler = function (e) {
+ form.submit();
+ $modal.modal('hide');
+
+ };
+
+ } else {
+ handler = function () { };
+ }
+
+ $modal.find('[data-trigger="confirm"]').click(handler);
+
+ $this.click(function (e) {
+ e.preventDefault();
+ $modal.modal();
+ });
+
+ }
+ });
+
+ $.fn[pluginName] = function (options) {
+ return this.each(function () {
+ if (!$.data(this, "plugin_" + pluginName)) {
+ $.data(this, "plugin_" + pluginName, new Plugin(this, options));
+ }
+ });
+ };
+ $('[data-toggle="confirm"]').bsModalConfirm();
+})(jQuery, window, document);
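Review bot: `renderTemplate` substitutes every string setting into the template as raw HTML, and `init` then feeds the result through `$.parseHTML` into the modal, so any `{{title}}` or `{{message}}` value that contains markup is rendered as markup. The settings are merged from `$(element).data()`, so these values come from `data-*` attributes on the page; if the server ever writes request- or log-derived text into those attributes (not visible in this hunk), the confirm dialog of this admin UI becomes a DOM XSS sink. `$.parseHTML` drops script elements by default but keeps inline event-handler attributes, so it is not a sufficient filter on its own. HTML-escaping each value before substitution and passing it through a replacer function, so that `$&`-style sequences in the value are not interpreted by `replace`, addresses both points. The option name is also concatenated into the `RegExp` unescaped, which is worth restricting to a known set of keys.

```javascript
// HTML-escape a substituted value so it is inserted as text, not markup.
function escapeHtml(value) {
    return String(value).replace(/[&<>"']/g, function (ch) {
        return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch];
    });
}

// … unchanged: Plugin constructor, start of renderTemplate …

                var rgx = new RegExp('\{\{' + option.trim() + '\}\}', 'g');
                var safeValue = escapeHtml(settings[option]);
                // Replacer function: the value is used literally, never as a replacement pattern.
                templateString = templateString.replace(rgx, function () { return safeValue; });

// … unchanged: rest of renderTemplate, init, plugin registration …
```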
diff --git a/csf/ui/images/bootstrap/css/bootstrap.min.css b/csf/ui/images/bootstrap/css/bootstrap.min.css new file mode 100644 index 0000000..b89ef7f --- /dev/null +++ b/csf/ui/images/bootstrap/css/bootstrap.min.css 
@@ -0,0 +1,6 @@ +/*! + * Bootstrap v3.3.7 (http://getbootstrap.com) + * Copyright 2011-2017 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html 
input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,:after,:before{color:#000!important;text-shadow:none!important;background:0 0!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}blockquote,pre{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}img,tr{page-break-inside:avoid}img{max-width:100%!important}h2,h3,p{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table td,.table th{background-color:#fff!important}.table-bordered td,.table-bordered th{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff2) 
format('woff2'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\002a"}.glyphicon-plus:before{content:"\002b"}.glyphicon-eur:before,.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{c
ontent:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-rig
ht:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left
:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{content:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:b
efore{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}.glyphicon-cd:before{content:"\e201"}.glyphicon-save-file:before{content:"\e202"}.glyphicon-open-file:before{content:"\e203"}.glyphicon-level-up:before{content:"\e204"}.glyphicon-copy:before{content:"\e205"}.glyphicon-paste:before{content:"\e206"}.glyphicon-alert:before{content:"\e209"}.glyphicon-equalizer:before{content:"\e210"}.glyphicon-king:before{content:"\e211"}.glyphicon-queen:before{content:"\e212"}.glyphicon-pawn:before{content:"\e213"}.glyphicon-bishop:before{content:"\e214"}.glyphicon-knight:before{content:"\e215"}.glyphicon-baby-formula:before{content:"\e216"}.glyphicon-tent:before{content:"\26fa"}.glyphicon-blackboard:before{content:"\e218"}.glyphicon-bed:before{content:"\e219"}.glyphicon-apple:before{content:"\f8ff"}.glyphicon-erase:before{content:"\e221"}.glyphicon-hourglass:before{content:"\231b"}.glyphicon-lamp:before{content
:"\e223"}.glyphicon-duplicate:before{content:"\e224"}.glyphicon-piggy-bank:before{content:"\e225"}.glyphicon-scissors:before{content:"\e226"}.glyphicon-bitcoin:before{content:"\e227"}.glyphicon-btc:before{content:"\e227"}.glyphicon-xbt:before{content:"\e227"}.glyphicon-yen:before{content:"\00a5"}.glyphicon-jpy:before{content:"\00a5"}.glyphicon-ruble:before{content:"\20bd"}.glyphicon-rub:before{content:"\20bd"}.glyphicon-scale:before{content:"\e230"}.glyphicon-ice-lolly:before{content:"\e231"}.glyphicon-ice-lolly-tasted:before{content:"\e232"}.glyphicon-education:before{content:"\e233"}.glyphicon-option-horizontal:before{content:"\e234"}.glyphicon-option-vertical:before{content:"\e235"}.glyphicon-menu-hamburger:before{content:"\e236"}.glyphicon-modal-window:before{content:"\e237"}.glyphicon-oil:before{content:"\e238"}.glyphicon-grain:before{content:"\e239"}.glyphicon-sunglasses:before{content:"\e240"}.glyphicon-text-size:before{content:"\e241"}.glyphicon-text-color:before{content:"\e242"}.glyphicon-text-background:before{content:"\e243"}.glyphicon-object-align-top:before{content:"\e244"}.glyphicon-object-align-bottom:before{content:"\e245"}.glyphicon-object-align-horizontal:before{content:"\e246"}.glyphicon-object-align-left:before{content:"\e247"}.glyphicon-object-align-vertical:before{content:"\e248"}.glyphicon-object-align-right:before{content:"\e249"}.glyphicon-triangle-right:before{content:"\e250"}.glyphicon-triangle-left:before{content:"\e251"}.glyphicon-triangle-bottom:before{content:"\e252"}.glyphicon-triangle-top:before{content:"\e253"}.glyphicon-console:before{content:"\e254"}.glyphicon-superscript:before{content:"\e255"}.glyphicon-subscript:before{content:"\e256"}.glyphicon-menu-left:before{content:"\e257"}.glyphicon-menu-right:before{content:"\e258"}.glyphicon-menu-down:before{content:"\e259"}.glyphicon-menu-up:before{content:"\e260"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:after,:before{-webkit-box-sizing:border-b
ox;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}button,input,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#337ab7;text-decoration:none}a:focus,a:hover{color:#23527c;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.carousel-inner>.item>a>img,.carousel-inner>.item>img,.img-responsive,.thumbnail a>img,.thumbnail>img{display:block;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}[role=button]{cursor:pointer}.h1,.h2,.h3,.h4,.h5,.h6,h1,h2,h3,h4,h5,h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}.h1 .small,.h1 small,.h2 .small,.h2 small,.h3 .small,.h3 small,.h4 .small,.h4 small,.h5 .small,.h5 small,.h6 .small,.h6 small,h1 .small,h1 small,h2 .small,h2 small,h3 .small,h3 small,h4 .small,h4 small,h5 .small,h5 small,h6 .small,h6 small{font-weight:400;line-height:1;color:#777}.h1,.h2,.h3,h1,h2,h3{margin-top:20px;margin-bottom:10px}.h1 .small,.h1 small,.h2 .small,.h2 small,.h3 .small,.h3 small,h1 .small,h1 small,h2 .small,h2 small,h3 .small,h3 small{font-size:65%}.h4,.h5,.h6,h4,h5,h6{margin-top:10px;margin-bottom:10px}.h4 .small,.h4 
small,.h5 .small,.h5 small,.h6 .small,.h6 small,h4 .small,h4 small,h5 .small,h5 small,h6 .small,h6 small{font-size:75%}.h1,h1{font-size:36px}.h2,h2{font-size:30px}.h3,h3{font-size:24px}.h4,h4{font-size:18px}.h5,h5{font-size:14px}.h6,h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media (min-width:768px){.lead{font-size:21px}}.small,small{font-size:85%}.mark,mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#337ab7}a.text-primary:focus,a.text-primary:hover{color:#286090}.text-success{color:#3c763d}a.text-success:focus,a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:focus,a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:focus,a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:focus,a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#337ab7}a.bg-primary:focus,a.bg-primary:hover{background-color:#286090}.bg-success{background-color:#dff0d8}a.bg-success:focus,a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:focus,a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:focus,a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:focus,a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ol,ul{margin-top:0;margin-bottom:10px}ol ol,ol ul,ul ol,ul 
ul{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dd,dt{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[data-original-title],abbr[title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote ol:last-child,blockquote p:last-child,blockquote ul:last-child{margin-bottom:0}blockquote .small,blockquote footer,blockquote small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote .small:before,blockquote footer:before,blockquote small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse .small:before,.blockquote-reverse footer:before,.blockquote-reverse small:before,blockquote.pull-right .small:before,blockquote.pull-right footer:before,blockquote.pull-right small:before{content:''}.blockquote-reverse .small:after,.blockquote-reverse footer:after,.blockquote-reverse small:after,blockquote.pull-right .small:after,blockquote.pull-right footer:after,blockquote.pull-right small:after{content:'\00A0 \2014'}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 
rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;font-weight:700;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-lg-1,.col-lg-10,.col-lg-11,.col-lg-12,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-md-1,.col-md-10,.col-md-11,.col-md-12,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-sm-1,.col-sm-10,.col-sm-11,.col-sm-12,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-xs-1,.col-xs-10,.col-xs-11,.col-xs-12,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-10,.col-xs-11,.col-xs-12,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.666
66667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media 
(min-width:768px){.col-sm-1,.col-sm-10,.col-sm-11,.col-sm-12,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media 
(min-width:992px){.col-md-1,.col-md-10,.col-md-11,.col-md-12,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media 
(min-width:1200px){.col-lg-1,.col-lg-10,.col-lg-11,.col-lg-12,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}caption{padding-top:8px;padding-bottom:8px;color:#777;text-align:left}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>
tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>td,.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>td,.table>thead:first-child>tr:first-child>th{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>tbody>tr>td,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>td,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>thead>tr>th{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #ddd}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:2px}.table-striped>tbody>tr:nth-of-type(odd){background-color:#f9f9f9}.table-hover>tbody>tr:hover{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>tbody>tr.active>td,.table>tbody>tr.active>th,.table>tbody>tr>td.active,.table>tbody>tr>th.active,.table>tfoot>tr.active>td,.table>tfoot>tr.active>th,.table>tfoot>tr>td.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>thead>tr.active>th,.table>thead>tr>td.active,.table>thead>tr>th.active{background-color:#f5f5f5}.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr.active:hover>th,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover{background-color:#e8e8e8}.table>tbody>tr.success>td,.table>tbody>tr.success>th,.table>tbody>tr>td.success,.table>tbody>tr>th.success,.table>tfoot>tr.success>td,.table>tfoot>tr.success>th,.table>tfoot>tr>td.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>thead>tr.success>th,.table>thead>tr>td.success,.table>thead>tr>th.success{background-color:#dff0d8}.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr.success:hover>th,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover{background-color:#d0e9c6}.table>tbody>tr.info>td,.table>tbody>tr.info>th,.table>tbody>tr>td.info,.table>tbody>tr>th.info,.table>tfoot>tr.info>td,.table>tfoot>tr.info>th,.table>tfoot>tr>td.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>thead>tr.info>th,.table>thead>tr>td.info,.table>thead>tr>th.info{background-color:#d9edf7}.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr.info:hover>th,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover{background-color:#c4e3f3}.table>tbody>tr.warning>td,.table>tbody>tr.warning>th,.table>tbody>tr>td.warning,.table>tbody>tr>th.warning,.table>tfoot>tr.warning>td,.table>tfoot>tr.warning>th,.table>tfoot>tr>td.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>thead>tr.warning>th,.table>thead>tr>td.warning,.table>t
head>tr>th.warning{background-color:#fcf8e3}.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr.warning:hover>th,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover{background-color:#faf2cc}.table>tbody>tr.danger>td,.table>tbody>tr.danger>th,.table>tbody>tr>td.danger,.table>tbody>tr>th.danger,.table>tfoot>tr.danger>td,.table>tfoot>tr.danger>th,.table>tfoot>tr>td.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>thead>tr.danger>th,.table>thead>tr>td.danger,.table>thead>tr>th.danger{background-color:#f2dede}.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr.danger:hover>th,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover{background-color:#ebcccc}.table-responsive{min-height:.01%;overflow-x:auto}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-y:hidden;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>td,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>thead>tr>th{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>thead>tr>th:first-child{border-left:0}.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>thead>tr>th:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=checkbox],input[type=radio]{margin:4px 0 0;margin-top:1px\9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=checkbox]:focus,input[type=radio]:focus{outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#999;opacity:1}.form-control:-ms-input-placeholder{color:#999}.form-control::-webkit-input-placeholder{color:#999}.form-control::-ms-expand{background-color:transparent;border:0}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{background-color:#eee;opacity:1}.form-control[disabled],fieldset[disabled] .form-control{cursor:not-allowed}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}@media screen and (-webkit-min-device-pixel-ratio:0){input[type=date].form-control,input[type=time].form-control,input[type=datetime-local].form-control,input[type=month].form-control{line-height:34px}.input-group-sm input[type=date],.input-group-sm input[type=time],.input-group-sm input[type=datetime-local],.input-group-sm input[type=month],input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}.input-group-lg input[type=date],.input-group-lg input[type=time],.input-group-lg input[type=datetime-local],.input-group-lg 
input[type=month],input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}}.form-group{margin-bottom:15px}.checkbox,.radio{position:relative;display:block;margin-top:10px;margin-bottom:10px}.checkbox label,.radio label{min-height:20px;padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox],.radio input[type=radio],.radio-inline input[type=radio]{position:absolute;margin-top:4px\9;margin-left:-20px}.checkbox+.checkbox,.radio+.radio{margin-top:-5px}.checkbox-inline,.radio-inline{position:relative;display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.checkbox-inline+.checkbox-inline,.radio-inline+.radio-inline{margin-top:0;margin-left:10px}fieldset[disabled] input[type=checkbox],fieldset[disabled] input[type=radio],input[type=checkbox].disabled,input[type=checkbox][disabled],input[type=radio].disabled,input[type=radio][disabled]{cursor:not-allowed}.checkbox-inline.disabled,.radio-inline.disabled,fieldset[disabled] .checkbox-inline,fieldset[disabled] .radio-inline{cursor:not-allowed}.checkbox.disabled label,.radio.disabled label,fieldset[disabled] .checkbox label,fieldset[disabled] .radio label{cursor:not-allowed}.form-control-static{min-height:34px;padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}select[multiple].input-sm,textarea.input-sm{height:auto}.form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.form-group-sm select.form-control{height:30px;line-height:30px}.form-group-sm select[multiple].form-control,.form-group-sm textarea.form-control{height:auto}.form-group-sm 
.form-control-static{height:30px;min-height:32px;padding:6px 10px;font-size:12px;line-height:1.5}.input-lg{height:46px;padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}select.input-lg{height:46px;line-height:46px}select[multiple].input-lg,textarea.input-lg{height:auto}.form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}.form-group-lg select.form-control{height:46px;line-height:46px}.form-group-lg select[multiple].form-control,.form-group-lg textarea.form-control{height:auto}.form-group-lg .form-control-static{height:46px;min-height:38px;padding:11px 16px;font-size:18px;line-height:1.3333333}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:0;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center;pointer-events:none}.form-group-lg .form-control+.form-control-feedback,.input-group-lg+.form-control-feedback,.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.form-group-sm .form-control+.form-control-feedback,.input-group-sm+.form-control-feedback,.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .help-block,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label{color:#3c763d}.has-success .form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success 
.form-control-feedback{color:#3c763d}.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .help-block,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .help-block,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label~.form-control-feedback{top:25px}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .form-control-static{display:inline-block}.form-inline 
.input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .form-control,.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .checkbox,.form-inline .radio{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .checkbox label,.form-inline .radio label{padding-left:0}.form-inline .checkbox input[type=checkbox],.form-inline .radio input[type=radio]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .checkbox,.form-horizontal .checkbox-inline,.form-horizontal .radio,.form-horizontal .radio-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .checkbox,.form-horizontal .radio{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:11px;font-size:18px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px;font-size:12px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;-ms-touch-action:manipulation;touch-action:manipulation;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn.active.focus,.btn.active:focus,.btn.focus,.btn:active.focus,.btn:active:focus,.btn:focus{outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn.focus,.btn:focus,.btn:hover{color:#333;text-decoration:none}.btn.active,.btn:active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}a.btn.disabled,fieldset[disabled] a.btn{pointer-events:none}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default.focus,.btn-default:focus{color:#333;background-color:#e6e6e6;border-color:#8c8c8c}.btn-default:hover{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default.active,.btn-default:active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open>.dropdown-toggle.btn-default.focus,.open>.dropdown-toggle.btn-default:focus,.open>.dropdown-toggle.btn-default:hover{color:#333;background-color:#d4d4d4;border-color:#8c8c8c}.btn-default.active,.btn-default:active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled.focus,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled].focus,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default.focus,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#fff;border-color:#ccc}.btn-default 
.badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#337ab7;border-color:#2e6da4}.btn-primary.focus,.btn-primary:focus{color:#fff;background-color:#286090;border-color:#122b40}.btn-primary:hover{color:#fff;background-color:#286090;border-color:#204d74}.btn-primary.active,.btn-primary:active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#286090;border-color:#204d74}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open>.dropdown-toggle.btn-primary.focus,.open>.dropdown-toggle.btn-primary:focus,.open>.dropdown-toggle.btn-primary:hover{color:#fff;background-color:#204d74;border-color:#122b40}.btn-primary.active,.btn-primary:active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled.focus,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled].focus,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary.focus,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#337ab7;border-color:#2e6da4}.btn-primary 
.badge{color:#337ab7;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success.focus,.btn-success:focus{color:#fff;background-color:#449d44;border-color:#255625}.btn-success:hover{color:#fff;background-color:#449d44;border-color:#398439}.btn-success.active,.btn-success:active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success.active.focus,.btn-success.active:focus,.btn-success.active:hover,.btn-success:active.focus,.btn-success:active:focus,.btn-success:active:hover,.open>.dropdown-toggle.btn-success.focus,.open>.dropdown-toggle.btn-success:focus,.open>.dropdown-toggle.btn-success:hover{color:#fff;background-color:#398439;border-color:#255625}.btn-success.active,.btn-success:active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled.focus,.btn-success.disabled:focus,.btn-success.disabled:hover,.btn-success[disabled].focus,.btn-success[disabled]:focus,.btn-success[disabled]:hover,fieldset[disabled] .btn-success.focus,fieldset[disabled] .btn-success:focus,fieldset[disabled] .btn-success:hover{background-color:#5cb85c;border-color:#4cae4c}.btn-success 
.badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info.focus,.btn-info:focus{color:#fff;background-color:#31b0d5;border-color:#1b6d85}.btn-info:hover{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info.active,.btn-info:active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info.active.focus,.btn-info.active:focus,.btn-info.active:hover,.btn-info:active.focus,.btn-info:active:focus,.btn-info:active:hover,.open>.dropdown-toggle.btn-info.focus,.open>.dropdown-toggle.btn-info:focus,.open>.dropdown-toggle.btn-info:hover{color:#fff;background-color:#269abc;border-color:#1b6d85}.btn-info.active,.btn-info:active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled.focus,.btn-info.disabled:focus,.btn-info.disabled:hover,.btn-info[disabled].focus,.btn-info[disabled]:focus,.btn-info[disabled]:hover,fieldset[disabled] .btn-info.focus,fieldset[disabled] .btn-info:focus,fieldset[disabled] .btn-info:hover{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning.focus,.btn-warning:focus{color:#fff;background-color:#ec971f;border-color:#985f0d}.btn-warning:hover{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning.active,.btn-warning:active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning.active.focus,.btn-warning.active:focus,.btn-warning.active:hover,.btn-warning:active.focus,.btn-warning:active:focus,.btn-warning:active:hover,.open>.dropdown-toggle.btn-warning.focus,.open>.dropdown-toggle.btn-warning:focus,.open>.dropdown-toggle.btn-warning:hover{color:#fff;background-color:#d58512;border-color:#985f0d}.btn-warning.active,.btn-warning:active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled.focus,.btn-warning.disabled:focus,.btn-warning.disabled:hover,.btn-warning[disabled].focus,.btn-warning[disabled]:focus,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning.focus,fieldset[disabled] .btn-warning:focus,fieldset[disabled] .btn-warning:hover{background-color:#f0ad4e;border-color:#eea236}.btn-warning 
.badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger.focus,.btn-danger:focus{color:#fff;background-color:#c9302c;border-color:#761c19}.btn-danger:hover{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger.active,.btn-danger:active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open>.dropdown-toggle.btn-danger.focus,.open>.dropdown-toggle.btn-danger:focus,.open>.dropdown-toggle.btn-danger:hover{color:#fff;background-color:#ac2925;border-color:#761c19}.btn-danger.active,.btn-danger:active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled.focus,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled].focus,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger.focus,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#337ab7;border-radius:0}.btn-link,.btn-link.active,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:active,.btn-link:focus,.btn-link:hover{border-color:transparent}.btn-link:focus,.btn-link:hover{color:#23527c;text-decoration:underline;background-color:transparent}.btn-link[disabled]:focus,.btn-link[disabled]:hover,fieldset[disabled] .btn-link:focus,fieldset[disabled] .btn-link:hover{color:#777;text-decoration:none}.btn-group-lg>.btn,.btn-lg{padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}.btn-group-sm>.btn,.btn-sm{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-group-xs>.btn,.btn-xs{padding:1px 
5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=button].btn-block,input[type=reset].btn-block,input[type=submit].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition-timing-function:ease;-o-transition-timing-function:ease;transition-timing-function:ease;-webkit-transition-duration:.35s;-o-transition-duration:.35s;transition-duration:.35s;-webkit-transition-property:height,visibility;-o-transition-property:height,visibility;transition-property:height,visibility}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px dashed;border-top:4px solid\9;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown,.dropup{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 
20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{color:#fff;text-decoration:none;background-color:#337ab7;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{color:#777}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px dashed;border-bottom:4px solid\9}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:2px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group-vertical>.btn,.btn-group>.btn{position:relative;float:left}.btn-group-vertical>.btn.active,.btn-group-vertical>.btn:active,.btn-group-vertical>.btn:focus,.btn-group-vertical>.btn:hover,.btn-group>.btn.active,.btn-group>.btn:active,.btn-group>.btn:focus,.btn-group>.btn:hover{z-index:2}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn,.btn-toolbar 
.btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn input[type=checkbox],[data-toggle=buttons]>.btn input[type=radio],[data-toggle=buttons]>.btn-group>.btn input[type=checkbox],[data-toggle=buttons]>.btn-group>.btn input[type=radio]{position:absolute;clip:rect(0,0,0,0);pointer-events:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group 
.form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn,textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn,textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn{height:auto}.input-group .form-control,.input-group-addon,.input-group-btn{display:table-cell}.input-group .form-control:not(:first-child):not(:last-child),.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 
10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=checkbox],.input-group-addon input[type=radio]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn-group:not(:last-child)>.btn,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:first-child>.btn-group:not(:first-child)>.btn,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:active,.input-group-btn>.btn:focus,.input-group-btn>.btn:hover{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{z-index:2;margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:focus,.nav>li>a:hover{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:focus,.nav>li.disabled>a:hover{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:focus,.nav .open>a:hover{background-color:#eee;border-color:#337ab7}.nav .nav-divider{height:1px;margin:9px 
0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:focus,.nav-tabs>li.active>a:hover{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:focus,.nav-tabs.nav-justified>.active>a:hover{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:focus,.nav-tabs.nav-justified>.active>a:hover{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:focus,.nav-pills>li.active>a:hover{color:#fff;background-color:#337ab7}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media 
(min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:focus,.nav-tabs-justified>.active>a:hover{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:focus,.nav-tabs-justified>.active>a:hover{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-bottom .navbar-collapse,.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-bottom .navbar-collapse,.navbar-fixed-top .navbar-collapse{max-height:340px}@media (max-device-width:480px) and (orientation:landscape){.navbar-fixed-bottom .navbar-collapse,.navbar-fixed-top .navbar-collapse{max-height:200px}}.container-fluid>.navbar-collapse,.container-fluid>.navbar-header,.container>.navbar-collapse,.container>.navbar-header{margin-right:-15px;margin-left:-15px}@media 
(min-width:768px){.container-fluid>.navbar-collapse,.container-fluid>.navbar-header,.container>.navbar-collapse,.container>.navbar-header{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-bottom,.navbar-fixed-top{position:fixed;right:0;left:0;z-index:1030}@media (min-width:768px){.navbar-fixed-bottom,.navbar-fixed-top{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:focus,.navbar-brand:hover{text-decoration:none}.navbar-brand>img{display:block}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu .dropdown-header,.navbar-nav .open .dropdown-menu>li>a{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:focus,.navbar-nav .open .dropdown-menu>li>a:hover{background-image:none}}@media 
(min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}.navbar-form{padding:10px 15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .form-control,.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .checkbox,.navbar-form .radio{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .checkbox label,.navbar-form .radio label{padding-left:0}.navbar-form .checkbox input[type=checkbox],.navbar-form .radio input[type=radio]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}.navbar-form .form-group:last-child{margin-bottom:0}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom 
.navbar-nav>li>.dropdown-menu{margin-bottom:0;border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important;margin-right:-15px}.navbar-right~.navbar-right{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:focus,.navbar-default .navbar-brand:hover{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:focus,.navbar-default .navbar-nav>li>a:hover{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:focus,.navbar-default .navbar-nav>.active>a:hover{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:focus,.navbar-default .navbar-nav>.disabled>a:hover{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:focus,.navbar-default .navbar-toggle:hover{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:focus,.navbar-default .navbar-nav>.open>a:hover{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus,.navbar-default .navbar-nav .open 
.dropdown-menu>li>a:hover{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:focus,.navbar-default .btn-link:hover{color:#333}.navbar-default .btn-link[disabled]:focus,.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:focus,fieldset[disabled] .navbar-default .btn-link:hover{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#9d9d9d}.navbar-inverse .navbar-brand:focus,.navbar-inverse .navbar-brand:hover{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#9d9d9d}.navbar-inverse .navbar-nav>li>a{color:#9d9d9d}.navbar-inverse .navbar-nav>li>a:focus,.navbar-inverse .navbar-nav>li>a:hover{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:focus,.navbar-inverse .navbar-nav>.active>a:hover{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:focus,.navbar-inverse .navbar-nav>.disabled>a:hover{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:focus,.navbar-inverse .navbar-toggle:hover{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse 
.navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:focus,.navbar-inverse .navbar-nav>.open>a:hover{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#9d9d9d}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#9d9d9d}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#9d9d9d}.navbar-inverse .btn-link:focus,.navbar-inverse .btn-link:hover{color:#fff}.navbar-inverse .btn-link[disabled]:focus,.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:focus,fieldset[disabled] .navbar-inverse .btn-link:hover{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#337ab7;text-decoration:none;background-color:#fff;border:1px solid 
#ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span:focus,.pagination>li>span:hover{z-index:2;color:#23527c;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{z-index:3;color:#fff;cursor:default;background-color:#337ab7;border-color:#337ab7}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px;line-height:1.3333333}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:focus,.pager li>a:hover{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager 
.previous>span{float:left}.pager .disabled>a,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:focus,a.label:hover{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:focus,.label-default[href]:hover{background-color:#5e5e5e}.label-primary{background-color:#337ab7}.label-primary[href]:focus,.label-primary[href]:hover{background-color:#286090}.label-success{background-color:#5cb85c}.label-success[href]:focus,.label-success[href]:hover{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:focus,.label-info[href]:hover{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:focus,.label-warning[href]:hover{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:focus,.label-danger[href]:hover{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:middle;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-group-xs>.btn .badge,.btn-xs .badge{top:0;padding:1px 5px}a.badge:focus,a.badge:hover{color:#fff;text-decoration:none;cursor:pointer}.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#337ab7;background-color:#fff}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding-top:30px;padding-bottom:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron .h1,.jumbotron h1{color:inherit}.jumbotron 
p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron,.container-fluid .jumbotron{padding-right:15px;padding-left:15px;border-radius:6px}.jumbotron .container{max-width:100%}@media screen and (min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron,.container-fluid .jumbotron{padding-right:60px;padding-left:60px}.jumbotron .h1,.jumbotron h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:border .2s ease-in-out;-o-transition:border .2s ease-in-out;transition:border .2s ease-in-out}.thumbnail a>img,.thumbnail>img{margin-right:auto;margin-left:auto}a.thumbnail.active,a.thumbnail:focus,a.thumbnail:hover{border-color:#337ab7}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 
0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#337ab7;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-bar-striped,.progress-striped .progress-bar{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress-bar.active,.progress.active .progress-bar{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 
75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 
25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media{margin-top:15px}.media:first-child{margin-top:0}.media,.media-body{overflow:hidden;zoom:1}.media-body{width:10000px}.media-object{display:block}.media-object.img-thumbnail{max-width:none}.media-right,.media>.pull-right{padding-left:10px}.media-left,.media>.pull-left{padding-right:10px}.media-body,.media-left,.media-right{display:table-cell;vertical-align:top}.media-middle{vertical-align:middle}.media-bottom{vertical-align:bottom}.media-heading{margin-top:0;margin-bottom:5px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}a.list-group-item,button.list-group-item{color:#555}a.list-group-item .list-group-item-heading,button.list-group-item .list-group-item-heading{color:#333}a.list-group-item:focus,a.list-group-item:hover,button.list-group-item:focus,button.list-group-item:hover{color:#555;text-decoration:none;background-color:#f5f5f5}button.list-group-item{width:100%;text-align:left}.list-group-item.disabled,.list-group-item.disabled:focus,.list-group-item.disabled:hover{color:#777;cursor:not-allowed;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text,.list-group-item.disabled:hover 
.list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{z-index:2;color:#fff;background-color:#337ab7;border-color:#337ab7}.list-group-item.active .list-group-item-heading,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:focus .list-group-item-text,.list-group-item.active:hover .list-group-item-text{color:#c7ddef}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success,button.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading,button.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:focus,a.list-group-item-success:hover,button.list-group-item-success:focus,button.list-group-item-success:hover{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:focus,a.list-group-item-success.active:hover,button.list-group-item-success.active,button.list-group-item-success.active:focus,button.list-group-item-success.active:hover{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info,button.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading,button.list-group-item-info 
.list-group-item-heading{color:inherit}a.list-group-item-info:focus,a.list-group-item-info:hover,button.list-group-item-info:focus,button.list-group-item-info:hover{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:focus,a.list-group-item-info.active:hover,button.list-group-item-info.active,button.list-group-item-info.active:focus,button.list-group-item-info.active:hover{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning,button.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading,button.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:focus,a.list-group-item-warning:hover,button.list-group-item-warning:focus,button.list-group-item-warning:hover{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:focus,a.list-group-item-warning.active:hover,button.list-group-item-warning.active,button.list-group-item-warning.active:focus,button.list-group-item-warning.active:hover{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger,button.list-group-item-danger{color:#a94442}a.list-group-item-danger .list-group-item-heading,button.list-group-item-danger 
.list-group-item-heading{color:inherit}a.list-group-item-danger:focus,a.list-group-item-danger:hover,button.list-group-item-danger:focus,button.list-group-item-danger:hover{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:focus,a.list-group-item-danger.active:hover,button.list-group-item-danger.active,button.list-group-item-danger.active:focus,button.list-group-item-danger.active:hover{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>.small,.panel-title>.small>a,.panel-title>a,.panel-title>small,.panel-title>small>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group,.panel>.panel-collapse>.list-group{margin-bottom:0}.panel>.list-group .list-group-item,.panel>.panel-collapse>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child,.panel>.panel-collapse>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child,.panel>.panel-collapse>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.panel-heading+.panel-collapse>.list-group 
.list-group-item:first-child{border-top-left-radius:0;border-top-right-radius:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.panel-collapse>.table,.panel>.table,.panel>.table-responsive>.table{margin-bottom:0}.panel>.panel-collapse>.table caption,.panel>.table caption,.panel>.table-responsive>.table caption{padding-right:15px;padding-left:15px}.panel>.table-responsive:first-child>.table:first-child,.panel>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child,.panel>.table:first-child>thead:first-child>tr:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child 
td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table-responsive:last-child>.table:last-child,.panel>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child 
td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive,.panel>.table+.panel-body,.panel>.table-responsive+.panel-body{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child td,.panel>.table>tbody:first-child>tr:first-child th{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child{border-left:0}.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-respon
sive>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child{border-right:0}.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.list-group,.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading 
.badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#337ab7}.panel-primary>.panel-heading{color:#fff;background-color:#337ab7;border-color:#337ab7}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#337ab7}.panel-primary>.panel-heading .badge{color:#337ab7;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#337ab7}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading 
.badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive embed,.embed-responsive iframe,.embed-responsive object,.embed-responsive video{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:focus,.close:hover{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate(0,-25%);-ms-transform:translate(0,-25%);-o-transform:translate(0,-25%);transform:translate(0,-25%)}.modal.in .modal-dialog{-webkit-transform:translate(0,0);-ms-transform:translate(0,0);-o-transform:translate(0,0);transform:translate(0,0)}.modal-open 
.modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12px;font-style:normal;font-weight:400;line-height:1.42857143;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;word-wrap:normal;white-space:normal;filter:alpha(opacity=0);opacity:0;line-break:auto}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 
5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{right:5px;bottom:0;margin-bottom:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{bottom:0;left:5px;margin-bottom:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;right:5px;margin-top:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;left:5px;margin-top:-5px;border-width:0 5px 5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;font-style:normal;font-weight:400;line-height:1.42857143;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;word-wrap:normal;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2);line-break:auto}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 
14px;margin:0;font-size:14px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" ";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>a>img,.carousel-inner>.item>img{line-height:1}@media all and (transform-3d),(-webkit-transform-3d){.carousel-inner>.item{-webkit-transition:-webkit-transform .6s ease-in-out;-o-transition:-o-transform .6s ease-in-out;transition:transform .6s 
ease-in-out;-webkit-backface-visibility:hidden;backface-visibility:hidden;-webkit-perspective:1000px;perspective:1000px}.carousel-inner>.item.active.right,.carousel-inner>.item.next{left:0;-webkit-transform:translate3d(100%,0,0);transform:translate3d(100%,0,0)}.carousel-inner>.item.active.left,.carousel-inner>.item.prev{left:0;-webkit-transform:translate3d(-100%,0,0);transform:translate3d(-100%,0,0)}.carousel-inner>.item.active,.carousel-inner>.item.next.left,.carousel-inner>.item.prev.right{left:0;-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);background-color:rgba(0,0,0,0);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right 
top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);background-repeat:repeat-x}.carousel-control:focus,.carousel-control:hover{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next,.carousel-control .icon-prev{position:absolute;top:50%;z-index:5;display:inline-block;margin-top:-10px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{left:50%;margin-left:-10px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{right:50%;margin-right:-10px}.carousel-control .icon-next,.carousel-control .icon-prev{width:20px;height:20px;font-family:serif;line-height:1}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000\9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next,.carousel-control .icon-prev{width:30px;height:30px;margin-top:-10px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control 
.icon-prev{margin-left:-10px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{margin-right:-10px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.btn-group-vertical>.btn-group:after,.btn-group-vertical>.btn-group:before,.btn-toolbar:after,.btn-toolbar:before,.clearfix:after,.clearfix:before,.container-fluid:after,.container-fluid:before,.container:after,.container:before,.dl-horizontal dd:after,.dl-horizontal dd:before,.form-horizontal .form-group:after,.form-horizontal .form-group:before,.modal-footer:after,.modal-footer:before,.modal-header:after,.modal-header:before,.nav:after,.nav:before,.navbar-collapse:after,.navbar-collapse:before,.navbar-header:after,.navbar-header:before,.navbar:after,.navbar:before,.pager:after,.pager:before,.panel-body:after,.panel-body:before,.row:after,.row:before{display:table;content:" "}.btn-group-vertical>.btn-group:after,.btn-toolbar:after,.clearfix:after,.container-fluid:after,.container:after,.dl-horizontal dd:after,.form-horizontal .form-group:after,.modal-footer:after,.modal-header:after,.nav:after,.navbar-collapse:after,.navbar-header:after,.navbar:after,.pager:after,.panel-body:after,.row:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important}.affix{position:fixed}@-ms-viewport{width:device-width}.visible-lg,.visible-md,.visible-sm,.visible-xs{display:none!important}.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table!important}tr.visible-xs{display:table-row!important}td.visible-xs,th.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table!important}tr.visible-sm{display:table-row!important}td.visible-sm,th.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table!important}tr.visible-md{display:table-row!important}td.visible-md,th.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table!important}tr.visible-lg{display:table-row!important}td.visible-lg,th.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and 
(max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table!important}tr.visible-print{display:table-row!important}td.visible-print,th.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} +/*# sourceMappingURL=bootstrap.min.css.map */ \ No newline at end of file diff --git a/csf/ui/images/bootstrap/css/bootstrap.min.css.map b/csf/ui/images/bootstrap/css/bootstrap.min.css.map new file mode 100644 index 0000000..0c2c934 --- /dev/null +++ b/csf/ui/images/bootstrap/css/bootstrap.min.css.map 
@@ -0,0 +1 @@ +{"version":3,"sources":["less/normalize.less","less/print.less","bootstrap.css","dist/css/bootstrap.css","less/glyphicons.less","less/scaffolding.less","less/mixins/vendor-prefixes.less","less/mixins/tab-focus.less","less/mixins/image.less","less/type.less","less/mixins/text-emphasis.less","less/mixins/background-variant.less","less/mixins/text-overflow.less","less/code.less","less/grid.less","less/mixins/grid.less","less/mixins/grid-framework.less","less/tables.less","less/mixins/table-row.less","less/forms.less","less/mixins/forms.less","less/buttons.less","less/mixins/buttons.less","less/mixins/opacity.less","less/component-animations.less","less/dropdowns.less","less/mixins/nav-divider.less","less/mixins/reset-filter.less","less/button-groups.less","less/mixins/border-radius.less","less/input-groups.less","less/navs.less","less/navbar.less","less/mixins/nav-vertical-align.less","less/utilities.less","less/breadcrumbs.less","less/pagination.less","less/mixins/pagination.less","less/pager.less","less/labels.less","less/mixins/labels.less","less/badges.less","less/jumbotron.less","less/thumbnails.less","less/alerts.less","less/mixins/alerts.less","less/progress-bars.less","less/mixins/gradients.less","less/mixins/progress-bar.less","less/media.less","less/list-group.less","less/mixins/list-group.less","less/panels.less","less/mixins/panels.less","less/responsive-embed.less","less/wells.less","less/close.less","less/modals.less","less/tooltip.less","less/mixins/reset-text.less","less/popovers.less","less/carousel.less","less/mixins/clearfix.less","less/mixins/center-block.less","less/mixins/hide-text.less","less/responsive-utilities.less","less/mixins/responsive-visibility.less"],"names":[],"mappings":";;;;4EAQA,KACE,YAAA,WACA,yBAAA,KACA,qBAAA,KAOF,KACE,OAAA,EAaF,QAAA,MAAA,QAAA,WAAA,OAAA,OAAA,OAAA,OAAA,KAAA,KAAA,IAAA,QAAA,QAaE,QAAA,MAQF,MAAA,OAAA,SAAA,MAIE,QAAA,aACA,eAAA,SAQF,sBACE,QAAA,KACA,OAAA,EAQF,SAAA,SAEE,QAAA,KAUF,EACE,iBAAA,YAQF,SAAA,QAEE,QAAA
,EAUF,YACE,cAAA,IAAA,OAOF,EAAA,OAEE,YAAA,IAOF,IACE,WAAA,OAQF,GACE,OAAA,MAAA,EACA,UAAA,IAOF,KACE,MAAA,KACA,WAAA,KAOF,MACE,UAAA,IAOF,IAAA,IAEE,SAAA,SACA,UAAA,IACA,YAAA,EACA,eAAA,SAGF,IACE,IAAA,MAGF,IACE,OAAA,OAUF,IACE,OAAA,EAOF,eACE,SAAA,OAUF,OACE,OAAA,IAAA,KAOF,GACE,OAAA,EAAA,mBAAA,YAAA,gBAAA,YACA,WAAA,YAOF,IACE,SAAA,KAOF,KAAA,IAAA,IAAA,KAIE,YAAA,UAAA,UACA,UAAA,IAkBF,OAAA,MAAA,SAAA,OAAA,SAKE,OAAA,EACA,KAAA,QACA,MAAA,QAOF,OACE,SAAA,QAUF,OAAA,OAEE,eAAA,KAWF,OAAA,wBAAA,kBAAA,mBAIE,mBAAA,OACA,OAAA,QAOF,iBAAA,qBAEE,OAAA,QAOF,yBAAA,wBAEE,QAAA,EACA,OAAA,EAQF,MACE,YAAA,OAWF,qBAAA,kBAEE,mBAAA,WAAA,gBAAA,WAAA,WAAA,WACA,QAAA,EASF,8CAAA,8CAEE,OAAA,KAQF,mBACE,mBAAA,YACA,gBAAA,YAAA,WAAA,YAAA,mBAAA,UASF,iDAAA,8CAEE,mBAAA,KAOF,SACE,QAAA,MAAA,OAAA,MACA,OAAA,EAAA,IACA,OAAA,IAAA,MAAA,OAQF,OACE,QAAA,EACA,OAAA,EAOF,SACE,SAAA,KAQF,SACE,YAAA,IAUF,MACE,eAAA,EACA,gBAAA,SAGF,GAAA,GAEE,QAAA,uFCjUF,aA7FI,EAAA,OAAA,QAGI,MAAA,eACA,YAAA,eACA,WAAA,cAAA,mBAAA,eACA,WAAA,eAGJ,EAAA,UAEI,gBAAA,UAGJ,cACI,QAAA,KAAA,WAAA,IAGJ,kBACI,QAAA,KAAA,YAAA,IAKJ,6BAAA,mBAEI,QAAA,GAGJ,WAAA,IAEI,OAAA,IAAA,MAAA,KC4KL,kBAAA,MDvKK,MC0KL,QAAA,mBDrKK,IE8KN,GDLC,kBAAA,MDrKK,ICwKL,UAAA,eCUD,GF5KM,GE2KN,EF1KM,QAAA,ECuKL,OAAA,ECSD,GF3KM,GCsKL,iBAAA,MD/JK,QCkKL,QAAA,KCSD,YFtKU,oBCiKT,iBAAA,eD7JK,OCgKL,OAAA,IAAA,MAAA,KD5JK,OC+JL,gBAAA,mBCSD,UFpKU,UC+JT,iBAAA,eDzJS,mBEkKV,mBDLC,OAAA,IAAA,MAAA,gBEjPD,WACA,YAAA,uBFsPD,IAAA,+CE7OC,IAAK,sDAAuD,4BAA6B,iDAAkD,gBAAiB,gDAAiD,eAAgB,+CAAgD,mBAAoB,2EAA4E,cAE7W,WACA,SAAA,SACA,IAAA,IACA,QAAA,aACA,YAAA,uBACA,WAAA,OACA,YAAA,IACA,YAAA,EAIkC,uBAAA,YAAW,wBAAA,UACX,2BAAW,QAAA,QAEX,uBDuPlC,QAAS,QCtPyB,sBFiPnC,uBEjP8C,QAAA,QACX,wBAAW,QAAA,QACX,wBAAW,QAAA,QACX,2BAAW,QAAA,QACX,yBAAW,QAAA,QACX,wBAAW,QAAA,QACX,wBAAW,QAAA,QACX,yBAAW,QAAA,QACX,wBAAW,QAAA,QACX,uBAAW,QAAA,QACX,6BAAW,QAAA,QACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,2BAAW,QAAA,QACX,qBAAW,QAAA,QACX,0BAAW,QAAA,QACX,qBAAW,QAAA,QACX,yBAAW,QAAA,QACX,0BAAW,QAAA,QACX,2BAAW,QAAA,QACX,sBAAW,QAAA,QACX,yBAAW,QAAA,QACX,sBAAW,QAAA,QACX,wBAAW,QAAA,QACX,uBAAW,QAAA,Q
ACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,+BAAW,QAAA,QACX,2BAAW,QAAA,QACX,yBAAW,QAAA,QACX,wBAAW,QAAA,QACX,8BAAW,QAAA,QACX,yBAAW,QAAA,QACX,0BAAW,QAAA,QACX,2BAAW,QAAA,QACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,6BAAW,QAAA,QACX,6BAAW,QAAA,QACX,8BAAW,QAAA,QACX,4BAAW,QAAA,QACX,yBAAW,QAAA,QACX,0BAAW,QAAA,QACX,sBAAW,QAAA,QACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,2BAAW,QAAA,QACX,wBAAW,QAAA,QACX,yBAAW,QAAA,QACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,yBAAW,QAAA,QACX,8BAAW,QAAA,QACX,6BAAW,QAAA,QACX,6BAAW,QAAA,QACX,+BAAW,QAAA,QACX,8BAAW,QAAA,QACX,gCAAW,QAAA,QACX,uBAAW,QAAA,QACX,8BAAW,QAAA,QACX,+BAAW,QAAA,QACX,iCAAW,QAAA,QACX,0BAAW,QAAA,QACX,6BAAW,QAAA,QACX,yBAAW,QAAA,QACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,wBAAW,QAAA,QACX,wBAAW,QAAA,QACX,uBAAW,QAAA,QACX,gCAAW,QAAA,QACX,gCAAW,QAAA,QACX,2BAAW,QAAA,QACX,uBAAW,QAAA,QACX,wBAAW,QAAA,QACX,uBAAW,QAAA,QACX,0BAAW,QAAA,QACX,+BAAW,QAAA,QACX,+BAAW,QAAA,QACX,wBAAW,QAAA,QACX,+BAAW,QAAA,QACX,gCAAW,QAAA,QACX,4BAAW,QAAA,QACX,6BAAW,QAAA,QACX,8BAAW,QAAA,QACX,0BAAW,QAAA,QACX,gCAAW,QAAA,QACX,4BAAW,QAAA,QACX,6BAAW,QAAA,QACX,gCAAW,QAAA,QACX,4BAAW,QAAA,QACX,6BAAW,QAAA,QACX,6BAAW,QAAA,QACX,8BAAW,QAAA,QACX,2BAAW,QAAA,QACX,6BAAW,QAAA,QACX,4BAAW,QAAA,QACX,8BAAW,QAAA,QACX,+BAAW,QAAA,QACX,mCAAW,QAAA,QACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,2BAAW,QAAA,QACX,4BAAW,QAAA,QACX,+BAAW,QAAA,QACX,wBAAW,QAAA,QACX,2BAAW,QAAA,QACX,yBAAW,QAAA,QACX,0BAAW,QAAA,QACX,yBAAW,QAAA,QACX,6BAAW,QAAA,QACX,+BAAW,QAAA,QACX,0BAAW,QAAA,QACX,gCAAW,QAAA,QACX,+BAAW,QAAA,QACX,8BAAW,QAAA,QACX,kCAAW,QAAA,QACX,oCAAW,QAAA,QACX,sBAAW,QAAA,QACX,2BAAW,QAAA,QACX,uBAAW,QAAA,QACX,8BAAW,QAAA,QACX,4BAAW,QAAA,QACX,8BAAW,QAAA,QACX,6BAAW,QAAA,QACX,4BAAW,QAAA,QACX,0BAAW,QAAA,QACX,4BAAW,QAAA,QACX,qCAAW,QAAA,QACX,oCAAW,QAAA,QACX,kCAAW,QAAA,QACX,oCAAW,QAAA,QACX,wBAAW,QAAA,QACX,yBAAW,QAAA,QACX,wBAAW,QAAA,QACX,yBAAW,QAAA,QACX,4BAAW,QAAA,QACX,6BAAW,QAAA,QACX,4BAAW,QAAA,QACX,4BAAW,QAAA,QACX,8BAAW,QAAA,QACX,uBAAW,QAAA,QACX,wBAAW,QAAA,QACX,0BAAW,QAAA,QACX,sBAAW,QAAA,QACX,sBAAW,QAAA,QACX,uBAAW,QAAA,QACX,mCAAW,QAAA,Q
ACX,uCAAW,QAAA,QACX,gCAAW,QAAA,QACX,oCAAW,QAAA,QACX,qCAAW,QAAA,QACX,yCAAW,QAAA,QACX,4BAAW,QAAA,QACX,yBAAW,QAAA,QACX,gCAAW,QAAA,QACX,8BAAW,QAAA,QACX,yBAAW,QAAA,QACX,wBAAW,QAAA,QACX,0BAAW,QAAA,QACX,6BAAW,QAAA,QACX,yBAAW,QAAA,QACX,uBAAW,QAAA,QACX,uBAAW,QAAA,QACX,wBAAW,QAAA,QACX,yBAAW,QAAA,QACX,yBAAW,QAAA,QACX,uBAAW,QAAA,QACX,8BAAW,QAAA,QACX,+BAAW,QAAA,QACX,gCAAW,QAAA,QACX,8BAAW,QAAA,QACX,8BAAW,QAAA,QACX,8BAAW,QAAA,QACX,2BAAW,QAAA,QACX,0BAAW,QAAA,QACX,yBAAW,QAAA,QACX,6BAAW,QAAA,QACX,2BAAW,QAAA,QACX,4BAAW,QAAA,QACX,wBAAW,QAAA,QACX,wBAAW,QAAA,QACX,2BAAW,QAAA,QACX,2BAAW,QAAA,QACX,4BAAW,QAAA,QACX,+BAAW,QAAA,QACX,8BAAW,QAAA,QACX,4BAAW,QAAA,QACX,4BAAW,QAAA,QACX,4BAAW,QAAA,QACX,iCAAW,QAAA,QACX,oCAAW,QAAA,QACX,iCAAW,QAAA,QACX,+BAAW,QAAA,QACX,+BAAW,QAAA,QACX,iCAAW,QAAA,QACX,qBAAW,QAAA,QACX,4BAAW,QAAA,QACX,4BAAW,QAAA,QACX,2BAAW,QAAA,QACX,uBAAW,QAAA,QASX,wBAAW,QAAA,QACX,wBAAW,QAAA,QACX,4BAAW,QAAA,QACX,uBAAW,QAAA,QACX,wBAAW,QAAA,QACX,uBAAW,QAAA,QACX,yBAAW,QAAA,QACX,yBAAW,QAAA,QACX,+BAAW,QAAA,QACX,uBAAW,QAAA,QACX,6BAAW,QAAA,QACX,sBAAW,QAAA,QACX,wBAAW,QAAA,QACX,wBAAW,QAAA,QACX,4BAAW,QAAA,QACX,uBAAW,QAAA,QACX,4BAAW,QAAA,QACX,6BAAW,QAAA,QACX,2BAAW,QAAA,QACX,0BAAW,QAAA,QACX,sBAAW,QAAA,QACX,sBAAW,QAAA,QACX,sBAAW,QAAA,QACX,sBAAW,QAAA,QACX,wBAAW,QAAA,QACX,sBAAW,QAAA,QACX,wBAAW,QAAA,QACX,4BAAW,QAAA,QACX,mCAAW,QAAA,QACX,4BAAW,QAAA,QACX,oCAAW,QAAA,QACX,kCAAW,QAAA,QACX,iCAAW,QAAA,QACX,+BAAW,QAAA,QACX,sBAAW,QAAA,QACX,wBAAW,QAAA,QACX,6BAAW,QAAA,QACX,4BAAW,QAAA,QACX,6BAAW,QAAA,QACX,kCAAW,QAAA,QACX,mCAAW,QAAA,QACX,sCAAW,QAAA,QACX,0CAAW,QAAA,QACX,oCAAW,QAAA,QACX,wCAAW,QAAA,QACX,qCAAW,QAAA,QACX,iCAAW,QAAA,QACX,gCAAW,QAAA,QACX,kCAAW,QAAA,QACX,+BAAW,QAAA,QACX,0BAAW,QAAA,QACX,8BAAW,QAAA,QACX,4BAAW,QAAA,QACX,4BAAW,QAAA,QACX,6BAAW,QAAA,QACX,4BAAW,QAAA,QCtS/C,0BCgEE,QAAA,QHi+BF,EDNC,mBAAA,WGxhCI,gBAAiB,WFiiCZ,WAAY,WGl+BZ,OADL,QJg+BJ,mBAAA,WGthCI,gBAAiB,WACpB,WAAA,WHyhCD,KGrhCC,UAAW,KAEX,4BAAA,cAEA,KACA,YAAA,iBAAA,UAAA,MAAA,WHuhCD,UAAA,KGnhCC,YAAa,WF4hCb,MAAO,KACP,iBAAkB,KExhClB,OADA,MAEA,OHqhCD,SG/gCC,YAA
a,QACb,UAAA,QACA,YAAA,QAEA,EFwhCA,MAAO,QEthCL,gBAAA,KAIF,QH8gCD,QKjkCC,MAAA,QACA,gBAAA,UF6DF,QACE,QAAA,IAAA,KAAA,yBHygCD,eAAA,KGlgCC,OHqgCD,OAAA,ECSD,IACE,eAAgB,ODDjB,4BM/kCC,0BLklCF,gBKnlCE,iBADA,eH4EA,QAAS,MACT,UAAA,KHugCD,OAAA,KGhgCC,aACA,cAAA,IAEA,eACA,QAAA,aC6FA,UAAA,KACK,OAAA,KACG,QAAA,IEvLR,YAAA,WACA,iBAAA,KACA,OAAA,IAAA,MAAA,KN+lCD,cAAA,IGjgCC,mBAAoB,IAAI,IAAI,YAC5B,cAAA,IAAA,IAAA,YHmgCD,WAAA,IAAA,IAAA,YG5/BC,YACA,cAAA,IAEA,GH+/BD,WAAA,KGv/BC,cAAe,KACf,OAAA,EACA,WAAA,IAAA,MAAA,KAEA,SACA,SAAA,SACA,MAAA,IACA,OAAA,IACA,QAAA,EHy/BD,OAAA,KGj/BC,SAAA,OF0/BA,KAAM,cEx/BJ,OAAA,EAEA,0BACA,yBACA,SAAA,OACA,MAAA,KHm/BH,OAAA,KGx+BC,OAAQ,EACR,SAAA,QH0+BD,KAAA,KCSD,cACE,OAAQ,QAQV,IACA,IMlpCE,IACA,IACA,IACA,INwoCF,GACA,GACA,GACA,GACA,GACA,GDAC,YAAA,QOlpCC,YAAa,IN2pCb,YAAa,IACb,MAAO,QAoBT,WAZA,UAaA,WAZA,UM5pCI,WN6pCJ,UM5pCI,WN6pCJ,UM5pCI,WN6pCJ,UDMC,WCLD,UACA,UAZA,SAaA,UAZA,SAaA,UAZA,SAaA,UAZA,SAaA,UAZA,SAaA,UAZA,SMppCE,YAAa,INwqCb,YAAa,EACb,MAAO,KAGT,IMxqCE,IAJF,IN2qCA,GAEA,GDLC,GCSC,WAAY,KACZ,cAAe,KASjB,WANA,UDCC,WCCD,UM5qCA,WN8qCA,UACA,UANA,SM5qCI,UN8qCJ,SM3qCA,UN6qCA,SAQE,UAAW,IAGb,IMprCE,IAJF,INurCA,GAEA,GDLC,GCSC,WAAY,KACZ,cAAe,KASjB,WANA,UDCC,WCCD,UMvrCA,WNyrCA,UACA,UANA,SMxrCI,UN0rCJ,SMtrCA,UNwrCA,SMxrCU,UAAA,IACV,IAAA,GAAU,UAAA,KACV,IAAA,GAAU,UAAA,KACV,IAAA,GAAU,UAAA,KACV,IAAA,GAAU,UAAA,KACV,IAAA,GAAU,UAAA,KAOR,IADF,GPssCC,UAAA,KCSD,EMzsCE,OAAA,EAAA,EAAA,KAEA,MPosCD,cAAA,KO/rCC,UAAW,KAwOX,YAAa,IA1OX,YAAA,IPssCH,yBO7rCC,MNssCE,UAAW,MMjsCf,OAAA,MAEE,UAAA,IAKF,MP0rCC,KO1rCsB,QAAA,KP6rCtB,iBAAA,QO5rCsB,WP+rCtB,WAAA,KO9rCsB,YPisCtB,WAAA,MOhsCsB,aPmsCtB,WAAA,OOlsCsB,cPqsCtB,WAAA,QOlsCsB,aPqsCtB,YAAA,OOpsCsB,gBPusCtB,eAAA,UOtsCsB,gBPysCtB,eAAA,UOrsCC,iBPwsCD,eAAA,WQ3yCC,YR8yCD,MAAA,KCSD,cOpzCI,MAAA,QAHF,qBDwGF,qBP6sCC,MAAA,QCSD,cO3zCI,MAAA,QAHF,qBD2GF,qBPitCC,MAAA,QCSD,WOl0CI,MAAA,QAHF,kBD8GF,kBPqtCC,MAAA,QCSD,cOz0CI,MAAA,QAHF,qBDiHF,qBPytCC,MAAA,QCSD,aOh1CI,MAAA,QDwHF,oBAHF,oBExHE,MAAA,QACA,YR01CA,MAAO,KQx1CL,iBAAA,QAHF,mBF8HF,mBP2tCC,iBAAA,QCSD,YQ/1CI,iBAAA,QAHF,mBFiIF,mB
P+tCC,iBAAA,QCSD,SQt2CI,iBAAA,QAHF,gBFoIF,gBPmuCC,iBAAA,QCSD,YQ72CI,iBAAA,QAHF,mBFuIF,mBPuuCC,iBAAA,QCSD,WQp3CI,iBAAA,QF6IF,kBADF,kBAEE,iBAAA,QPsuCD,aO7tCC,eAAgB,INsuChB,OAAQ,KAAK,EAAE,KMpuCf,cAAA,IAAA,MAAA,KAFF,GPkuCC,GCSC,WAAY,EACZ,cAAe,KM9tCf,MP0tCD,MO3tCD,MAPI,MASF,cAAA,EAIF,eALE,aAAA,EACA,WAAA,KPkuCD,aO9tCC,aAAc,EAKZ,YAAA,KACA,WAAA,KP6tCH,gBOvtCC,QAAS,aACT,cAAA,IACA,aAAA,IAEF,GNguCE,WAAY,EM9tCZ,cAAA,KAGA,GADF,GP0tCC,YAAA,WOttCC,GPytCD,YAAA,IOnnCD,GAvFM,YAAA,EAEA,yBACA,kBGtNJ,MAAA,KACA,MAAA,MACA,SAAA,OVq6CC,MAAA,KO7nCC,WAAY,MAhFV,cAAA,SPgtCH,YAAA,OOtsCD,kBNgtCE,YAAa,OM1sCjB,0BPssCC,YOrsCC,OAAA,KA9IqB,cAAA,IAAA,OAAA,KAmJvB,YACE,UAAA,IACA,eAAA,UAEA,WPssCD,QAAA,KAAA,KOjsCG,OAAA,EAAA,EAAA,KN0sCF,UAAW,OACX,YAAa,IAAI,MAAM,KMptCzB,yBP+sCC,wBO/sCD,yBNytCE,cAAe,EMnsCb,kBAFA,kBACA,iBPksCH,QAAA,MO/rCG,UAAA,INwsCF,YAAa,WACb,MAAO,KMhsCT,yBP2rCC,yBO3rCD,wBAEE,QAAA,cAEA,oBACA,sBACA,cAAA,KP6rCD,aAAA,EOvrCG,WAAA,MNgsCF,aAAc,IAAI,MAAM,KACxB,YAAa,EMhsCX,kCNksCJ,kCMnsCe,iCACX,oCNmsCJ,oCDLC,mCCUC,QAAS,GMjsCX,iCNmsCA,iCMzsCM,gCAOJ,mCNmsCF,mCDLC,kCO7rCC,QAAA,cPksCD,QWv+CC,cAAe,KVg/Cf,WAAY,OACZ,YAAa,WU7+Cb,KXy+CD,IWr+CD,IACE,KACA,YAAA,MAAA,OAAA,SAAA,cAAA,UAEA,KACA,QAAA,IAAA,IXu+CD,UAAA,IWn+CC,MAAO,QACP,iBAAA,QACA,cAAA,IAEA,IACA,QAAA,IAAA,IACA,UAAA,IV4+CA,MU5+CA,KXq+CD,iBAAA,KW3+CC,cAAe,IASb,mBAAA,MAAA,EAAA,KAAA,EAAA,gBACA,WAAA,MAAA,EAAA,KAAA,EAAA,gBAEA,QV6+CF,QU7+CE,EXq+CH,UAAA,KWh+CC,YAAa,IACb,mBAAA,KACA,WAAA,KAEA,IACA,QAAA,MACA,QAAA,MACA,OAAA,EAAA,EAAA,KACA,UAAA,KACA,YAAA,WACA,MAAA,KACA,WAAA,UXk+CD,UAAA,WW7+CC,iBAAkB,QAehB,OAAA,IAAA,MAAA,KACA,cAAA,IAEA,SACA,QAAA,EACA,UAAA,QXi+CH,MAAA,QW59CC,YAAa,SACb,iBAAA,YACA,cAAA,EC1DF,gBCHE,WAAA,MACA,WAAA,OAEA,Wb8hDD,cAAA,KYxhDC,aAAA,KAqEA,aAAc,KAvEZ,YAAA,KZ+hDH,yBY1hDC,WAkEE,MAAO,OZ69CV,yBY5hDC,WA+DE,MAAO,OZk+CV,0BYzhDC,WCvBA,MAAA,QAGA,iBbmjDD,cAAA,KYthDC,aAAc,KCvBd,aAAA,KACA,YAAA,KCAE,KACE,aAAA,MAEA,YAAA,MAGA,UAAA,WAAA,WAAA,WAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,WAAA,WAAA,WAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,WAAA,WAAA,WA
AA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,WAAA,WAAA,WAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UdgjDL,SAAA,SchiDG,WAAA,IACE,cAAA,KdkiDL,aAAA,Kc1hDG,UAAA,WAAA,WAAA,WAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,Ud6hDH,MAAA,Kc7hDG,WdgiDH,MAAA,KchiDG,WdmiDH,MAAA,acniDG,WdsiDH,MAAA,actiDG,UdyiDH,MAAA,IcziDG,Ud4iDH,MAAA,ac5iDG,Ud+iDH,MAAA,ac/iDG,UdkjDH,MAAA,IcljDG,UdqjDH,MAAA,acrjDG,UdwjDH,MAAA,acxjDG,Ud2jDH,MAAA,Ic3jDG,Ud8jDH,MAAA,ac/iDG,UdkjDH,MAAA,YcljDG,gBdqjDH,MAAA,KcrjDG,gBdwjDH,MAAA,acxjDG,gBd2jDH,MAAA,ac3jDG,ed8jDH,MAAA,Ic9jDG,edikDH,MAAA,acjkDG,edokDH,MAAA,acpkDG,edukDH,MAAA,IcvkDG,ed0kDH,MAAA,ac1kDG,ed6kDH,MAAA,ac7kDG,edglDH,MAAA,IchlDG,edmlDH,MAAA,ac9kDG,edilDH,MAAA,YchmDG,edmmDH,MAAA,KcnmDG,gBdsmDH,KAAA,KctmDG,gBdymDH,KAAA,aczmDG,gBd4mDH,KAAA,ac5mDG,ed+mDH,KAAA,Ic/mDG,edknDH,KAAA,aclnDG,edqnDH,KAAA,acrnDG,edwnDH,KAAA,IcxnDG,ed2nDH,KAAA,ac3nDG,ed8nDH,KAAA,ac9nDG,edioDH,KAAA,IcjoDG,edooDH,KAAA,ac/nDG,edkoDH,KAAA,YcnnDG,edsnDH,KAAA,KctnDG,kBdynDH,YAAA,KcznDG,kBd4nDH,YAAA,ac5nDG,kBd+nDH,YAAA,ac/nDG,iBdkoDH,YAAA,IcloDG,iBdqoDH,YAAA,acroDG,iBdwoDH,YAAA,acxoDG,iBd2oDH,YAAA,Ic3oDG,iBd8oDH,YAAA,ac9oDG,iBdipDH,YAAA,acjpDG,iBdopDH,YAAA,IcppDG,iBdupDH,YAAA,acvpDG,iBd0pDH,YAAA,Yc5rDG,iBACE,YAAA,EAOJ,yBACE,UAAA,WAAA,WAAA,WAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,Ud0rDD,MAAA,Kc1rDC,Wd6rDD,MAAA,Kc7rDC,WdgsDD,MAAA,achsDC,WdmsDD,MAAA,acnsDC,UdssDD,MAAA,IctsDC,UdysDD,MAAA,aczsDC,Ud4sDD,MAAA,ac5sDC,Ud+sDD,MAAA,Ic/sDC,UdktDD,MAAA,acltDC,UdqtDD,MAAA,acrtDC,UdwtDD,MAAA,IcxtDC,Ud2tDD,MAAA,ac5sDC,Ud+sDD,MAAA,Yc/sDC,gBdktDD,MAAA,KcltDC,gBdqtDD,MAAA,acrtDC,gBdwtDD,MAAA,acxtDC,ed2tDD,MAAA,Ic3tDC,ed8tDD,MAAA,ac9tDC,ediuDD,MAAA,acjuDC,edouDD,MAAA,IcpuDC,eduuDD,MAAA,acvuDC,ed0uDD,MAAA,ac1uDC,ed6uDD,MAAA,Ic7uDC,edgvDD,MAAA,ac3uDC,ed8uDD,MAAA,Yc7vDC,edgwDD,MAAA,KchwDC,gBdmwDD,KAAA,KcnwDC,gBdswDD,KAAA,actwDC,gBdywDD,KAAA,aczwDC,ed4wDD,KAAA,Ic5wDC,ed+wDD,KAAA,ac/wDC,edkxDD,KAAA,aclxDC,edqxDD,KAAA,IcrxDC,edwxDD,KAAA,acxxDC,ed2xDD,KAAA,ac3xDC,ed8xDD,KAAA,Ic9xDC,ediyDD,KAAA,ac5xDC,ed+xDD,KAAA,YchxDC,ed
mxDD,KAAA,KcnxDC,kBdsxDD,YAAA,KctxDC,kBdyxDD,YAAA,aczxDC,kBd4xDD,YAAA,ac5xDC,iBd+xDD,YAAA,Ic/xDC,iBdkyDD,YAAA,aclyDC,iBdqyDD,YAAA,acryDC,iBdwyDD,YAAA,IcxyDC,iBd2yDD,YAAA,ac3yDC,iBd8yDD,YAAA,ac9yDC,iBdizDD,YAAA,IcjzDC,iBdozDD,YAAA,acpzDC,iBduzDD,YAAA,YY9yDD,iBE3CE,YAAA,GAQF,yBACE,UAAA,WAAA,WAAA,WAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,Udw1DD,MAAA,Kcx1DC,Wd21DD,MAAA,Kc31DC,Wd81DD,MAAA,ac91DC,Wdi2DD,MAAA,acj2DC,Udo2DD,MAAA,Icp2DC,Udu2DD,MAAA,acv2DC,Ud02DD,MAAA,ac12DC,Ud62DD,MAAA,Ic72DC,Udg3DD,MAAA,ach3DC,Udm3DD,MAAA,acn3DC,Uds3DD,MAAA,Ict3DC,Udy3DD,MAAA,ac12DC,Ud62DD,MAAA,Yc72DC,gBdg3DD,MAAA,Kch3DC,gBdm3DD,MAAA,acn3DC,gBds3DD,MAAA,act3DC,edy3DD,MAAA,Icz3DC,ed43DD,MAAA,ac53DC,ed+3DD,MAAA,ac/3DC,edk4DD,MAAA,Icl4DC,edq4DD,MAAA,acr4DC,edw4DD,MAAA,acx4DC,ed24DD,MAAA,Ic34DC,ed84DD,MAAA,acz4DC,ed44DD,MAAA,Yc35DC,ed85DD,MAAA,Kc95DC,gBdi6DD,KAAA,Kcj6DC,gBdo6DD,KAAA,acp6DC,gBdu6DD,KAAA,acv6DC,ed06DD,KAAA,Ic16DC,ed66DD,KAAA,ac76DC,edg7DD,KAAA,ach7DC,edm7DD,KAAA,Icn7DC,eds7DD,KAAA,act7DC,edy7DD,KAAA,acz7DC,ed47DD,KAAA,Ic57DC,ed+7DD,KAAA,ac17DC,ed67DD,KAAA,Yc96DC,edi7DD,KAAA,Kcj7DC,kBdo7DD,YAAA,Kcp7DC,kBdu7DD,YAAA,acv7DC,kBd07DD,YAAA,ac17DC,iBd67DD,YAAA,Ic77DC,iBdg8DD,YAAA,ach8DC,iBdm8DD,YAAA,acn8DC,iBds8DD,YAAA,Ict8DC,iBdy8DD,YAAA,acz8DC,iBd48DD,YAAA,ac58DC,iBd+8DD,YAAA,Ic/8DC,iBdk9DD,YAAA,acl9DC,iBdq9DD,YAAA,YYz8DD,iBE9CE,YAAA,GAQF,0BACE,UAAA,WAAA,WAAA,WAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,UAAA,Uds/DD,MAAA,Kct/DC,Wdy/DD,MAAA,Kcz/DC,Wd4/DD,MAAA,ac5/DC,Wd+/DD,MAAA,ac//DC,UdkgED,MAAA,IclgEC,UdqgED,MAAA,acrgEC,UdwgED,MAAA,acxgEC,Ud2gED,MAAA,Ic3gEC,Ud8gED,MAAA,ac9gEC,UdihED,MAAA,acjhEC,UdohED,MAAA,IcphEC,UduhED,MAAA,acxgEC,Ud2gED,MAAA,Yc3gEC,gBd8gED,MAAA,Kc9gEC,gBdihED,MAAA,acjhEC,gBdohED,MAAA,acphEC,eduhED,MAAA,IcvhEC,ed0hED,MAAA,ac1hEC,ed6hED,MAAA,ac7hEC,edgiED,MAAA,IchiEC,edmiED,MAAA,acniEC,edsiED,MAAA,actiEC,edyiED,MAAA,IcziEC,ed4iED,MAAA,acviEC,ed0iED,MAAA,YczjEC,ed4jED,MAAA,Kc5jEC,gBd+jED,KAAA,Kc/jEC,gBdkkED,KAAA,aclkEC,gBdqkED,KAAA,acrkEC,edwkED,KAAA,IcxkEC,ed2kED,KAAA,ac3kEC,ed8kE
D,KAAA,ac9kEC,edilED,KAAA,IcjlEC,edolED,KAAA,acplEC,edulED,KAAA,acvlEC,ed0lED,KAAA,Ic1lEC,ed6lED,KAAA,acxlEC,ed2lED,KAAA,Yc5kEC,ed+kED,KAAA,Kc/kEC,kBdklED,YAAA,KcllEC,kBdqlED,YAAA,acrlEC,kBdwlED,YAAA,acxlEC,iBd2lED,YAAA,Ic3lEC,iBd8lED,YAAA,ac9lEC,iBdimED,YAAA,acjmEC,iBdomED,YAAA,IcpmEC,iBdumED,YAAA,acvmEC,iBd0mED,YAAA,ac1mEC,iBd6mED,YAAA,Ic7mEC,iBdgnED,YAAA,achnEC,iBdmnED,YAAA,YetrED,iBACA,YAAA,GAGA,MACA,iBAAA,YAEA,QfyrED,YAAA,IevrEC,eAAgB,IAChB,MAAA,KfyrED,WAAA,KelrEC,GACA,WAAA,KfsrED,OexrEC,MAAO,KdmsEP,UAAW,KACX,cAAe,KcvrET,mBd0rER,mBczrEQ,mBAHA,mBACA,mBd0rER,mBDHC,QAAA,IensEC,YAAa,WAoBX,eAAA,IACA,WAAA,IAAA,MAAA,KArBJ,mBdktEE,eAAgB,OAChB,cAAe,IAAI,MAAM,KDJ1B,uCCMD,uCcrtEA,wCdstEA,wCclrEI,2CANI,2CforEP,WAAA,EezqEG,mBf4qEH,WAAA,IAAA,MAAA,KCWD,cACE,iBAAkB,Kc/pEpB,6BdkqEA,6BcjqEE,6BAZM,6BfsqEP,6BCMD,6BDHC,QAAA,ICWD,gBACE,OAAQ,IAAI,MAAM,Kc1qEpB,4Bd6qEA,4Bc7qEA,4BAQQ,4Bf8pEP,4BCMD,4Bc7pEM,OAAA,IAAA,MAAA,KAYF,4BAFJ,4BfopEC,oBAAA,IevoEG,yCf0oEH,iBAAA,QehoEC,4BACA,iBAAA,QfooED,uBe9nEG,SAAA,OdyoEF,QAAS,acxoEL,MAAA,KAEA,sBfioEL,sBgB7wEC,SAAA,OfwxEA,QAAS,WACT,MAAO,KAST,0BerxEE,0Bf+wEF,0BAGA,0BexxEM,0BAMJ,0BfgxEF,0BAGA,0BACA,0BDNC,0BCAD,0BAGA,0BASE,iBAAkB,QDLnB,sCgBlyEC,sCAAA,oCfyyEF,sCetxEM,sCf2xEJ,iBAAkB,QASpB,2Be1yEE,2BfoyEF,2BAGA,2Be7yEM,2BAMJ,2BfqyEF,2BAGA,2BACA,2BDNC,2BCAD,2BAGA,2BASE,iBAAkB,QDLnB,uCgBvzEC,uCAAA,qCf8zEF,uCe3yEM,uCfgzEJ,iBAAkB,QASpB,wBe/zEE,wBfyzEF,wBAGA,wBel0EM,wBAMJ,wBf0zEF,wBAGA,wBACA,wBDNC,wBCAD,wBAGA,wBASE,iBAAkB,QDLnB,oCgB50EC,oCAAA,kCfm1EF,oCeh0EM,oCfq0EJ,iBAAkB,QASpB,2Bep1EE,2Bf80EF,2BAGA,2Bev1EM,2BAMJ,2Bf+0EF,2BAGA,2BACA,2BDNC,2BCAD,2BAGA,2BASE,iBAAkB,QDLnB,uCgBj2EC,uCAAA,qCfw2EF,uCer1EM,uCf01EJ,iBAAkB,QASpB,0Bez2EE,0Bfm2EF,0BAGA,0Be52EM,0BAMJ,0Bfo2EF,0BAGA,0BACA,0BDNC,0BCAD,0BAGA,0BASE,iBAAkB,QDLnB,sCehtEC,sCADF,oCdwtEA,sCe12EM,sCDoJJ,iBAAA,QA6DF,kBACE,WAAY,KA3DV,WAAA,KAEA,oCACA,kBACA,MAAA,KfotED,cAAA,Ke7pEC,WAAY,OAnDV,mBAAA,yBfmtEH,OAAA,IAAA,MAAA,KCWD,yBACE,cAAe,Ec5qEjB,qCd+qEA,qCcjtEI,qCARM,qCfktET,qCCMD,qCDHC,YAAA,OCWD,kCACE,OAAQ,EcvrEV,0Dd0r
EA,0Dc1rEA,0DAzBU,0Df4sET,0DCMD,0DAME,YAAa,Ec/rEf,yDdksEA,yDclsEA,yDArBU,yDfgtET,yDCMD,yDAME,aAAc,EDLjB,yDe1sEW,yDEzNV,yDjBk6EC,yDiBj6ED,cAAA,GAMA,SjBk6ED,UAAA,EiB/5EC,QAAS,EACT,OAAA,EACA,OAAA,EAEA,OACA,QAAA,MACA,MAAA,KACA,QAAA,EACA,cAAA,KACA,UAAA,KjBi6ED,YAAA,QiB95EC,MAAO,KACP,OAAA,EACA,cAAA,IAAA,MAAA,QAEA,MjBg6ED,QAAA,aiBr5EC,UAAW,Kb4BX,cAAA,IACG,YAAA,IJ63EJ,mBiBr5EC,mBAAoB,WhBg6EjB,gBAAiB,WgB95EpB,WAAA,WjBy5ED,qBiBv5EC,kBAGA,OAAQ,IAAI,EAAE,EACd,WAAA,MjBs5ED,YAAA,OiBj5EC,iBACA,QAAA,MAIF,kBhB25EE,QAAS,MgBz5ET,MAAA,KAIF,iBAAA,ahB05EE,OAAQ,KI99ER,uBY2EF,2BjB64EC,wBiB54EC,QAAA,IAAA,KAAA,yBACA,eAAA,KAEA,OACA,QAAA,MjB+4ED,YAAA,IiBr3EC,UAAW,KACX,YAAA,WACA,MAAA,KAEA,cACA,QAAA,MACA,MAAA,KACA,OAAA,KACA,QAAA,IAAA,KACA,UAAA,KACA,YAAA,WACA,MAAA,KbxDA,iBAAA,KACQ,iBAAA,KAyHR,OAAA,IAAA,MAAA,KACK,cAAA,IACG,mBAAA,MAAA,EAAA,IAAA,IAAA,iBJwzET,WAAA,MAAA,EAAA,IAAA,IAAA,iBkBh8EC,mBAAA,aAAA,YAAA,KAAA,mBAAA,YAAA,KACE,cAAA,aAAA,YAAA,KAAA,WAAA,YAAA,KACA,WAAA,aAAA,YAAA,KAAA,WAAA,YAAA,KdWM,oBJy7ET,aAAA,QIx5EC,QAAA,EACE,mBAAA,MAAA,EAAA,IAAA,IAAA,iBAAA,EAAA,EAAA,IAAA,qBACA,WAAA,MAAA,EAAA,IAAA,IAAA,iBAAA,EAAA,EAAA,IAAA,qBAEF,gCAA0B,MAAA,KJ25E3B,QAAA,EI15EiC,oCJ65EjC,MAAA,KiBh4EG,yCACA,MAAA,KAQF,0BhBs4EA,iBAAkB,YAClB,OAAQ,EgBn4EN,wBjB63EH,wBiB13EC,iChBq4EA,iBAAkB,KgBn4EhB,QAAA,EAIF,wBACE,iCjB03EH,OAAA,YiB72EC,sBjBg3ED,OAAA,KiB91EG,mBhB02EF,mBAAoB,KAEtB,qDgB32EM,8BjBo2EH,8BiBj2EC,wCAAA,+BhB62EA,YAAa,KgB32EX,iCjBy2EH,iCiBt2EC,2CAAA,kChB02EF,0BACA,0BACA,oCACA,2BAKE,YAAa,KgBh3EX,iCjB82EH,iCACF,2CiBp2EC,kChBu2EA,0BACA,0BACA,oCACA,2BgBz2EA,YAAA,MhBi3EF,YgBv2EE,cAAA,KAGA,UADA,OjBi2ED,SAAA,SiBr2EC,QAAS,MhBg3ET,WAAY,KgBx2EV,cAAA,KAGA,gBADA,aAEA,WAAA,KjBi2EH,aAAA,KiB91EC,cAAe,EhBy2Ef,YAAa,IACb,OAAQ,QgBp2ER,+BjBg2ED,sCiBl2EC,yBACA,gCAIA,SAAU,ShBw2EV,WAAY,MgBt2EZ,YAAA,MAIF,oBAAA,cAEE,WAAA,KAGA,iBADA,cAEA,SAAA,SACA,QAAA,aACA,aAAA,KjB61ED,cAAA,EiB31EC,YAAa,IhBs2Eb,eAAgB,OgBp2EhB,OAAA,QAUA,kCjBo1ED,4BCWC,WAAY,EACZ,YAAa,KgBv1Eb,wCAAA,qCjBm1ED,8BCOD,+BgBh2EI,2BhB+1EJ,4BAME,OAAQ,YDNT,0BiBv1EG,uBAMF,oCAAA,iChB61EA,
OAAQ,YDNT,yBiBp1EK,sBAaJ,mCAFF,gCAGE,OAAA,YAGA,qBjBy0ED,WAAA,KiBv0EC,YAAA,IhBk1EA,eAAgB,IgBh1Ed,cAAA,EjB00EH,8BiB5zED,8BCnQE,cAAA,EACA,aAAA,EAEA,UACA,OAAA,KlBkkFD,QAAA,IAAA,KkBhkFC,UAAA,KACE,YAAA,IACA,cAAA,IAGF,gBjB0kFA,OAAQ,KiBxkFN,YAAA,KD2PA,0BAFJ,kBAGI,OAAA,KAEA,6BACA,OAAA,KjBy0EH,QAAA,IAAA,KiB/0EC,UAAW,KAST,YAAA,IACA,cAAA,IAVJ,mChB81EE,OAAQ,KgBh1EN,YAAA,KAGA,6CAjBJ,qCAkBI,OAAA,KAEA,oCACA,OAAA,KjBy0EH,WAAA,KiBr0EC,QAAS,IAAI,KC/Rb,UAAA,KACA,YAAA,IAEA,UACA,OAAA,KlBumFD,QAAA,KAAA,KkBrmFC,UAAA,KACE,YAAA,UACA,cAAA,IAGF,gBjB+mFA,OAAQ,KiB7mFN,YAAA,KDuRA,0BAFJ,kBAGI,OAAA,KAEA,6BACA,OAAA,KjBk1EH,QAAA,KAAA,KiBx1EC,UAAW,KAST,YAAA,UACA,cAAA,IAVJ,mChBu2EE,OAAQ,KgBz1EN,YAAA,KAGA,6CAjBJ,qCAkBI,OAAA,KAEA,oCACA,OAAA,KjBk1EH,WAAA,KiBz0EC,QAAS,KAAK,KAEd,UAAA,KjB00ED,YAAA,UiBt0EG,cjBy0EH,SAAA,SiBp0EC,4BACA,cAAA,OAEA,uBACA,SAAA,SACA,IAAA,EACA,MAAA,EACA,QAAA,EACA,QAAA,MACA,MAAA,KjBu0ED,OAAA,KiBr0EC,YAAa,KhBg1Eb,WAAY,OACZ,eAAgB,KDLjB,oDiBv0EC,uCADA,iCAGA,MAAO,KhBg1EP,OAAQ,KACR,YAAa,KDLd,oDiBv0EC,uCADA,iCAKA,MAAO,KhB80EP,OAAQ,KACR,YAAa,KAKf,uBAEA,8BAJA,4BADA,yBAEA,oBAEA,2BDNC,4BkBruFG,mCAJA,yBD0ZJ,gCbvWE,MAAA,QJ2rFD,2BkBxuFG,aAAA,QACE,mBAAA,MAAA,EAAA,IAAA,IAAA,iBd4CJ,WAAA,MAAA,EAAA,IAAA,IAAA,iBJgsFD,iCiBz1EC,aAAc,QC5YZ,mBAAA,MAAA,EAAA,IAAA,IAAA,iBAAA,EAAA,EAAA,IAAA,QACA,WAAA,MAAA,EAAA,IAAA,IAAA,iBAAA,EAAA,EAAA,IAAA,QlByuFH,gCiB91EC,MAAO,QCtYL,iBAAA,QlBuuFH,aAAA,QCWD,oCACE,MAAO,QAKT,uBAEA,8BAJA,4BADA,yBAEA,oBAEA,2BDNC,4BkBnwFG,mCAJA,yBD6ZJ,gCb1WE,MAAA,QJytFD,2BkBtwFG,aAAA,QACE,mBAAA,MAAA,EAAA,IAAA,IAAA,iBd4CJ,WAAA,MAAA,EAAA,IAAA,IAAA,iBJ8tFD,iCiBp3EC,aAAc,QC/YZ,mBAAA,MAAA,EAAA,IAAA,IAAA,iBAAA,EAAA,EAAA,IAAA,QACA,WAAA,MAAA,EAAA,IAAA,IAAA,iBAAA,EAAA,EAAA,IAAA,QlBuwFH,gCiBz3EC,MAAO,QCzYL,iBAAA,QlBqwFH,aAAA,QCWD,oCACE,MAAO,QAKT,qBAEA,4BAJA,0BADA,uBAEA,kBAEA,yBDNC,0BkBjyFG,iCAJA,uBDgaJ,8Bb7WE,MAAA,QJuvFD,yBkBpyFG,aAAA,QACE,mBAAA,MAAA,EAAA,IAAA,IAAA,iBd4CJ,WAAA,MAAA,EAAA,IAAA,IAAA,iBJ4vFD,+BiB/4EC,aAAc,QClZZ,mBAAA,MAAA,EAAA,IAAA,IAAA,iBAAA,EAAA,EAAA,IAAA,QACA,WAAA,MAAA,EAAA,IAAA,IAAA,iBAAA,EAA
A,EAAA,IAAA,QlBqyFH,8BiBp5EC,MAAO,QC5YL,iBAAA,QlBmyFH,aAAA,QiB/4EG,kCjBk5EH,MAAA,QiB/4EG,2CjBk5EH,IAAA,KiBv4EC,mDACA,IAAA,EAEA,YjB04ED,QAAA,MiBvzEC,WAAY,IAwEZ,cAAe,KAtIX,MAAA,QAEA,yBjBy3EH,yBiBrvEC,QAAS,aA/HP,cAAA,EACA,eAAA,OjBw3EH,2BiB1vEC,QAAS,aAxHP,MAAA,KjBq3EH,eAAA,OiBj3EG,kCACA,QAAA,aAmHJ,0BhB4wEE,QAAS,aACT,eAAgB,OgBr3Ed,wCjB82EH,6CiBtwED,2CjBywEC,MAAA,KiB72EG,wCACA,MAAA,KAmGJ,4BhBwxEE,cAAe,EgBp3Eb,eAAA,OAGA,uBADA,oBjB82EH,QAAA,aiBpxEC,WAAY,EhB+xEZ,cAAe,EgBr3EX,eAAA,OAsFN,6BAAA,0BAjFI,aAAA,EAiFJ,4CjB6xEC,sCiBx2EG,SAAA,SjB22EH,YAAA,EiBh2ED,kDhB42EE,IAAK,GgBl2EL,2BjB+1EH,kCiBh2EG,wBAEA,+BAXF,YAAa,IhBo3Eb,WAAY,EgBn2EV,cAAA,EJviBF,2BIshBF,wBJrhBE,WAAA,KI4jBA,6BAyBA,aAAc,MAnCV,YAAA,MAEA,yBjBw1EH,gCACF,YAAA,IiBx3EG,cAAe,EAwCf,WAAA,OAwBJ,sDAdQ,MAAA,KjB80EL,yBACF,+CiBn0EC,YAAA,KAEE,UAAW,MjBs0EZ,yBACF,+CmBp6FG,YAAa,IACf,UAAA,MAGA,KACA,QAAA,aACA,QAAA,IAAA,KAAA,cAAA,EACA,UAAA,KACA,YAAA,IACA,YAAA,WACA,WAAA,OC0CA,YAAA,OACA,eAAA,OACA,iBAAA,aACA,aAAA,ahB+JA,OAAA,QACG,oBAAA,KACC,iBAAA,KACI,gBAAA,KJ+tFT,YAAA,KmBv6FG,iBAAA,KlBm7FF,OAAQ,IAAI,MAAM,YAClB,cAAe,IkB96Ff,kBdzBA,kBACA,WLk8FD,kBCOD,kBADA,WAME,QAAS,IAAI,KAAK,yBAClB,eAAgB,KkBh7FhB,WnBy6FD,WmB56FG,WlBw7FF,MAAO,KkBn7FL,gBAAA,Kf6BM,YADR,YJk5FD,iBAAA,KmBz6FC,QAAA,ElBq7FA,mBAAoB,MAAM,EAAE,IAAI,IAAI,iBAC5B,WAAY,MAAM,EAAE,IAAI,IAAI,iBoBh+FpC,cAGA,ejB8DA,wBACQ,OAAA,YJ05FT,OAAA,kBmBz6FG,mBAAA,KlBq7FM,WAAY,KkBn7FhB,QAAA,IASN,eC3DE,yBACA,eAAA,KpBi+FD,aoB99FC,MAAA,KnB0+FA,iBAAkB,KmBx+FhB,aAAA,KpBk+FH,mBoBh+FO,mBAEN,MAAA,KACE,iBAAA,QACA,aAAA,QpBi+FH,mBoB99FC,MAAA,KnB0+FA,iBAAkB,QAClB,aAAc,QmBt+FR,oBADJ,oBpBi+FH,mCoB99FG,MAAA,KnB0+FF,iBAAkB,QAClB,aAAc,QmBt+FN,0BnB4+FV,0BAHA,0BmB1+FM,0BnB4+FN,0BAHA,0BDFC,yCoBx+FK,yCnB4+FN,yCmBv+FE,MAAA,KnB++FA,iBAAkB,QAClB,aAAc,QmBx+FZ,oBpBg+FH,oBoBh+FG,mCnB6+FF,iBAAkB,KmBz+FV,4BnB8+FV,4BAHA,4BDHC,6BCOD,6BAHA,6BkB39FA,sCClBM,sCnB8+FN,sCmBx+FI,iBAAA,KACA,aAAA,KDcJ,oBC9DE,MAAA,KACA,iBAAA,KpB0hGD,aoBvhGC,MAAA,KnBmiGA,iBAAkB,QmBjiGhB,aAAA,QpB2hGH,mBoBzhGO,mBAEN,MAAA,KACE,iBAAA,QACA,aAAA,QpB0hGH,mBoBvhGC,MAAA
,KnBmiGA,iBAAkB,QAClB,aAAc,QmB/hGR,oBADJ,oBpB0hGH,mCoBvhGG,MAAA,KnBmiGF,iBAAkB,QAClB,aAAc,QmB/hGN,0BnBqiGV,0BAHA,0BmBniGM,0BnBqiGN,0BAHA,0BDFC,yCoBjiGK,yCnBqiGN,yCmBhiGE,MAAA,KnBwiGA,iBAAkB,QAClB,aAAc,QmBjiGZ,oBpByhGH,oBoBzhGG,mCnBsiGF,iBAAkB,KmBliGV,4BnBuiGV,4BAHA,4BDHC,6BCOD,6BAHA,6BkBjhGA,sCCrBM,sCnBuiGN,sCmBjiGI,iBAAA,QACA,aAAA,QDkBJ,oBClEE,MAAA,QACA,iBAAA,KpBmlGD,aoBhlGC,MAAA,KnB4lGA,iBAAkB,QmB1lGhB,aAAA,QpBolGH,mBoBllGO,mBAEN,MAAA,KACE,iBAAA,QACA,aAAA,QpBmlGH,mBoBhlGC,MAAA,KnB4lGA,iBAAkB,QAClB,aAAc,QmBxlGR,oBADJ,oBpBmlGH,mCoBhlGG,MAAA,KnB4lGF,iBAAkB,QAClB,aAAc,QmBxlGN,0BnB8lGV,0BAHA,0BmB5lGM,0BnB8lGN,0BAHA,0BDFC,yCoB1lGK,yCnB8lGN,yCmBzlGE,MAAA,KnBimGA,iBAAkB,QAClB,aAAc,QmB1lGZ,oBpBklGH,oBoBllGG,mCnB+lGF,iBAAkB,KmB3lGV,4BnBgmGV,4BAHA,4BDHC,6BCOD,6BAHA,6BkBtkGA,sCCzBM,sCnBgmGN,sCmB1lGI,iBAAA,QACA,aAAA,QDsBJ,oBCtEE,MAAA,QACA,iBAAA,KpB4oGD,UoBzoGC,MAAA,KnBqpGA,iBAAkB,QmBnpGhB,aAAA,QpB6oGH,gBoB3oGO,gBAEN,MAAA,KACE,iBAAA,QACA,aAAA,QpB4oGH,gBoBzoGC,MAAA,KnBqpGA,iBAAkB,QAClB,aAAc,QmBjpGR,iBADJ,iBpB4oGH,gCoBzoGG,MAAA,KnBqpGF,iBAAkB,QAClB,aAAc,QmBjpGN,uBnBupGV,uBAHA,uBmBrpGM,uBnBupGN,uBAHA,uBDFC,sCoBnpGK,sCnBupGN,sCmBlpGE,MAAA,KnB0pGA,iBAAkB,QAClB,aAAc,QmBnpGZ,iBpB2oGH,iBoB3oGG,gCnBwpGF,iBAAkB,KmBppGV,yBnBypGV,yBAHA,yBDHC,0BCOD,0BAHA,0BkB3nGA,mCC7BM,mCnBypGN,mCmBnpGI,iBAAA,QACA,aAAA,QD0BJ,iBC1EE,MAAA,QACA,iBAAA,KpBqsGD,aoBlsGC,MAAA,KnB8sGA,iBAAkB,QmB5sGhB,aAAA,QpBssGH,mBoBpsGO,mBAEN,MAAA,KACE,iBAAA,QACA,aAAA,QpBqsGH,mBoBlsGC,MAAA,KnB8sGA,iBAAkB,QAClB,aAAc,QmB1sGR,oBADJ,oBpBqsGH,mCoBlsGG,MAAA,KnB8sGF,iBAAkB,QAClB,aAAc,QmB1sGN,0BnBgtGV,0BAHA,0BmB9sGM,0BnBgtGN,0BAHA,0BDFC,yCoB5sGK,yCnBgtGN,yCmB3sGE,MAAA,KnBmtGA,iBAAkB,QAClB,aAAc,QmB5sGZ,oBpBosGH,oBoBpsGG,mCnBitGF,iBAAkB,KmB7sGV,4BnBktGV,4BAHA,4BDHC,6BCOD,6BAHA,6BkBhrGA,sCCjCM,sCnBktGN,sCmB5sGI,iBAAA,QACA,aAAA,QD8BJ,oBC9EE,MAAA,QACA,iBAAA,KpB8vGD,YoB3vGC,MAAA,KnBuwGA,iBAAkB,QmBrwGhB,aAAA,QpB+vGH,kBoB7vGO,kBAEN,MAAA,KACE,iBAAA,QACA,aAAA,QpB8vGH,kBoB3vGC,MAAA,KnBuwGA,iBAAkB,QAClB,aAAc,QmBnwGR,mBADJ,mBpB8vGH,kCoB3vGG,MAAA,KnBu
wGF,iBAAkB,QAClB,aAAc,QmBnwGN,yBnBywGV,yBAHA,yBmBvwGM,yBnBywGN,yBAHA,yBDFC,wCoBrwGK,wCnBywGN,wCmBpwGE,MAAA,KnB4wGA,iBAAkB,QAClB,aAAc,QmBrwGZ,mBpB6vGH,mBoB7vGG,kCnB0wGF,iBAAkB,KmBtwGV,2BnB2wGV,2BAHA,2BDHC,4BCOD,4BAHA,4BkBruGA,qCCrCM,qCnB2wGN,qCmBrwGI,iBAAA,QACA,aAAA,QDuCJ,mBACE,MAAA,QACA,iBAAA,KnB+tGD,UmB5tGC,YAAA,IlBwuGA,MAAO,QACP,cAAe,EAEjB,UGzwGE,iBemCE,iBflCM,oBJkwGT,6BmB7tGC,iBAAA,YlByuGA,mBAAoB,KACZ,WAAY,KkBtuGlB,UAEF,iBAAA,gBnB6tGD,gBmB3tGG,aAAA,YnBiuGH,gBmB/tGG,gBAIA,MAAA,QlBuuGF,gBAAiB,UACjB,iBAAkB,YDNnB,0BmBhuGK,0BAUN,mCATM,mClB2uGJ,MAAO,KmB1yGP,gBAAA,KAGA,mBADA,QpBmyGD,QAAA,KAAA,KmBztGC,UAAW,KlBquGX,YAAa,UmBjzGb,cAAA,IAGA,mBADA,QpB0yGD,QAAA,IAAA,KmB5tGC,UAAW,KlBwuGX,YAAa,ImBxzGb,cAAA,IAGA,mBADA,QpBizGD,QAAA,IAAA,ImB3tGC,UAAW,KACX,YAAA,IACA,cAAA,IAIF,WACE,QAAA,MnB2tGD,MAAA,KCYD,sBACE,WAAY,IqBz3GZ,6BADF,4BtBk3GC,6BI7rGC,MAAA,KAEQ,MJisGT,QAAA,EsBr3GC,mBAAA,QAAA,KAAA,OACE,cAAA,QAAA,KAAA,OtBu3GH,WAAA,QAAA,KAAA,OsBl3GC,StBq3GD,QAAA,EsBn3Ga,UtBs3Gb,QAAA,KsBr3Ga,atBw3Gb,QAAA,MsBv3Ga,etB03Gb,QAAA,UsBt3GC,kBACA,QAAA,gBlBwKA,YACQ,SAAA,SAAA,OAAA,EAOR,SAAA,OACQ,mCAAA,KAAA,8BAAA,KAGR,2BAAA,KACQ,4BAAA,KAAA,uBAAA,KJ2sGT,oBAAA,KuBr5GC,4BAA6B,OAAQ,WACrC,uBAAA,OAAA,WACA,oBAAA,OAAA,WAEA,OACA,QAAA,aACA,MAAA,EACA,OAAA,EACA,YAAA,IACA,eAAA,OvBu5GD,WAAA,IAAA,OuBn5GC,WAAY,IAAI,QtBk6GhB,aAAc,IAAI,MAAM,YsBh6GxB,YAAA,IAAA,MAAA,YAKA,UADF,QvBo5GC,SAAA,SuB94GC,uBACA,QAAA,EAEA,eACA,SAAA,SACA,IAAA,KACA,KAAA,EACA,QAAA,KACA,QAAA,KACA,MAAA,KACA,UAAA,MACA,QAAA,IAAA,EACA,OAAA,IAAA,EAAA,EACA,UAAA,KACA,WAAA,KACA,WAAA,KnBsBA,iBAAA,KACQ,wBAAA,YmBrBR,gBAAA,YtB+5GA,OsB/5GA,IAAA,MAAA,KvBk5GD,OAAA,IAAA,MAAA,gBuB74GC,cAAA,IACE,mBAAA,EAAA,IAAA,KAAA,iBACA,WAAA,EAAA,IAAA,KAAA,iBAzBJ,0BCzBE,MAAA,EACA,KAAA,KAEA,wBxBo8GD,OAAA,IuB96GC,OAAQ,IAAI,EAmCV,SAAA,OACA,iBAAA,QAEA,oBACA,QAAA,MACA,QAAA,IAAA,KACA,MAAA,KvB84GH,YAAA,IuBx4GC,YAAA,WtBw5GA,MAAO,KsBt5GL,YAAA,OvB44GH,0BuB14GG,0BAMF,MAAA,QtBo5GA,gBAAiB,KACjB,iBAAkB,QsBj5GhB,yBAEA,+BADA,+BvBu4GH,MAAA,KuB73GC,gBAAA,KtB64GA,iBAAkB,QAClB,QAAS,EDZV,2BuB33GC,iCAAA,iCAE
E,MAAA,KEzGF,iCF2GE,iCAEA,gBAAA,KvB63GH,OAAA,YuBx3GC,iBAAkB,YAGhB,iBAAA,KvBw3GH,OAAA,0DuBn3GG,qBvBs3GH,QAAA,MuB72GC,QACA,QAAA,EAQF,qBACE,MAAA,EACA,KAAA,KAIF,oBACE,MAAA,KACA,KAAA,EAEA,iBACA,QAAA,MACA,QAAA,IAAA,KvBw2GD,UAAA,KuBp2GC,YAAa,WACb,MAAA,KACA,YAAA,OAEA,mBACA,SAAA,MACA,IAAA,EvBs2GD,MAAA,EuBl2GC,OAAQ,EACR,KAAA,EACA,QAAA,IAQF,2BtB42GE,MAAO,EsBx2GL,KAAA,KAEA,eACA,sCvB41GH,QAAA,GuBn2GC,WAAY,EtBm3GZ,cAAe,IAAI,OsBx2GjB,cAAA,IAAA,QAEA,uBvB41GH,8CuBv0GC,IAAK,KAXL,OAAA,KApEA,cAAA,IvB25GC,yBuBv1GD,6BA1DA,MAAA,EACA,KAAA,KvBq5GD,kC0BpiHG,MAAO,KzBojHP,KAAM,GyBhjHR,W1BsiHD,oB0B1iHC,SAAU,SzB0jHV,QAAS,ayBpjHP,eAAA,OAGA,yB1BsiHH,gBCgBC,SAAU,SACV,MAAO,KyB7iHT,gC1BsiHC,gCCYD,+BAFA,+ByBhjHA,uBANM,uBzBujHN,sBAFA,sBAQE,QAAS,EyBljHP,qB1BuiHH,2B0BliHD,2BACE,iC1BoiHD,YAAA,KCgBD,aACE,YAAa,KDZd,kB0B1iHD,wBAAA,0BzB2jHE,MAAO,KDZR,kB0B/hHD,wBACE,0B1BiiHD,YAAA,I0B5hHC,yE1B+hHD,cAAA,E2BhlHC,4BACG,YAAA,EDsDL,mEzB6iHE,wBAAyB,E0B5lHzB,2BAAA,E3BilHD,6C0B5hHD,8CACE,uBAAA,E1B8hHD,0BAAA,E0B3hHC,sB1B8hHD,MAAA,KCgBD,8D0B/mHE,cAAA,E3BomHD,mE0B3hHD,oECjEE,wBAAA,EACG,2BAAA,EDqEL,oEzB0iHE,uBAAwB,EyBxiHxB,0BAAA,EAiBF,mCACE,iCACA,QAAA,EAEF,iCACE,cAAA,IACA,aAAA,IAKF,oCtB/CE,cAAA,KACQ,aAAA,KsBkDR,iCtBnDA,mBAAA,MAAA,EAAA,IAAA,IAAA,iBACQ,WAAA,MAAA,EAAA,IAAA,IAAA,iBsByDV,0CACE,mBAAA,K1BugHD,WAAA,K0BngHC,YACA,YAAA,EAGF,eACE,aAAA,IAAA,IAAA,E1BqgHD,oBAAA,ECgBD,uBACE,aAAc,EAAE,IAAI,IyB1gHlB,yBACA,+BACA,oC1B+/GH,QAAA,M0BtgHC,MAAO,KAcH,MAAA,K1B2/GL,UAAA,KCgBD,oCACE,MAAO,KyBpgHL,8BACA,oC1By/GH,oC0Bp/GC,0CACE,WAAA,K1Bs/GH,YAAA,E2B/pHC,4DACC,cAAA,EAQA,sD3B4pHF,uBAAA,I0Bt/GC,wBAAA,IC/KA,2BAAA,EACC,0BAAA,EAQA,sD3BkqHF,uBAAA,E0Bv/GC,wBAAyB,EACzB,2BAAA,I1By/GD,0BAAA,ICgBD,uE0BtrHE,cAAA,E3B2qHD,4E0Bt/GD,6EC7LE,2BAAA,EACC,0BAAA,EDoMH,6EACE,uBAAA,EACA,wBAAA,EAEA,qB1Bo/GD,QAAA,M0Bx/GC,MAAO,KzBwgHP,aAAc,MyBjgHZ,gBAAA,SAEA,0B1Bq/GH,gC0B9/GC,QAAS,WAYP,MAAA,K1Bq/GH,MAAA,G0Bj/GG,qC1Bo/GH,MAAA,KCgBD,+CACE,KAAM,KyB7+GF,gDAFA,6C1Bs+GL,2D0Br+GK,wDEzOJ,SAAU,SACV,KAAA,cACA,eAAA,K5BitHD,a4B7sHC,SAAA,SACE,QAAA,MACA,gBAAA,S5BgtHH,0B4BxtHC,MA
AO,KAeL,cAAA,EACA,aAAA,EAOA,2BACA,SAAA,S5BusHH,QAAA,E4BrsHG,MAAA,KACE,MAAA,K5BusHL,cAAA,ECgBD,iCACE,QAAS,EiBnrHT,8BACA,mCACA,sCACA,OAAA,KlBwqHD,QAAA,KAAA,KkBtqHC,UAAA,KjBsrHA,YAAa,UACb,cAAe,IiBrrHb,oClB0qHH,yCkBvqHC,4CjBurHA,OAAQ,KACR,YAAa,KDTd,8C4B/sHD,mDAAA,sD3B0tHA,sCACA,2CiBzrHI,8CjB8rHF,OAAQ,KiB1sHR,8BACA,mCACA,sCACA,OAAA,KlB+rHD,QAAA,IAAA,KkB7rHC,UAAA,KjB6sHA,YAAa,IACb,cAAe,IiB5sHb,oClBisHH,yCkB9rHC,4CjB8sHA,OAAQ,KACR,YAAa,KDTd,8C4B7tHD,mDAAA,sD3BwuHA,sCACA,2CiBhtHI,8CjBqtHF,OAAQ,K2BzuHR,2B5B6tHD,mB4B7tHC,iB3B8uHA,QAAS,W2BzuHX,8D5B6tHC,sD4B7tHD,oDAEE,cAAA,EAEA,mB5B+tHD,iB4B1tHC,MAAO,GACP,YAAA,OACA,eAAA,OAEA,mBACA,QAAA,IAAA,KACA,UAAA,KACA,YAAA,IACA,YAAA,EACA,MAAA,K5B4tHD,WAAA,O4BztHC,iBAAA,KACE,OAAA,IAAA,MAAA,KACA,cAAA,I5B4tHH,4B4BztHC,QAAA,IAAA,KACE,UAAA,KACA,cAAA,I5B4tHH,4B4B/uHC,QAAS,KAAK,K3B+vHd,UAAW,K2BruHT,cAAA,IAKJ,wCAAA,qC3BquHE,WAAY,EAEd,uCACA,+BACA,kC0B70HE,6CACG,8CC4GL,6D5BqtHC,wE4BptHC,wBAAA,E5ButHD,2BAAA,ECgBD,+BACE,aAAc,EAEhB,sCACA,8B2BhuHA,+D5BstHC,oDCWD,iC0Bl1HE,4CACG,6CCiHH,uBAAA,E5BwtHD,0BAAA,E4BltHC,8BAGA,YAAA,E5BotHD,iB4BxtHC,SAAU,SAUR,UAAA,E5BitHH,YAAA,O4B/sHK,sB5BktHL,SAAA,SCgBD,2BACE,YAAa,K2BxtHb,6BAAA,4B5B4sHD,4B4BzsHK,QAAA,EAGJ,kCAAA,wCAGI,aAAA,K5B4sHL,iC6B12HD,uCACE,QAAA,EACA,YAAA,K7B62HD,K6B/2HC,aAAc,EAOZ,cAAA,EACA,WAAA,KARJ,QAWM,SAAA,SACA,QAAA,M7B42HL,U6B12HK,SAAA,S5B03HJ,QAAS,M4Bx3HH,QAAA,KAAA,KAMJ,gB7Bu2HH,gB6Bt2HK,gBAAA,K7By2HL,iBAAA,KCgBD,mB4Br3HQ,MAAA,KAGA,yBADA,yB7B02HP,MAAA,K6Bl2HG,gBAAA,K5Bk3HF,OAAQ,YACR,iBAAkB,Y4B/2Hd,aAzCN,mB7B64HC,mBwBh5HC,iBAAA,KACA,aAAA,QAEA,kBxBm5HD,OAAA,I6Bn5HC,OAAQ,IAAI,EA0DV,SAAA,O7B41HH,iBAAA,Q6Bl1HC,c7Bq1HD,UAAA,K6Bn1HG,UAEA,cAAA,IAAA,MAAA,KALJ,aASM,MAAA,KACA,cAAA,KAEA,e7Bo1HL,aAAA,I6Bn1HK,YAAA,WACE,OAAA,IAAA,MAAA,Y7Bq1HP,cAAA,IAAA,IAAA,EAAA,ECgBD,qBACE,aAAc,KAAK,KAAK,K4B51HlB,sBAEA,4BADA,4BAEA,MAAA,K7Bi1HP,OAAA,Q6B50HC,iBAAA,KAqDA,OAAA,IAAA,MAAA,KA8BA,oBAAA,YAnFA,wBAwDE,MAAA,K7B2xHH,cAAA,E6BzxHK,2BACA,MAAA,KA3DJ,6BAgEE,cAAA,IACA,WAAA,OAYJ,iDA0DE,IAAK,KAjED,KAAA,K7B0xHH,yB6BztHD,2BA9DM,QAAA,W7B0xHL
,MAAA,G6Bn2HD,6BAuFE,cAAA,GAvFF,6B5Bw3HA,aAAc,EACd,cAAe,IDZhB,kC6BtuHD,wCA3BA,wCATM,OAAA,IAAA,MAAA,K7B+wHH,yB6B3uHD,6B5B2vHE,cAAe,IAAI,MAAM,KACzB,cAAe,IAAI,IAAI,EAAE,EDZ1B,kC6B92HD,wC7B+2HD,wC6B72HG,oBAAA,MAIE,c7B+2HL,MAAA,K6B52HK,gB7B+2HL,cAAA,ICgBD,iBACE,YAAa,I4Bv3HP,uBAQR,6B7Bo2HC,6B6Bl2HG,MAAA,K7Bq2HH,iBAAA,Q6Bn2HK,gBACA,MAAA,KAYN,mBACE,WAAA,I7B41HD,YAAA,E6Bz1HG,e7B41HH,MAAA,K6B11HK,kBACA,MAAA,KAPN,oBAYI,cAAA,IACA,WAAA,OAYJ,wCA0DE,IAAK,KAjED,KAAA,K7B21HH,yB6B1xHD,kBA9DM,QAAA,W7B21HL,MAAA,G6Bl1HD,oBACA,cAAA,GAIE,oBACA,cAAA,EANJ,yB5B02HE,aAAc,EACd,cAAe,IDZhB,8B6B1yHD,oCA3BA,oCATM,OAAA,IAAA,MAAA,K7Bm1HH,yB6B/yHD,yB5B+zHE,cAAe,IAAI,MAAM,KACzB,cAAe,IAAI,IAAI,EAAE,EDZ1B,8B6Bx0HD,oC7By0HD,oC6Bv0HG,oBAAA,MAGA,uB7B00HH,QAAA,K6B/zHC,qBF3OA,QAAA,M3B+iID,yB8BxiIC,WAAY,KACZ,uBAAA,EACA,wBAAA,EAEA,Q9B0iID,SAAA,S8BliIC,WAAY,KA8nBZ,cAAe,KAhoBb,OAAA,IAAA,MAAA,Y9ByiIH,yB8BzhIC,QAgnBE,cAAe,K9B86GlB,yB8BjhIC,eACA,MAAA,MAGA,iBACA,cAAA,KAAA,aAAA,KAEA,WAAA,Q9BkhID,2BAAA,M8BhhIC,WAAA,IAAA,MAAA,YACE,mBAAA,MAAA,EAAA,IAAA,EAAA,qB9BkhIH,WAAA,MAAA,EAAA,IAAA,EAAA,qB8Bz7GD,oBArlBI,WAAA,KAEA,yBAAA,iB9BkhID,MAAA,K8BhhIC,WAAA,EACE,mBAAA,KACA,WAAA,KAEA,0B9BkhIH,QAAA,gB8B/gIC,OAAA,eACE,eAAA,E9BihIH,SAAA,kBCkBD,oBACE,WAAY,QDZf,sC8B/gIK,mC9B8gIH,oC8BzgIC,cAAe,E7B4hIf,aAAc,G6Bj+GlB,sCAnjBE,mC7ByhIA,WAAY,MDdX,4D8BngID,sC9BogID,mCCkBG,WAAY,O6B3gId,kCANE,gC9BsgIH,4B8BvgIG,0BAuiBF,aAAc,M7Bm/Gd,YAAa,MAEf,yBDZC,kC8B3gIK,gC9B0gIH,4B8B3gIG,0BAcF,aAAc,EAChB,YAAA,GAMF,mBA8gBE,QAAS,KAhhBP,aAAA,EAAA,EAAA,I9BkgIH,yB8B7/HC,mB7B+gIE,cAAe,G6B1gIjB,qBADA,kB9BggID,SAAA,M8Bz/HC,MAAO,EAggBP,KAAM,E7B4gHN,QAAS,KDdR,yB8B7/HD,qB9B8/HD,kB8B7/HC,cAAA,GAGF,kBACE,IAAA,EACA,aAAA,EAAA,EAAA,I9BigID,qB8B1/HC,OAAQ,EACR,cAAA,EACA,aAAA,IAAA,EAAA,EAEA,cACA,MAAA,K9B4/HD,OAAA,K8B1/HC,QAAA,KAAA,K7B4gIA,UAAW,K6B1gIT,YAAA,KAIA,oBAbJ,oB9BwgIC,gBAAA,K8Bv/HG,kB7B0gIF,QAAS,MDdR,yBACF,iC8Bh/HC,uCACA,YAAA,OAGA,eC9LA,SAAA,SACA,MAAA,MD+LA,QAAA,IAAA,KACA,WAAA,IACA,aAAA,KACA,cAAA,I9Bm/HD,iBAAA,Y8B/+HC,iBAAA,KACE,OAAA,IAAA,MAAA,Y9Bi/HH,cAAA,I8B5+HG,qBA
CA,QAAA,EAEA,yB9B++HH,QAAA,M8BrgIC,MAAO,KAyBL,OAAA,I9B++HH,cAAA,I8BpjHD,mCAvbI,WAAA,I9Bg/HH,yB8Bt+HC,eACA,QAAA,MAGE,YACA,OAAA,MAAA,M9By+HH,iB8B58HC,YAAA,KA2YA,eAAgB,KAjaZ,YAAA,KAEA,yBACA,iCACA,SAAA,OACA,MAAA,KACA,MAAA,KAAA,WAAA,E9Bs+HH,iBAAA,Y8B3kHC,OAAQ,E7B8lHR,mBAAoB,K6Bt/HhB,WAAA,KAGA,kDAqZN,sC9BklHC,QAAA,IAAA,KAAA,IAAA,KCmBD,sC6Bv/HQ,YAAA,KAmBR,4C9Bs9HD,4C8BvlHG,iBAAkB,M9B4lHnB,yB8B5lHD,YAtYI,MAAA,K9Bq+HH,OAAA,E8Bn+HK,eACA,MAAA,K9Bu+HP,iB8B39HG,YAAa,KACf,eAAA,MAGA,aACA,QAAA,KAAA,K1B9NA,WAAA,IACQ,aAAA,M2B/DR,cAAA,IACA,YAAA,M/B4vID,WAAA,IAAA,MAAA,YiBtuHC,cAAe,IAAI,MAAM,YAwEzB,mBAAoB,MAAM,EAAE,IAAI,EAAE,qBAAyB,EAAE,IAAI,EAAE,qBAtI/D,WAAA,MAAA,EAAA,IAAA,EAAA,qBAAA,EAAA,IAAA,EAAA,qBAEA,yBjBwyHH,yBiBpqHC,QAAS,aA/HP,cAAA,EACA,eAAA,OjBuyHH,2BiBzqHC,QAAS,aAxHP,MAAA,KjBoyHH,eAAA,OiBhyHG,kCACA,QAAA,aAmHJ,0BhBmsHE,QAAS,aACT,eAAgB,OgB5yHd,wCjB6xHH,6CiBrrHD,2CjBwrHC,MAAA,KiB5xHG,wCACA,MAAA,KAmGJ,4BhB+sHE,cAAe,EgB3yHb,eAAA,OAGA,uBADA,oBjB6xHH,QAAA,aiBnsHC,WAAY,EhBstHZ,cAAe,EgB5yHX,eAAA,OAsFN,6BAAA,0BAjFI,aAAA,EAiFJ,4CjB4sHC,sCiBvxHG,SAAA,SjB0xHH,YAAA,E8BngID,kDAmWE,IAAK,GAvWH,yBACE,yB9B8gIL,cAAA,I8B5/HD,oCAoVE,cAAe,GA1Vf,yBACA,aACA,MAAA,KACA,YAAA,E1BzPF,eAAA,EACQ,aAAA,EJmwIP,YAAA,EACF,OAAA,E8BngIG,mBAAoB,KACtB,WAAA,M9BugID,8B8BngIC,WAAY,EACZ,uBAAA,EHzUA,wBAAA,EAQA,mDACC,cAAA,E3By0IF,uBAAA,I8B//HC,wBAAyB,IChVzB,2BAAA,EACA,0BAAA,EDkVA,YCnVA,WAAA,IACA,cAAA,IDqVA,mBCtVA,WAAA,KACA,cAAA,KD+VF,mBChWE,WAAA,KACA,cAAA,KDuWF,aAsSE,WAAY,KA1SV,cAAA,KAEA,yB9B+/HD,aACF,MAAA,K8Bl+HG,aAAc,KAhBhB,YAAA,MACA,yBE5WA,aF8WE,MAAA,eAFF,cAKI,MAAA,gB9Bu/HH,aAAA,M8B7+HD,4BACA,aAAA,GADF,gBAKI,iBAAA,Q9Bg/HH,aAAA,QCmBD,8B6BhgIM,MAAA,KARN,oC9B0/HC,oC8B5+HG,MAAA,Q9B++HH,iBAAA,Y8B1+HK,6B9B6+HL,MAAA,KCmBD,iC6B5/HQ,MAAA,KAKF,uC9By+HL,uCCmBC,MAAO,KACP,iBAAkB,Y6Bz/HZ,sCAIF,4C9Bu+HL,4CCmBC,MAAO,KACP,iBAAkB,Q6Bv/HZ,wCAxCR,8C9BihIC,8C8Bn+HG,MAAA,K9Bs+HH,iBAAA,YCmBD,+B6Bt/HM,aAAA,KAGA,qCApDN,qC9B2hIC,iBAAA,KCmBD,yC6Bp/HI,iBAAA,KAOE,iCAAA,6B7Bk/HJ,aAAc,Q6B9+HR,oCAiCN,0C9B+7HD,0C8B3xHC,MAAO,KA7LC,iBAAA,QACA,yB7B8+HR,sD6
B5+HU,MAAA,KAKF,4D9By9HP,4DCmBC,MAAO,KACP,iBAAkB,Y6Bz+HV,2DAIF,iE9Bu9HP,iECmBC,MAAO,KACP,iBAAkB,Q6Bv+HV,6D9B09HX,mEADE,mE8B1jIC,MAAO,KA8GP,iBAAA,aAEE,6B9Bi9HL,MAAA,K8B58HG,mC9B+8HH,MAAA,KCmBD,0B6B/9HM,MAAA,KAIA,gCAAA,gC7Bg+HJ,MAAO,K6Bt9HT,0CARQ,0CASN,mD9Bu8HD,mD8Bt8HC,MAAA,KAFF,gBAKI,iBAAA,K9B08HH,aAAA,QCmBD,8B6B19HM,MAAA,QARN,oC9Bo9HC,oC8Bt8HG,MAAA,K9By8HH,iBAAA,Y8Bp8HK,6B9Bu8HL,MAAA,QCmBD,iC6Bt9HQ,MAAA,QAKF,uC9Bm8HL,uCCmBC,MAAO,KACP,iBAAkB,Y6Bn9HZ,sCAIF,4C9Bi8HL,4CCmBC,MAAO,KACP,iBAAkB,Q6Bj9HZ,wCAxCR,8C9B2+HC,8C8B57HG,MAAA,K9B+7HH,iBAAA,YCmBD,+B6B/8HM,aAAA,KAGA,qCArDN,qC9Bq/HC,iBAAA,KCmBD,yC6B78HI,iBAAA,KAME,iCAAA,6B7B48HJ,aAAc,Q6Bx8HR,oCAuCN,0C9Bm5HD,0C8B33HC,MAAO,KAvDC,iBAAA,QAuDV,yBApDU,kE9Bs7HP,aAAA,Q8Bn7HO,0D9Bs7HP,iBAAA,QCmBD,sD6Bt8HU,MAAA,QAKF,4D9Bm7HP,4DCmBC,MAAO,KACP,iBAAkB,Y6Bn8HV,2DAIF,iE9Bi7HP,iECmBC,MAAO,KACP,iBAAkB,Q6Bj8HV,6D9Bo7HX,mEADE,mE8B1hIC,MAAO,KA+GP,iBAAA,aAEE,6B9Bg7HL,MAAA,Q8B36HG,mC9B86HH,MAAA,KCmBD,0B6B97HM,MAAA,QAIA,gCAAA,gC7B+7HJ,MAAO,KgCvkJT,0CH0oBQ,0CGzoBN,mDjCwjJD,mDiCvjJC,MAAA,KAEA,YACA,QAAA,IAAA,KjC2jJD,cAAA,KiChkJC,WAAY,KAQV,iBAAA,QjC2jJH,cAAA,IiCxjJK,eACA,QAAA,ajC4jJL,yBiCxkJC,QAAS,EAAE,IAkBT,MAAA,KjCyjJH,QAAA,SkC5kJC,oBACA,MAAA,KAEA,YlC+kJD,QAAA,akCnlJC,aAAc,EAOZ,OAAA,KAAA,ElC+kJH,cAAA,ICmBD,eiC/lJM,QAAA,OAEA,iBACA,oBACA,SAAA,SACA,MAAA,KACA,QAAA,IAAA,KACA,YAAA,KACA,YAAA,WlCglJL,MAAA,QkC9kJG,gBAAA,KjCimJF,iBAAkB,KiC9lJZ,OAAA,IAAA,MAAA,KPVH,6B3B2lJJ,gCkC7kJG,YAAA,EjCgmJF,uBAAwB,I0BvnJxB,0BAAA,I3BymJD,4BkCxkJG,+BjC2lJF,wBAAyB,IACzB,2BAA4B,IiCxlJxB,uBAFA,uBAGA,0BAFA,0BlC8kJL,QAAA,EkCtkJG,MAAA,QjCylJF,iBAAkB,KAClB,aAAc,KAEhB,sBiCvlJM,4BAFA,4BjC0lJN,yBiCvlJM,+BAFA,+BAGA,QAAA,ElC2kJL,MAAA,KkCloJC,OAAQ,QjCqpJR,iBAAkB,QAClB,aAAc,QiCnlJV,wBAEA,8BADA,8BjColJN,2BiCtlJM,iCjCulJN,iCDZC,MAAA,KkC/jJC,OAAQ,YjCklJR,iBAAkB,KkC7pJd,aAAA,KAEA,oBnC8oJL,uBmC5oJG,QAAA,KAAA,KlC+pJF,UAAW,K0B1pJX,YAAA,U3B4oJD,gCmC3oJG,mClC8pJF,uBAAwB,I0BvqJxB,0BAAA,I3BypJD,+BkC1kJD,kCjC6lJE,wBAAyB,IkC7qJrB,2BAAA,IAEA,oBnC8pJL,uBmC5pJG,QAAA,IAAA,KlC+qJF,UAAW,K0B1qJX,YAAA,I3
B4pJD,gCmC3pJG,mClC8qJF,uBAAwB,I0BvrJxB,0BAAA,I3ByqJD,+BoC3qJD,kCACE,wBAAA,IACA,2BAAA,IAEA,OpC6qJD,aAAA,EoCjrJC,OAAQ,KAAK,EAOX,WAAA,OpC6qJH,WAAA,KCmBD,UmC7rJM,QAAA,OAEA,YACA,eACA,QAAA,apC8qJL,QAAA,IAAA,KoC5rJC,iBAAkB,KnC+sJlB,OAAQ,IAAI,MAAM,KmC5rJd,cAAA,KAnBN,kBpCisJC,kBCmBC,gBAAiB,KmCzrJb,iBAAA,KA3BN,eAAA,kBAkCM,MAAA,MAlCN,mBAAA,sBnC6tJE,MAAO,KmClrJH,mBAEA,yBADA,yBpCqqJL,sBqCltJC,MAAO,KACP,OAAA,YACA,iBAAA,KAEA,OACA,QAAA,OACA,QAAA,KAAA,KAAA,KACA,UAAA,IACA,YAAA,IACA,YAAA,EACA,MAAA,KrCotJD,WAAA,OqChtJG,YAAA,OpCmuJF,eAAgB,SoCjuJZ,cAAA,MrCotJL,cqCltJK,cAKJ,MAAA,KACE,gBAAA,KrC+sJH,OAAA,QqC1sJG,aACA,QAAA,KAOJ,YCtCE,SAAA,StC+uJD,IAAA,KCmBD,eqC7vJM,iBAAA,KALJ,2BD0CF,2BrC4sJC,iBAAA,QCmBD,eqCpwJM,iBAAA,QALJ,2BD8CF,2BrC+sJC,iBAAA,QCmBD,eqC3wJM,iBAAA,QALJ,2BDkDF,2BrCktJC,iBAAA,QCmBD,YqClxJM,iBAAA,QALJ,wBDsDF,wBrCqtJC,iBAAA,QCmBD,eqCzxJM,iBAAA,QALJ,2BD0DF,2BrCwtJC,iBAAA,QCmBD,cqChyJM,iBAAA,QCDJ,0BADF,0BAEE,iBAAA,QAEA,OACA,QAAA,aACA,UAAA,KACA,QAAA,IAAA,IACA,UAAA,KACA,YAAA,IACA,YAAA,EACA,MAAA,KACA,WAAA,OvCqxJD,YAAA,OuClxJC,eAAA,OACE,iBAAA,KvCoxJH,cAAA,KuC/wJG,aACA,QAAA,KAGF,YtCkyJA,SAAU,SsChyJR,IAAA,KAMA,0BvC4wJH,eCmBC,IAAK,EsC7xJD,QAAA,IAAA,IvCgxJL,cuC9wJK,cAKJ,MAAA,KtC4xJA,gBAAiB,KsC1xJf,OAAA,QvC4wJH,+BuCxwJC,4BACE,MAAA,QvC0wJH,iBAAA,KuCtwJG,wBvCywJH,MAAA,MuCrwJG,+BvCwwJH,aAAA,IwCj0JC,uBACA,YAAA,IAEA,WACA,YAAA,KxCo0JD,eAAA,KwCz0JC,cAAe,KvC41Jf,MAAO,QuCn1JL,iBAAA,KAIA,eAbJ,cAcI,MAAA,QxCo0JH,awCl1JC,cAAe,KAmBb,UAAA,KxCk0JH,YAAA,ICmBD,cuCh1JI,iBAAA,QAEA,sBxCi0JH,4BwC31JC,cAAe,KA8Bb,aAAA,KxCg0JH,cAAA,IwC7yJD,sBAfI,UAAA,KxCi0JD,oCwC9zJC,WvCi1JA,YAAa,KuC/0JX,eAAA,KxCi0JH,sBwCvzJD,4BvC00JE,cAAe,KuC90Jb,aAAA,KC5CJ,ezC42JD,cyC32JC,UAAA,MAGA,WACA,QAAA,MACA,QAAA,IACA,cAAA,KrCiLA,YAAA,WACK,iBAAA,KACG,OAAA,IAAA,MAAA,KJ8rJT,cAAA,IyCx3JC,mBAAoB,OAAO,IAAI,YxC24J1B,cAAe,OAAO,IAAI,YwC93J7B,WAAA,OAAA,IAAA,YAKF,iBzC22JD,eCmBC,aAAc,KACd,YAAa,KwCv3JX,mBA1BJ,kBzCk4JC,kByCv2JG,aAAA,QCzBJ,oBACE,QAAA,IACA,MAAA,KAEA,O1Cs4JD,QAAA,K0C14JC,cAAe,KAQb,OAAA,IAAA,MAAA,YAEA,cAAA,IAVJ,UAeI,WAAA,E1Ck4JH,MAAA,QCmBD,
mByC/4JI,YAAA,IArBJ,SAyBI,U1C+3JH,cAAA,ECmBD,WyCx4JE,WAAA,IAFF,mBAAA,mBAMI,cAAA,KAEA,0BACA,0B1Cy3JH,SAAA,S0Cj3JC,IAAK,KCvDL,MAAA,MACA,MAAA,Q3C46JD,e0Ct3JC,MAAO,QClDL,iBAAA,Q3C26JH,aAAA,Q2Cx6JG,kB3C26JH,iBAAA,Q2Cn7JC,2BACA,MAAA,Q3Cu7JD,Y0C73JC,MAAO,QCtDL,iBAAA,Q3Cs7JH,aAAA,Q2Cn7JG,e3Cs7JH,iBAAA,Q2C97JC,wBACA,MAAA,Q3Ck8JD,e0Cp4JC,MAAO,QC1DL,iBAAA,Q3Ci8JH,aAAA,Q2C97JG,kB3Ci8JH,iBAAA,Q2Cz8JC,2BACA,MAAA,Q3C68JD,c0C34JC,MAAO,QC9DL,iBAAA,Q3C48JH,aAAA,Q2Cz8JG,iB3C48JH,iBAAA,Q4C78JC,0BAAQ,MAAA,QACR,wCAAQ,K5Cm9JP,oBAAA,KAAA,E4C/8JD,GACA,oBAAA,EAAA,GACA,mCAAQ,K5Cq9JP,oBAAA,KAAA,E4Cv9JD,GACA,oBAAA,EAAA,GACA,gCAAQ,K5Cq9JP,oBAAA,KAAA,E4C78JD,GACA,oBAAA,EAAA,GAGA,UACA,OAAA,KxCsCA,cAAA,KACQ,SAAA,OJ26JT,iBAAA,Q4C78JC,cAAe,IACf,mBAAA,MAAA,EAAA,IAAA,IAAA,eACA,WAAA,MAAA,EAAA,IAAA,IAAA,eAEA,cACA,MAAA,KACA,MAAA,EACA,OAAA,KACA,UAAA,KxCyBA,YAAA,KACQ,MAAA,KAyHR,WAAA,OACK,iBAAA,QACG,mBAAA,MAAA,EAAA,KAAA,EAAA,gBJ+zJT,WAAA,MAAA,EAAA,KAAA,EAAA,gB4C18JC,mBAAoB,MAAM,IAAI,K3Cq+JzB,cAAe,MAAM,IAAI,K4Cp+J5B,WAAA,MAAA,IAAA,KDEF,sBCAE,gCDAF,iBAAA,yK5C88JD,iBAAA,oK4Cv8JC,iBAAiB,iK3Cm+JjB,wBAAyB,KAAK,KG/gK9B,gBAAA,KAAA,KJy/JD,qBIv/JS,+BwCmDR,kBAAmB,qBAAqB,GAAG,OAAO,SErElD,aAAA,qBAAA,GAAA,OAAA,S9C4gKD,UAAA,qBAAA,GAAA,OAAA,S6Cz9JG,sBACA,iBAAA,Q7C69JH,wC4Cx8JC,iBAAkB,yKEzElB,iBAAA,oK9CohKD,iBAAA,iK6Cj+JG,mBACA,iBAAA,Q7Cq+JH,qC4C58JC,iBAAkB,yKE7ElB,iBAAA,oK9C4hKD,iBAAA,iK6Cz+JG,sBACA,iBAAA,Q7C6+JH,wC4Ch9JC,iBAAkB,yKEjFlB,iBAAA,oK9CoiKD,iBAAA,iK6Cj/JG,qBACA,iBAAA,Q7Cq/JH,uC+C5iKC,iBAAkB,yKAElB,iBAAA,oK/C6iKD,iBAAA,iK+C1iKG,O/C6iKH,WAAA,KC4BD,mB8CnkKE,WAAA,E/C4iKD,O+CxiKD,YACE,SAAA,O/C0iKD,KAAA,E+CtiKC,Y/CyiKD,MAAA,Q+CriKG,c/CwiKH,QAAA,MC4BD,4B8C9jKE,UAAA,KAGF,aAAA,mBAEE,aAAA,KAGF,YAAA,kB9C+jKE,cAAe,K8CxjKjB,YAHE,Y/CoiKD,a+ChiKC,QAAA,W/CmiKD,eAAA,I+C/hKC,c/CkiKD,eAAA,O+C7hKC,cACA,eAAA,OAMF,eACE,WAAA,EACA,cAAA,ICvDF,YAEE,aAAA,EACA,WAAA,KAQF,YACE,aAAA,EACA,cAAA,KAGA,iBACA,SAAA,SACA,QAAA,MhD6kKD,QAAA,KAAA,KgD1kKC,cAAA,KrB3BA,iBAAA,KACC,OAAA,IAAA,MAAA,KqB6BD,6BACE,uBAAA,IrBvBF,wBAAA,I3BsmKD,4BgDpkKC,cAAe,E/CgmKf,2
BAA4B,I+C9lK5B,0BAAA,IAFF,kBAAA,uBAKI,MAAA,KAIF,2CAAA,gD/CgmKA,MAAO,K+C5lKL,wBAFA,wBhDykKH,6BgDxkKG,6BAKF,MAAO,KACP,gBAAA,KACA,iBAAA,QAKA,uB/C4lKA,MAAO,KACP,WAAY,K+CzlKV,0BhDmkKH,gCgDlkKG,gCALF,MAAA,K/CmmKA,OAAQ,YACR,iBAAkB,KDxBnB,mDgD5kKC,yDAAA,yD/CymKA,MAAO,QDxBR,gDgDhkKC,sDAAA,sD/C6lKA,MAAO,K+CzlKL,wBAEA,8BADA,8BhDmkKH,QAAA,EgDxkKC,MAAA,K/ComKA,iBAAkB,QAClB,aAAc,QAEhB,iDDpBC,wDCuBD,uDADA,uD+CzmKE,8DAYI,6D/C4lKN,uD+CxmKE,8D/C2mKF,6DAKE,MAAO,QDxBR,8CiD1qKG,oDADF,oDAEE,MAAA,QAEA,yBhDusKF,MAAO,QgDrsKH,iBAAA,QAFF,0BAAA,+BAKI,MAAA,QAGF,mDAAA,wDhDwsKJ,MAAO,QDtBR,gCiDhrKO,gCAGF,qCAFE,qChD2sKN,MAAO,QACP,iBAAkB,QAEpB,iCgDvsKQ,uCAFA,uChD0sKR,sCDtBC,4CiDnrKO,4CArBN,MAAA,KACE,iBAAA,QACA,aAAA,QAEA,sBhDouKF,MAAO,QgDluKH,iBAAA,QAFF,uBAAA,4BAKI,MAAA,QAGF,gDAAA,qDhDquKJ,MAAO,QDtBR,6BiD7sKO,6BAGF,kCAFE,kChDwuKN,MAAO,QACP,iBAAkB,QAEpB,8BgDpuKQ,oCAFA,oChDuuKR,mCDtBC,yCiDhtKO,yCArBN,MAAA,KACE,iBAAA,QACA,aAAA,QAEA,yBhDiwKF,MAAO,QgD/vKH,iBAAA,QAFF,0BAAA,+BAKI,MAAA,QAGF,mDAAA,wDhDkwKJ,MAAO,QDtBR,gCiD1uKO,gCAGF,qCAFE,qChDqwKN,MAAO,QACP,iBAAkB,QAEpB,iCgDjwKQ,uCAFA,uChDowKR,sCDtBC,4CiD7uKO,4CArBN,MAAA,KACE,iBAAA,QACA,aAAA,QAEA,wBhD8xKF,MAAO,QgD5xKH,iBAAA,QAFF,yBAAA,8BAKI,MAAA,QAGF,kDAAA,uDhD+xKJ,MAAO,QDtBR,+BiDvwKO,+BAGF,oCAFE,oChDkyKN,MAAO,QACP,iBAAkB,QAEpB,gCgD9xKQ,sCAFA,sChDiyKR,qCDtBC,2CiD1wKO,2CDkGN,MAAO,KACP,iBAAA,QACA,aAAA,QAEF,yBACE,WAAA,EACA,cAAA,IE1HF,sBACE,cAAA,EACA,YAAA,IAEA,O9C0DA,cAAA,KACQ,iBAAA,KJ6uKT,OAAA,IAAA,MAAA,YkDnyKC,cAAe,IACf,mBAAA,EAAA,IAAA,IAAA,gBlDqyKD,WAAA,EAAA,IAAA,IAAA,gBkD/xKC,YACA,QAAA,KvBnBC,e3BuzKF,QAAA,KAAA,KkDtyKC,cAAe,IAAI,MAAM,YAMvB,uBAAA,IlDmyKH,wBAAA,IkD7xKC,0CACA,MAAA,QAEA,alDgyKD,WAAA,EkDpyKC,cAAe,EjDg0Kf,UAAW,KACX,MAAO,QDtBR,oBkD1xKC,sBjDkzKF,eiDxzKI,mBAKJ,qBAEE,MAAA,QvBvCA,cACC,QAAA,KAAA,K3Bs0KF,iBAAA,QkDrxKC,WAAY,IAAI,MAAM,KjDizKtB,2BAA4B,IiD9yK1B,0BAAA,IAHJ,mBAAA,mCAMM,cAAA,ElDwxKL,oCkDnxKG,oDjD+yKF,aAAc,IAAI,EiD7yKZ,cAAA,EvBtEL,4D3B61KF,4EkDjxKG,WAAA,EjD6yKF,uBAAwB,IiD3yKlB,wBAAA,IvBtEL,0D3B21KF,0EkD1yKC,cAAe,EvB1Df,2BAAA,IACC,0BAAA,IuB0FH,+EAEI
,uBAAA,ElD8wKH,wBAAA,EkD1wKC,wDlD6wKD,iBAAA,EC4BD,0BACE,iBAAkB,EiDlyKpB,8BlD0wKC,ckD1wKD,gCjDuyKE,cAAe,EiDvyKjB,sCAQM,sBlDwwKL,wCC4BC,cAAe,K0Br5Kf,aAAA,KuByGF,wDlDqxKC,0BC4BC,uBAAwB,IACxB,wBAAyB,IiDlzK3B,yFAoBQ,yFlDwwKP,2DkDzwKO,2DjDqyKN,uBAAwB,IACxB,wBAAyB,IAK3B,wGiD9zKA,wGjD4zKA,wGDtBC,wGCuBD,0EiD7zKA,0EjD2zKA,0EiDnyKU,0EjD2yKR,uBAAwB,IAK1B,uGiDx0KA,uGjDs0KA,uGDtBC,uGCuBD,yEiDv0KA,yEjDq0KA,yEiDzyKU,yEvB7HR,wBAAA,IuBiGF,sDlDqzKC,yBC4BC,2BAA4B,IAC5B,0BAA2B,IiDxyKrB,qFA1CR,qFAyCQ,wDlDmxKP,wDC4BC,2BAA4B,IAC5B,0BAA2B,IAG7B,oGDtBC,oGCwBD,oGiD91KA,oGjD21KA,uEiD7yKU,uEjD+yKV,uEiD71KA,uEjDm2KE,0BAA2B,IAG7B,mGDtBC,mGCwBD,mGiDx2KA,mGjDq2KA,sEiDnzKU,sEjDqzKV,sEiDv2KA,sEjD62KE,2BAA4B,IiDlzK1B,0BlD2xKH,qCkDt1KD,0BAAA,qCA+DI,WAAA,IAAA,MAAA,KA/DJ,kDAAA,kDAmEI,WAAA,EAnEJ,uBAAA,yCjD23KE,OAAQ,EiDjzKA,+CjDqzKV,+CiD/3KA,+CjDi4KA,+CAEA,+CANA,+CDjBC,iECoBD,iEiDh4KA,iEjDk4KA,iEAEA,iEANA,iEAWE,YAAa,EiD3zKL,8CjD+zKV,8CiD74KA,8CjD+4KA,8CAEA,8CANA,8CDjBC,gECoBD,gEiD94KA,gEjDg5KA,gEAEA,gEANA,gEAWE,aAAc,EAIhB,+CiD35KA,+CjDy5KA,+CiDl0KU,+CjDq0KV,iEiD55KA,iEjD05KA,iEDtBC,iEC6BC,cAAe,EAEjB,8CiDn0KU,8CjDq0KV,8CiDr6KA,8CjDo6KA,gEDtBC,gECwBD,gEiDh0KI,gEACA,cAAA,EAUJ,yBACE,cAAA,ElDmyKD,OAAA,EkD/xKG,aACA,cAAA,KANJ,oBASM,cAAA,ElDkyKL,cAAA,IkD7xKG,2BlDgyKH,WAAA,IC4BD,4BiDxzKM,cAAA,EAKF,wDAvBJ,wDlDqzKC,WAAA,IAAA,MAAA,KkD5xKK,2BlD+xKL,WAAA,EmDlhLC,uDnDqhLD,cAAA,IAAA,MAAA,KmDlhLG,eACA,aAAA,KnDshLH,8BmDxhLC,MAAA,KAMI,iBAAA,QnDqhLL,aAAA,KmDlhLK,0DACA,iBAAA,KAGJ,qCAEI,MAAA,QnDmhLL,iBAAA,KmDpiLC,yDnDuiLD,oBAAA,KmDpiLG,eACA,aAAA,QnDwiLH,8BmD1iLC,MAAA,KAMI,iBAAA,QnDuiLL,aAAA,QmDpiLK,0DACA,iBAAA,QAGJ,qCAEI,MAAA,QnDqiLL,iBAAA,KmDtjLC,yDnDyjLD,oBAAA,QmDtjLG,eACA,aAAA,QnD0jLH,8BmD5jLC,MAAA,QAMI,iBAAA,QnDyjLL,aAAA,QmDtjLK,0DACA,iBAAA,QAGJ,qCAEI,MAAA,QnDujLL,iBAAA,QmDxkLC,yDnD2kLD,oBAAA,QmDxkLG,YACA,aAAA,QnD4kLH,2BmD9kLC,MAAA,QAMI,iBAAA,QnD2kLL,aAAA,QmDxkLK,uDACA,iBAAA,QAGJ,kCAEI,MAAA,QnDykLL,iBAAA,QmD1lLC,sDnD6lLD,oBAAA,QmD1lLG,eACA,aAAA,QnD8lLH,8BmDhmLC,MAAA,QAMI,iBAAA,QnD6lLL,aAAA,QmD1lLK,0DACA,iBAAA,QAGJ,qCAEI,MAA
A,QnD2lLL,iBAAA,QmD5mLC,yDnD+mLD,oBAAA,QmD5mLG,cACA,aAAA,QnDgnLH,6BmDlnLC,MAAA,QAMI,iBAAA,QnD+mLL,aAAA,QmD5mLK,yDACA,iBAAA,QAGJ,oCAEI,MAAA,QnD6mLL,iBAAA,QoD5nLC,wDACA,oBAAA,QAEA,kBACA,SAAA,SpD+nLD,QAAA,MoDpoLC,OAAQ,EnDgqLR,QAAS,EACT,SAAU,OAEZ,yCmDtpLI,wBADA,yBAEA,yBACA,wBACA,SAAA,SACA,IAAA,EACA,OAAA,EpD+nLH,KAAA,EoD1nLC,MAAO,KACP,OAAA,KpD4nLD,OAAA,EoDvnLC,wBpD0nLD,eAAA,OqDppLC,uBACA,eAAA,IAEA,MACA,WAAA,KACA,QAAA,KjDwDA,cAAA,KACQ,iBAAA,QJgmLT,OAAA,IAAA,MAAA,QqD/pLC,cAAe,IASb,mBAAA,MAAA,EAAA,IAAA,IAAA,gBACA,WAAA,MAAA,EAAA,IAAA,IAAA,gBAKJ,iBACE,aAAA,KACA,aAAA,gBAEF,SACE,QAAA,KACA,cAAA,ICtBF,SACE,QAAA,IACA,cAAA,IAEA,OACA,MAAA,MACA,UAAA,KjCRA,YAAA,IAGA,YAAA,ErBqrLD,MAAA,KsD7qLC,YAAA,EAAA,IAAA,EAAA,KrDysLA,OAAQ,kBqDvsLN,QAAA,GjCbF,aiCeE,ajCZF,MAAA,KrB6rLD,gBAAA,KsDzqLC,OAAA,QACE,OAAA,kBACA,QAAA,GAEA,aACA,mBAAA,KtD2qLH,QAAA,EuDhsLC,OAAQ,QACR,WAAA,IvDksLD,OAAA,EuD7rLC,YACA,SAAA,OAEA,OACA,SAAA,MACA,IAAA,EACA,MAAA,EACA,OAAA,EACA,KAAA,EAIA,QAAA,KvD6rLD,QAAA,KuD1rLC,SAAA,OnD+GA,2BAAA,MACI,QAAA,EAEI,0BAkER,mBAAA,kBAAA,IAAA,SAEK,cAAA,aAAA,IAAA,SACG,WAAA,UAAA,IAAA,SJ6gLT,kBAAA,kBuDhsLC,cAAA,kBnD2GA,aAAA,kBACI,UAAA,kBAEI,wBJwlLT,kBAAA,euDpsLK,cAAe,eACnB,aAAA,eACA,UAAA,eAIF,mBACE,WAAA,OACA,WAAA,KvDqsLD,cuDhsLC,SAAU,SACV,MAAA,KACA,OAAA,KAEA,eACA,SAAA,SnDaA,iBAAA,KACQ,wBAAA,YmDZR,gBAAA,YtD4tLA,OsD5tLA,IAAA,MAAA,KAEA,OAAA,IAAA,MAAA,evDksLD,cAAA,IuD9rLC,QAAS,EACT,mBAAA,EAAA,IAAA,IAAA,eACA,WAAA,EAAA,IAAA,IAAA,eAEA,gBACA,SAAA,MACA,IAAA,EACA,MAAA,EvDgsLD,OAAA,EuD9rLC,KAAA,ElCrEA,QAAA,KAGA,iBAAA,KkCmEA,qBlCtEA,OAAA,iBAGA,QAAA,EkCwEF,mBACE,OAAA,kBACA,QAAA,GAIF,cACE,QAAA,KvDgsLD,cAAA,IAAA,MAAA,QuD3rLC,qBACA,WAAA,KAKF,aACE,OAAA,EACA,YAAA,WAIF,YACE,SAAA,SACA,QAAA,KvD0rLD,cuD5rLC,QAAS,KAQP,WAAA,MACA,WAAA,IAAA,MAAA,QATJ,wBAaI,cAAA,EvDsrLH,YAAA,IuDlrLG,mCvDqrLH,YAAA,KuD/qLC,oCACA,YAAA,EAEA,yBACA,SAAA,SvDkrLD,IAAA,QuDhqLC,MAAO,KAZP,OAAA,KACE,SAAA,OvDgrLD,yBuD7qLD,cnDvEA,MAAA,MACQ,OAAA,KAAA,KmD2ER,eAAY,mBAAA,EAAA,IAAA,KAAA,evD+qLX,WAAA,EAAA,IAAA,KAAA,euDzqLD,UAFA,MAAA,OvDirLD,yBwD/zLC,UACA,MAAA,OCNA
,SAEA,SAAA,SACA,QAAA,KACA,QAAA,MACA,YAAA,iBAAA,UAAA,MAAA,WACA,UAAA,KACA,WAAA,OACA,YAAA,IACA,YAAA,WACA,WAAA,KACA,WAAA,MACA,gBAAA,KACA,YAAA,KACA,eAAA,KACA,eAAA,ODHA,WAAA,OnCVA,aAAA,OAGA,UAAA,OrBs1LD,YAAA,OwD30LC,OAAA,iBnCdA,QAAA,ErB61LD,WAAA,KwD90LY,YAAmB,OAAA,kBxDk1L/B,QAAA,GwDj1LY,aAAmB,QAAA,IAAA,ExDq1L/B,WAAA,KwDp1LY,eAAmB,QAAA,EAAA,IxDw1L/B,YAAA,IwDv1LY,gBAAmB,QAAA,IAAA,ExD21L/B,WAAA,IwDt1LC,cACA,QAAA,EAAA,IACA,YAAA,KAEA,eACA,UAAA,MxDy1LD,QAAA,IAAA,IwDr1LC,MAAO,KACP,WAAA,OACA,iBAAA,KACA,cAAA,IAEA,exDu1LD,SAAA,SwDn1LC,MAAA,EACE,OAAA,EACA,aAAA,YACA,aAAA,MAEA,4BxDq1LH,OAAA,EwDn1LC,KAAA,IACE,YAAA,KACA,aAAA,IAAA,IAAA,EACA,iBAAA,KAEA,iCxDq1LH,MAAA,IwDn1LC,OAAA,EACE,cAAA,KACA,aAAA,IAAA,IAAA,EACA,iBAAA,KAEA,kCxDq1LH,OAAA,EwDn1LC,KAAA,IACE,cAAA,KACA,aAAA,IAAA,IAAA,EACA,iBAAA,KAEA,8BxDq1LH,IAAA,IwDn1LC,KAAA,EACE,WAAA,KACA,aAAA,IAAA,IAAA,IAAA,EACA,mBAAA,KAEA,6BxDq1LH,IAAA,IwDn1LC,MAAA,EACE,WAAA,KACA,aAAA,IAAA,EAAA,IAAA,IACA,kBAAA,KAEA,+BxDq1LH,IAAA,EwDn1LC,KAAA,IACE,YAAA,KACA,aAAA,EAAA,IAAA,IACA,oBAAA,KAEA,oCxDq1LH,IAAA,EwDn1LC,MAAA,IACE,WAAA,KACA,aAAA,EAAA,IAAA,IACA,oBAAA,KAEA,qCxDq1LH,IAAA,E0Dl7LC,KAAM,IACN,WAAA,KACA,aAAA,EAAA,IAAA,IACA,oBAAA,KAEA,SACA,SAAA,SACA,IAAA,EDXA,KAAA,EAEA,QAAA,KACA,QAAA,KACA,UAAA,MACA,QAAA,IACA,YAAA,iBAAA,UAAA,MAAA,WACA,UAAA,KACA,WAAA,OACA,YAAA,IACA,YAAA,WACA,WAAA,KACA,WAAA,MACA,gBAAA,KACA,YAAA,KACA,eAAA,KCAA,eAAA,OAEA,WAAA,OACA,aAAA,OAAA,UAAA,OACA,YAAA,OACA,iBAAA,KACA,wBAAA,YtD8CA,gBAAA,YACQ,OAAA,IAAA,MAAA,KJk5LT,OAAA,IAAA,MAAA,e0D77LC,cAAA,IAAY,mBAAA,EAAA,IAAA,KAAA,e1Dg8Lb,WAAA,EAAA,IAAA,KAAA,e0D/7La,WAAA,KACZ,aAAY,WAAA,MACZ,eAAY,YAAA,KAGd,gBACE,WAAA,KAEA,cACA,YAAA,MAEA,e1Dq8LD,QAAA,IAAA,K0Dl8LC,OAAQ,EACR,UAAA,K1Do8LD,iBAAA,Q0D57LC,cAAA,IAAA,MAAA,QzDy9LA,cAAe,IAAI,IAAI,EAAE,EyDt9LvB,iBACA,QAAA,IAAA,KAEA,gBACA,sB1D87LH,SAAA,S0D37LC,QAAS,MACT,MAAA,E1D67LD,OAAA,E0D37LC,aAAc,YACd,aAAA,M1D87LD,gB0Dz7LC,aAAA,KAEE,sBACA,QAAA,GACA,aAAA,KAEA,oB1D27LH,OAAA,M0D17LG,KAAA,IACE,YAAA,MACA,iBAAA,KACA,iBAAA,gBACA,oBAAA,E1D67LL,0B0Dz7LC,OAAA,IACE,YAAA,MACA,QAAA,
IACA,iBAAA,KACA,oBAAA,EAEA,sB1D27LH,IAAA,I0D17LG,KAAA,MACE,WAAA,MACA,mBAAA,KACA,mBAAA,gBACA,kBAAA,E1D67LL,4B0Dz7LC,OAAA,MACE,KAAA,IACA,QAAA,IACA,mBAAA,KACA,kBAAA,EAEA,uB1D27LH,IAAA,M0D17LG,KAAA,IACE,YAAA,MACA,iBAAA,EACA,oBAAA,KACA,oBAAA,gB1D67LL,6B0Dx7LC,IAAA,IACE,YAAA,MACA,QAAA,IACA,iBAAA,EACA,oBAAA,KAEA,qB1D07LH,IAAA,I0Dz7LG,MAAA,MACE,WAAA,MACA,mBAAA,EACA,kBAAA,KACA,kBAAA,gB1D47LL,2B2DpjMC,MAAO,IACP,OAAA,M3DsjMD,QAAA,I2DnjMC,mBAAoB,EACpB,kBAAA,KAEA,U3DqjMD,SAAA,S2DljMG,gBACA,SAAA,SvD6KF,MAAA,KACK,SAAA,OJ04LN,sB2D/jMC,SAAU,S1D4lMV,QAAS,K0D9kML,mBAAA,IAAA,YAAA,K3DqjML,cAAA,IAAA,YAAA,K2D3hMC,WAAA,IAAA,YAAA,KvDmKK,4BAFL,0BAGQ,YAAA,EA3JA,qDA+GR,sBAEQ,mBAAA,kBAAA,IAAA,YJ86LP,cAAA,aAAA,IAAA,Y2DzjMG,WAAA,UAAA,IAAA,YvDmHJ,4BAAA,OACQ,oBAAA,OuDjHF,oBAAA,O3D4jML,YAAA,OI58LD,mCHs+LA,2BGr+LQ,KAAA,EuD5GF,kBAAA,sB3D6jML,UAAA,sBC2BD,kCADA,2BG5+LA,KAAA,EACQ,kBAAA,uBuDtGF,UAAA,uBArCN,6B3DomMD,gC2DpmMC,iC1D+nME,KAAM,E0DllMN,kBAAA,mB3D4jMH,UAAA,oBAGA,wB2D5mMD,sBAAA,sBAsDI,QAAA,MAEA,wB3D0jMH,KAAA,E2DtjMG,sB3DyjMH,sB2DrnMC,SAAU,SA+DR,IAAA,E3DyjMH,MAAA,KC0BD,sB0D/kMI,KAAA,KAnEJ,sBAuEI,KAAA,MAvEJ,2BA0EI,4B3DwjMH,KAAA,E2D/iMC,6BACA,KAAA,MAEA,8BACA,KAAA,KtC3FA,kBsC6FA,SAAA,SACA,IAAA,EACA,OAAA,EACA,KAAA,EACA,MAAA,I3DmjMD,UAAA,K2D9iMC,MAAA,KdnGE,WAAA,OACA,YAAA,EAAA,IAAA,IAAA,eACA,iBAAA,cAAA,OAAA,kBACA,QAAA,G7CqpMH,uB2DljMC,iBAAA,sEACE,iBAAA,iEACA,iBAAA,uFdxGA,iBAAA,kEACA,OAAA,+GACA,kBAAA,SACA,wBACA,MAAA,E7C6pMH,KAAA,K2DpjMC,iBAAA,sE1DglMA,iBAAiB,iE0D9kMf,iBAAA,uFACA,iBAAA,kEACA,OAAA,+GtCvHF,kBAAA,SsCyFF,wB3DslMC,wBC4BC,MAAO,KACP,gBAAiB,KACjB,OAAQ,kB0D7kMN,QAAA,EACA,QAAA,G3DwjMH,0C2DhmMD,2CA2CI,6BADA,6B1DklMF,SAAU,S0D7kMR,IAAA,IACA,QAAA,E3DqjMH,QAAA,a2DrmMC,WAAY,MAqDV,0CADA,6B3DsjMH,KAAA,I2D1mMC,YAAa,MA0DX,2CADA,6BAEA,MAAA,IACA,aAAA,MAME,6BADF,6B3DmjMH,MAAA,K2D9iMG,OAAA,KACE,YAAA,M3DgjML,YAAA,E2DriMC,oCACA,QAAA,QAEA,oCACA,QAAA,QAEA,qBACA,SAAA,SACA,OAAA,K3DwiMD,KAAA,I2DjjMC,QAAS,GAYP,MAAA,IACA,aAAA,EACA,YAAA,KACA,WAAA,OACA,WAAA,KAEA,wBACA,QAAA,aAWA,MAAA,KACA,OAAA,K3D8hMH,OAAA,I2D7jMC,YAAa,OAkCX
,OAAA,QACA,iBAAA,OACA,iBAAA,cACA,OAAA,IAAA,MAAA,K3D8hMH,cAAA,K2DthMC,6BACA,MAAA,KACA,OAAA,KACA,OAAA,EACA,iBAAA,KAEA,kBACA,SAAA,SACA,MAAA,IACA,OAAA,K3DyhMD,KAAA,I2DxhMC,QAAA,GACE,YAAA,K3D0hMH,eAAA,K2Dj/LC,MAAO,KAhCP,WAAA,O1D8iMA,YAAa,EAAE,IAAI,IAAI,eAEzB,uB0D3iMM,YAAA,KAEA,oCACA,0C3DmhMH,2C2D3hMD,6BAAA,6BAYI,MAAA,K3DmhMH,OAAA,K2D/hMD,WAAA,M1D2jME,UAAW,KDxBZ,0C2D9gMD,6BACE,YAAA,MAEA,2C3DghMD,6B2D5gMD,aAAA,M3D+gMC,kBACF,MAAA,I4D7wMC,KAAA,I3DyyME,eAAgB,KAElB,qBACE,OAAQ,MAkBZ,qCADA,sCADA,mBADA,oBAXA,gBADA,iBAOA,uBADA,wBADA,iBADA,kBADA,wBADA,yBASA,mCADA,oC2DpzME,oBAAA,qBAAA,oBAAA,qB3D2zMF,WADA,YAOA,uBADA,wBADA,qBADA,sBADA,cADA,e2D/zMI,a3Dq0MJ,cDvBC,kB4D7yMG,mB3DqzMJ,WADA,YAwBE,QAAS,MACT,QAAS,IASX,qCADA,mBANA,gBAGA,uBADA,iBADA,wBAIA,mCDhBC,oB6D/0MC,oB5Dk2MF,W+B51MA,uBhCo0MC,qB4D5zMG,cChBF,aACA,kB5D+1MF,W+Br1ME,MAAO,KhCy0MR,cgCt0MC,QAAS,MACT,aAAA,KhCw0MD,YAAA,KgC/zMC,YhCk0MD,MAAA,gBgC/zMC,WhCk0MD,MAAA,egC/zMC,MhCk0MD,QAAA,e8Dz1MC,MACA,QAAA,gBAEA,WACA,WAAA,O9B8BF,WACE,KAAA,EAAA,EAAA,EhCg0MD,MAAA,YgCzzMC,YAAa,KACb,iBAAA,YhC2zMD,OAAA,E+D31MC,Q/D81MD,QAAA,eC4BD,OACE,SAAU,M+Dn4MV,chE42MD,MAAA,aC+BD,YADA,YADA,YADA,YAIE,QAAS,e+Dp5MT,kBhEs4MC,mBgEr4MD,yBhEi4MD,kB+Dl1MD,mBA6IA,yB9D4tMA,kBACA,mB8Dj3ME,yB9D62MF,kBACA,mBACA,yB+Dv5MY,QAAA,eACV,yBAAU,YhE04MT,QAAA,gBC4BD,iB+Dp6MU,QAAA,gBhE64MX,c+D51MG,QAAS,oB/Dg2MV,c+Dl2MC,c/Dm2MH,QAAA,sB+D91MG,yB/Dk2MD,kBACF,QAAA,iB+D91MG,yB/Dk2MD,mBACF,QAAA,kBgEh6MC,yBhEo6MC,yBgEn6MD,QAAA,wBACA,+CAAU,YhEw6MT,QAAA,gBC4BD,iB+Dl8MU,QAAA,gBhE26MX,c+Dr2MG,QAAS,oB/Dy2MV,c+D32MC,c/D42MH,QAAA,sB+Dv2MG,+C/D22MD,kBACF,QAAA,iB+Dv2MG,+C/D22MD,mBACF,QAAA,kBgE97MC,+ChEk8MC,yBgEj8MD,QAAA,wBACA,gDAAU,YhEs8MT,QAAA,gBC4BD,iB+Dh+MU,QAAA,gBhEy8MX,c+D92MG,QAAS,oB/Dk3MV,c+Dp3MC,c/Dq3MH,QAAA,sB+Dh3MG,gD/Do3MD,kBACF,QAAA,iB+Dh3MG,gD/Do3MD,mBACF,QAAA,kBgE59MC,gDhEg+MC,yBgE/9MD,QAAA,wBACA,0BAAU,YhEo+MT,QAAA,gBC4BD,iB+D9/MU,QAAA,gBhEu+MX,c+Dv3MG,QAAS,oB/D23MV,c+D73MC,c/D83MH,QAAA,sB+Dz3MG,0B/D63MD,kBACF,QAAA,iB+Dz3MG,0B/D63MD,mBACF,QAAA,kBgEl/MC,0BhEs/MC,yBACF,QAAA,wBgEv/MC,yBhE2
/MC,WACF,QAAA,gBgE5/MC,+ChEggNC,WACF,QAAA,gBgEjgNC,gDhEqgNC,WACF,QAAA,gBAGA,0B+Dh3MC,WA4BE,QAAS,gBC5LX,eAAU,QAAA,eACV,aAAU,ehEyhNT,QAAA,gBC4BD,oB+DnjNU,QAAA,gBhE4hNX,iB+D93MG,QAAS,oBAMX,iB/D23MD,iB+Dt2MG,QAAS,sB/D22MZ,qB+D/3MC,QAAS,e/Dk4MV,a+D53MC,qBAcE,QAAS,iB/Dm3MZ,sB+Dh4MC,QAAS,e/Dm4MV,a+D73MC,sBAOE,QAAS,kB/D23MZ,4B+D53MC,QAAS,eCpLT,ahEojNC,4BACF,QAAA,wBC6BD,aACE,cACE,QAAS","sourcesContent":["/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */\n\n//\n// 1. Set default font family to sans-serif.\n// 2. Prevent iOS and IE text size adjust after device orientation change,\n// without disabling user zoom.\n//\n\nhtml {\n font-family: sans-serif; // 1\n -ms-text-size-adjust: 100%; // 2\n -webkit-text-size-adjust: 100%; // 2\n}\n\n//\n// Remove default margin.\n//\n\nbody {\n margin: 0;\n}\n\n// HTML5 display definitions\n// ==========================================================================\n\n//\n// Correct `block` display not defined for any HTML5 element in IE 8/9.\n// Correct `block` display not defined for `details` or `summary` in IE 10/11\n// and Firefox.\n// Correct `block` display not defined for `main` in IE 11.\n//\n\narticle,\naside,\ndetails,\nfigcaption,\nfigure,\nfooter,\nheader,\nhgroup,\nmain,\nmenu,\nnav,\nsection,\nsummary {\n display: block;\n}\n\n//\n// 1. Correct `inline-block` display not defined in IE 8/9.\n// 2. 
Normalize vertical alignment of `progress` in Chrome, Firefox, and Opera.\n//\n\naudio,\ncanvas,\nprogress,\nvideo {\n display: inline-block; // 1\n vertical-align: baseline; // 2\n}\n\n//\n// Prevent modern browsers from displaying `audio` without controls.\n// Remove excess height in iOS 5 devices.\n//\n\naudio:not([controls]) {\n display: none;\n height: 0;\n}\n\n//\n// Address `[hidden]` styling not present in IE 8/9/10.\n// Hide the `template` element in IE 8/9/10/11, Safari, and Firefox < 22.\n//\n\n[hidden],\ntemplate {\n display: none;\n}\n\n// Links\n// ==========================================================================\n\n//\n// Remove the gray background color from active links in IE 10.\n//\n\na {\n background-color: transparent;\n}\n\n//\n// Improve readability of focused elements when they are also in an\n// active/hover state.\n//\n\na:active,\na:hover {\n outline: 0;\n}\n\n// Text-level semantics\n// ==========================================================================\n\n//\n// Address styling not present in IE 8/9/10/11, Safari, and Chrome.\n//\n\nabbr[title] {\n border-bottom: 1px dotted;\n}\n\n//\n// Address style set to `bolder` in Firefox 4+, Safari, and Chrome.\n//\n\nb,\nstrong {\n font-weight: bold;\n}\n\n//\n// Address styling not present in Safari and Chrome.\n//\n\ndfn {\n font-style: italic;\n}\n\n//\n// Address variable `h1` font-size and margin within `section` and `article`\n// contexts in Firefox 4+, Safari, and Chrome.\n//\n\nh1 {\n font-size: 2em;\n margin: 0.67em 0;\n}\n\n//\n// Address styling not present in IE 8/9.\n//\n\nmark {\n background: #ff0;\n color: #000;\n}\n\n//\n// Address inconsistent and variable font size in all browsers.\n//\n\nsmall {\n font-size: 80%;\n}\n\n//\n// Prevent `sub` and `sup` affecting `line-height` in all browsers.\n//\n\nsub,\nsup {\n font-size: 75%;\n line-height: 0;\n position: relative;\n vertical-align: baseline;\n}\n\nsup {\n top: -0.5em;\n}\n\nsub {\n bottom: -0.25em;\n}\n\n// 
Embedded content\n// ==========================================================================\n\n//\n// Remove border when inside `a` element in IE 8/9/10.\n//\n\nimg {\n border: 0;\n}\n\n//\n// Correct overflow not hidden in IE 9/10/11.\n//\n\nsvg:not(:root) {\n overflow: hidden;\n}\n\n// Grouping content\n// ==========================================================================\n\n//\n// Address margin not present in IE 8/9 and Safari.\n//\n\nfigure {\n margin: 1em 40px;\n}\n\n//\n// Address differences between Firefox and other browsers.\n//\n\nhr {\n box-sizing: content-box;\n height: 0;\n}\n\n//\n// Contain overflow in all browsers.\n//\n\npre {\n overflow: auto;\n}\n\n//\n// Address odd `em`-unit font size rendering in all browsers.\n//\n\ncode,\nkbd,\npre,\nsamp {\n font-family: monospace, monospace;\n font-size: 1em;\n}\n\n// Forms\n// ==========================================================================\n\n//\n// Known limitation: by default, Chrome and Safari on OS X allow very limited\n// styling of `select`, unless a `border` property is set.\n//\n\n//\n// 1. Correct color not being inherited.\n// Known issue: affects color of disabled elements.\n// 2. Correct font properties not being inherited.\n// 3. Address margins set differently in Firefox 4+, Safari, and Chrome.\n//\n\nbutton,\ninput,\noptgroup,\nselect,\ntextarea {\n color: inherit; // 1\n font: inherit; // 2\n margin: 0; // 3\n}\n\n//\n// Address `overflow` set to `hidden` in IE 8/9/10/11.\n//\n\nbutton {\n overflow: visible;\n}\n\n//\n// Address inconsistent `text-transform` inheritance for `button` and `select`.\n// All other form control elements do not inherit `text-transform` values.\n// Correct `button` style inheritance in Firefox, IE 8/9/10/11, and Opera.\n// Correct `select` style inheritance in Firefox.\n//\n\nbutton,\nselect {\n text-transform: none;\n}\n\n//\n// 1. Avoid the WebKit bug in Android 4.0.* where (2) destroys native `audio`\n// and `video` controls.\n// 2. 
Correct inability to style clickable `input` types in iOS.\n// 3. Improve usability and consistency of cursor style between image-type\n// `input` and others.\n//\n\nbutton,\nhtml input[type=\"button\"], // 1\ninput[type=\"reset\"],\ninput[type=\"submit\"] {\n -webkit-appearance: button; // 2\n cursor: pointer; // 3\n}\n\n//\n// Re-set default cursor for disabled elements.\n//\n\nbutton[disabled],\nhtml input[disabled] {\n cursor: default;\n}\n\n//\n// Remove inner padding and border in Firefox 4+.\n//\n\nbutton::-moz-focus-inner,\ninput::-moz-focus-inner {\n border: 0;\n padding: 0;\n}\n\n//\n// Address Firefox 4+ setting `line-height` on `input` using `!important` in\n// the UA stylesheet.\n//\n\ninput {\n line-height: normal;\n}\n\n//\n// It's recommended that you don't attempt to style these elements.\n// Firefox's implementation doesn't respect box-sizing, padding, or width.\n//\n// 1. Address box sizing set to `content-box` in IE 8/9/10.\n// 2. Remove excess padding in IE 8/9/10.\n//\n\ninput[type=\"checkbox\"],\ninput[type=\"radio\"] {\n box-sizing: border-box; // 1\n padding: 0; // 2\n}\n\n//\n// Fix the cursor style for Chrome's increment/decrement buttons. For certain\n// `font-size` values of the `input`, it causes the cursor style of the\n// decrement button to change from `default` to `text`.\n//\n\ninput[type=\"number\"]::-webkit-inner-spin-button,\ninput[type=\"number\"]::-webkit-outer-spin-button {\n height: auto;\n}\n\n//\n// 1. Address `appearance` set to `searchfield` in Safari and Chrome.\n// 2. 
Address `box-sizing` set to `border-box` in Safari and Chrome.\n//\n\ninput[type=\"search\"] {\n -webkit-appearance: textfield; // 1\n box-sizing: content-box; //2\n}\n\n//\n// Remove inner padding and search cancel button in Safari and Chrome on OS X.\n// Safari (but not Chrome) clips the cancel button when the search input has\n// padding (and `textfield` appearance).\n//\n\ninput[type=\"search\"]::-webkit-search-cancel-button,\ninput[type=\"search\"]::-webkit-search-decoration {\n -webkit-appearance: none;\n}\n\n//\n// Define consistent border, margin, and padding.\n//\n\nfieldset {\n border: 1px solid #c0c0c0;\n margin: 0 2px;\n padding: 0.35em 0.625em 0.75em;\n}\n\n//\n// 1. Correct `color` not being inherited in IE 8/9/10/11.\n// 2. Remove padding so people aren't caught out if they zero out fieldsets.\n//\n\nlegend {\n border: 0; // 1\n padding: 0; // 2\n}\n\n//\n// Remove default vertical scrollbar in IE 8/9/10/11.\n//\n\ntextarea {\n overflow: auto;\n}\n\n//\n// Don't inherit the `font-weight` (applied by a rule above).\n// NOTE: the default cannot safely be changed in Chrome and Safari on OS X.\n//\n\noptgroup {\n font-weight: bold;\n}\n\n// Tables\n// ==========================================================================\n\n//\n// Remove most spacing between table cells.\n//\n\ntable {\n border-collapse: collapse;\n border-spacing: 0;\n}\n\ntd,\nth {\n padding: 0;\n}\n","/*! 
Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */\n\n// ==========================================================================\n// Print styles.\n// Inlined to avoid the additional HTTP request: h5bp.com/r\n// ==========================================================================\n\n@media print {\n *,\n *:before,\n *:after {\n background: transparent !important;\n color: #000 !important; // Black prints faster: h5bp.com/s\n box-shadow: none !important;\n text-shadow: none !important;\n }\n\n a,\n a:visited {\n text-decoration: underline;\n }\n\n a[href]:after {\n content: \" (\" attr(href) \")\";\n }\n\n abbr[title]:after {\n content: \" (\" attr(title) \")\";\n }\n\n // Don't show links that are fragment identifiers,\n // or use the `javascript:` pseudo protocol\n a[href^=\"#\"]:after,\n a[href^=\"javascript:\"]:after {\n content: \"\";\n }\n\n pre,\n blockquote {\n border: 1px solid #999;\n page-break-inside: avoid;\n }\n\n thead {\n display: table-header-group; // h5bp.com/t\n }\n\n tr,\n img {\n page-break-inside: avoid;\n }\n\n img {\n max-width: 100% !important;\n }\n\n p,\n h2,\n h3 {\n orphans: 3;\n widows: 3;\n }\n\n h2,\n h3 {\n page-break-after: avoid;\n }\n\n // Bootstrap specific changes start\n\n // Bootstrap components\n .navbar {\n display: none;\n }\n .btn,\n .dropup > .btn {\n > .caret {\n border-top-color: #000 !important;\n }\n }\n .label {\n border: 1px solid #000;\n }\n\n .table {\n border-collapse: collapse !important;\n\n td,\n th {\n background-color: #fff !important;\n }\n }\n .table-bordered {\n th,\n td {\n border: 1px solid #ddd !important;\n }\n }\n\n // Bootstrap specific changes end\n}\n","/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n * Copyright 2011-2017 Twitter, Inc.\n * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)\n */\n/*! 
normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */\nhtml {\n font-family: sans-serif;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n}\nbody {\n margin: 0;\n}\narticle,\naside,\ndetails,\nfigcaption,\nfigure,\nfooter,\nheader,\nhgroup,\nmain,\nmenu,\nnav,\nsection,\nsummary {\n display: block;\n}\naudio,\ncanvas,\nprogress,\nvideo {\n display: inline-block;\n vertical-align: baseline;\n}\naudio:not([controls]) {\n display: none;\n height: 0;\n}\n[hidden],\ntemplate {\n display: none;\n}\na {\n background-color: transparent;\n}\na:active,\na:hover {\n outline: 0;\n}\nabbr[title] {\n border-bottom: 1px dotted;\n}\nb,\nstrong {\n font-weight: bold;\n}\ndfn {\n font-style: italic;\n}\nh1 {\n font-size: 2em;\n margin: 0.67em 0;\n}\nmark {\n background: #ff0;\n color: #000;\n}\nsmall {\n font-size: 80%;\n}\nsub,\nsup {\n font-size: 75%;\n line-height: 0;\n position: relative;\n vertical-align: baseline;\n}\nsup {\n top: -0.5em;\n}\nsub {\n bottom: -0.25em;\n}\nimg {\n border: 0;\n}\nsvg:not(:root) {\n overflow: hidden;\n}\nfigure {\n margin: 1em 40px;\n}\nhr {\n box-sizing: content-box;\n height: 0;\n}\npre {\n overflow: auto;\n}\ncode,\nkbd,\npre,\nsamp {\n font-family: monospace, monospace;\n font-size: 1em;\n}\nbutton,\ninput,\noptgroup,\nselect,\ntextarea {\n color: inherit;\n font: inherit;\n margin: 0;\n}\nbutton {\n overflow: visible;\n}\nbutton,\nselect {\n text-transform: none;\n}\nbutton,\nhtml input[type=\"button\"],\ninput[type=\"reset\"],\ninput[type=\"submit\"] {\n -webkit-appearance: button;\n cursor: pointer;\n}\nbutton[disabled],\nhtml input[disabled] {\n cursor: default;\n}\nbutton::-moz-focus-inner,\ninput::-moz-focus-inner {\n border: 0;\n padding: 0;\n}\ninput {\n line-height: normal;\n}\ninput[type=\"checkbox\"],\ninput[type=\"radio\"] {\n box-sizing: border-box;\n padding: 0;\n}\ninput[type=\"number\"]::-webkit-inner-spin-button,\ninput[type=\"number\"]::-webkit-outer-spin-button {\n height: 
auto;\n}\ninput[type=\"search\"] {\n -webkit-appearance: textfield;\n box-sizing: content-box;\n}\ninput[type=\"search\"]::-webkit-search-cancel-button,\ninput[type=\"search\"]::-webkit-search-decoration {\n -webkit-appearance: none;\n}\nfieldset {\n border: 1px solid #c0c0c0;\n margin: 0 2px;\n padding: 0.35em 0.625em 0.75em;\n}\nlegend {\n border: 0;\n padding: 0;\n}\ntextarea {\n overflow: auto;\n}\noptgroup {\n font-weight: bold;\n}\ntable {\n border-collapse: collapse;\n border-spacing: 0;\n}\ntd,\nth {\n padding: 0;\n}\n/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */\n@media print {\n *,\n *:before,\n *:after {\n background: transparent !important;\n color: #000 !important;\n box-shadow: none !important;\n text-shadow: none !important;\n }\n a,\n a:visited {\n text-decoration: underline;\n }\n a[href]:after {\n content: \" (\" attr(href) \")\";\n }\n abbr[title]:after {\n content: \" (\" attr(title) \")\";\n }\n a[href^=\"#\"]:after,\n a[href^=\"javascript:\"]:after {\n content: \"\";\n }\n pre,\n blockquote {\n border: 1px solid #999;\n page-break-inside: avoid;\n }\n thead {\n display: table-header-group;\n }\n tr,\n img {\n page-break-inside: avoid;\n }\n img {\n max-width: 100% !important;\n }\n p,\n h2,\n h3 {\n orphans: 3;\n widows: 3;\n }\n h2,\n h3 {\n page-break-after: avoid;\n }\n .navbar {\n display: none;\n }\n .btn > .caret,\n .dropup > .btn > .caret {\n border-top-color: #000 !important;\n }\n .label {\n border: 1px solid #000;\n }\n .table {\n border-collapse: collapse !important;\n }\n .table td,\n .table th {\n background-color: #fff !important;\n }\n .table-bordered th,\n .table-bordered td {\n border: 1px solid #ddd !important;\n }\n}\n@font-face {\n font-family: 'Glyphicons Halflings';\n src: url('../fonts/glyphicons-halflings-regular.eot');\n src: url('../fonts/glyphicons-halflings-regular.eot?#iefix') format('embedded-opentype'), url('../fonts/glyphicons-halflings-regular.woff2') format('woff2'), 
url('../fonts/glyphicons-halflings-regular.woff') format('woff'), url('../fonts/glyphicons-halflings-regular.ttf') format('truetype'), url('../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular') format('svg');\n}\n.glyphicon {\n position: relative;\n top: 1px;\n display: inline-block;\n font-family: 'Glyphicons Halflings';\n font-style: normal;\n font-weight: normal;\n line-height: 1;\n -webkit-font-smoothing: antialiased;\n -moz-osx-font-smoothing: grayscale;\n}\n.glyphicon-asterisk:before {\n content: \"\\002a\";\n}\n.glyphicon-plus:before {\n content: \"\\002b\";\n}\n.glyphicon-euro:before,\n.glyphicon-eur:before {\n content: \"\\20ac\";\n}\n.glyphicon-minus:before {\n content: \"\\2212\";\n}\n.glyphicon-cloud:before {\n content: \"\\2601\";\n}\n.glyphicon-envelope:before {\n content: \"\\2709\";\n}\n.glyphicon-pencil:before {\n content: \"\\270f\";\n}\n.glyphicon-glass:before {\n content: \"\\e001\";\n}\n.glyphicon-music:before {\n content: \"\\e002\";\n}\n.glyphicon-search:before {\n content: \"\\e003\";\n}\n.glyphicon-heart:before {\n content: \"\\e005\";\n}\n.glyphicon-star:before {\n content: \"\\e006\";\n}\n.glyphicon-star-empty:before {\n content: \"\\e007\";\n}\n.glyphicon-user:before {\n content: \"\\e008\";\n}\n.glyphicon-film:before {\n content: \"\\e009\";\n}\n.glyphicon-th-large:before {\n content: \"\\e010\";\n}\n.glyphicon-th:before {\n content: \"\\e011\";\n}\n.glyphicon-th-list:before {\n content: \"\\e012\";\n}\n.glyphicon-ok:before {\n content: \"\\e013\";\n}\n.glyphicon-remove:before {\n content: \"\\e014\";\n}\n.glyphicon-zoom-in:before {\n content: \"\\e015\";\n}\n.glyphicon-zoom-out:before {\n content: \"\\e016\";\n}\n.glyphicon-off:before {\n content: \"\\e017\";\n}\n.glyphicon-signal:before {\n content: \"\\e018\";\n}\n.glyphicon-cog:before {\n content: \"\\e019\";\n}\n.glyphicon-trash:before {\n content: \"\\e020\";\n}\n.glyphicon-home:before {\n content: \"\\e021\";\n}\n.glyphicon-file:before {\n content: 
\"\\e022\";\n}\n.glyphicon-time:before {\n content: \"\\e023\";\n}\n.glyphicon-road:before {\n content: \"\\e024\";\n}\n.glyphicon-download-alt:before {\n content: \"\\e025\";\n}\n.glyphicon-download:before {\n content: \"\\e026\";\n}\n.glyphicon-upload:before {\n content: \"\\e027\";\n}\n.glyphicon-inbox:before {\n content: \"\\e028\";\n}\n.glyphicon-play-circle:before {\n content: \"\\e029\";\n}\n.glyphicon-repeat:before {\n content: \"\\e030\";\n}\n.glyphicon-refresh:before {\n content: \"\\e031\";\n}\n.glyphicon-list-alt:before {\n content: \"\\e032\";\n}\n.glyphicon-lock:before {\n content: \"\\e033\";\n}\n.glyphicon-flag:before {\n content: \"\\e034\";\n}\n.glyphicon-headphones:before {\n content: \"\\e035\";\n}\n.glyphicon-volume-off:before {\n content: \"\\e036\";\n}\n.glyphicon-volume-down:before {\n content: \"\\e037\";\n}\n.glyphicon-volume-up:before {\n content: \"\\e038\";\n}\n.glyphicon-qrcode:before {\n content: \"\\e039\";\n}\n.glyphicon-barcode:before {\n content: \"\\e040\";\n}\n.glyphicon-tag:before {\n content: \"\\e041\";\n}\n.glyphicon-tags:before {\n content: \"\\e042\";\n}\n.glyphicon-book:before {\n content: \"\\e043\";\n}\n.glyphicon-bookmark:before {\n content: \"\\e044\";\n}\n.glyphicon-print:before {\n content: \"\\e045\";\n}\n.glyphicon-camera:before {\n content: \"\\e046\";\n}\n.glyphicon-font:before {\n content: \"\\e047\";\n}\n.glyphicon-bold:before {\n content: \"\\e048\";\n}\n.glyphicon-italic:before {\n content: \"\\e049\";\n}\n.glyphicon-text-height:before {\n content: \"\\e050\";\n}\n.glyphicon-text-width:before {\n content: \"\\e051\";\n}\n.glyphicon-align-left:before {\n content: \"\\e052\";\n}\n.glyphicon-align-center:before {\n content: \"\\e053\";\n}\n.glyphicon-align-right:before {\n content: \"\\e054\";\n}\n.glyphicon-align-justify:before {\n content: \"\\e055\";\n}\n.glyphicon-list:before {\n content: \"\\e056\";\n}\n.glyphicon-indent-left:before {\n content: \"\\e057\";\n}\n.glyphicon-indent-right:before {\n content: 
\"\\e058\";\n}\n.glyphicon-facetime-video:before {\n content: \"\\e059\";\n}\n.glyphicon-picture:before {\n content: \"\\e060\";\n}\n.glyphicon-map-marker:before {\n content: \"\\e062\";\n}\n.glyphicon-adjust:before {\n content: \"\\e063\";\n}\n.glyphicon-tint:before {\n content: \"\\e064\";\n}\n.glyphicon-edit:before {\n content: \"\\e065\";\n}\n.glyphicon-share:before {\n content: \"\\e066\";\n}\n.glyphicon-check:before {\n content: \"\\e067\";\n}\n.glyphicon-move:before {\n content: \"\\e068\";\n}\n.glyphicon-step-backward:before {\n content: \"\\e069\";\n}\n.glyphicon-fast-backward:before {\n content: \"\\e070\";\n}\n.glyphicon-backward:before {\n content: \"\\e071\";\n}\n.glyphicon-play:before {\n content: \"\\e072\";\n}\n.glyphicon-pause:before {\n content: \"\\e073\";\n}\n.glyphicon-stop:before {\n content: \"\\e074\";\n}\n.glyphicon-forward:before {\n content: \"\\e075\";\n}\n.glyphicon-fast-forward:before {\n content: \"\\e076\";\n}\n.glyphicon-step-forward:before {\n content: \"\\e077\";\n}\n.glyphicon-eject:before {\n content: \"\\e078\";\n}\n.glyphicon-chevron-left:before {\n content: \"\\e079\";\n}\n.glyphicon-chevron-right:before {\n content: \"\\e080\";\n}\n.glyphicon-plus-sign:before {\n content: \"\\e081\";\n}\n.glyphicon-minus-sign:before {\n content: \"\\e082\";\n}\n.glyphicon-remove-sign:before {\n content: \"\\e083\";\n}\n.glyphicon-ok-sign:before {\n content: \"\\e084\";\n}\n.glyphicon-question-sign:before {\n content: \"\\e085\";\n}\n.glyphicon-info-sign:before {\n content: \"\\e086\";\n}\n.glyphicon-screenshot:before {\n content: \"\\e087\";\n}\n.glyphicon-remove-circle:before {\n content: \"\\e088\";\n}\n.glyphicon-ok-circle:before {\n content: \"\\e089\";\n}\n.glyphicon-ban-circle:before {\n content: \"\\e090\";\n}\n.glyphicon-arrow-left:before {\n content: \"\\e091\";\n}\n.glyphicon-arrow-right:before {\n content: \"\\e092\";\n}\n.glyphicon-arrow-up:before {\n content: \"\\e093\";\n}\n.glyphicon-arrow-down:before {\n content: 
\"\\e094\";\n}\n.glyphicon-share-alt:before {\n content: \"\\e095\";\n}\n.glyphicon-resize-full:before {\n content: \"\\e096\";\n}\n.glyphicon-resize-small:before {\n content: \"\\e097\";\n}\n.glyphicon-exclamation-sign:before {\n content: \"\\e101\";\n}\n.glyphicon-gift:before {\n content: \"\\e102\";\n}\n.glyphicon-leaf:before {\n content: \"\\e103\";\n}\n.glyphicon-fire:before {\n content: \"\\e104\";\n}\n.glyphicon-eye-open:before {\n content: \"\\e105\";\n}\n.glyphicon-eye-close:before {\n content: \"\\e106\";\n}\n.glyphicon-warning-sign:before {\n content: \"\\e107\";\n}\n.glyphicon-plane:before {\n content: \"\\e108\";\n}\n.glyphicon-calendar:before {\n content: \"\\e109\";\n}\n.glyphicon-random:before {\n content: \"\\e110\";\n}\n.glyphicon-comment:before {\n content: \"\\e111\";\n}\n.glyphicon-magnet:before {\n content: \"\\e112\";\n}\n.glyphicon-chevron-up:before {\n content: \"\\e113\";\n}\n.glyphicon-chevron-down:before {\n content: \"\\e114\";\n}\n.glyphicon-retweet:before {\n content: \"\\e115\";\n}\n.glyphicon-shopping-cart:before {\n content: \"\\e116\";\n}\n.glyphicon-folder-close:before {\n content: \"\\e117\";\n}\n.glyphicon-folder-open:before {\n content: \"\\e118\";\n}\n.glyphicon-resize-vertical:before {\n content: \"\\e119\";\n}\n.glyphicon-resize-horizontal:before {\n content: \"\\e120\";\n}\n.glyphicon-hdd:before {\n content: \"\\e121\";\n}\n.glyphicon-bullhorn:before {\n content: \"\\e122\";\n}\n.glyphicon-bell:before {\n content: \"\\e123\";\n}\n.glyphicon-certificate:before {\n content: \"\\e124\";\n}\n.glyphicon-thumbs-up:before {\n content: \"\\e125\";\n}\n.glyphicon-thumbs-down:before {\n content: \"\\e126\";\n}\n.glyphicon-hand-right:before {\n content: \"\\e127\";\n}\n.glyphicon-hand-left:before {\n content: \"\\e128\";\n}\n.glyphicon-hand-up:before {\n content: \"\\e129\";\n}\n.glyphicon-hand-down:before {\n content: \"\\e130\";\n}\n.glyphicon-circle-arrow-right:before {\n content: 
\"\\e131\";\n}\n.glyphicon-circle-arrow-left:before {\n content: \"\\e132\";\n}\n.glyphicon-circle-arrow-up:before {\n content: \"\\e133\";\n}\n.glyphicon-circle-arrow-down:before {\n content: \"\\e134\";\n}\n.glyphicon-globe:before {\n content: \"\\e135\";\n}\n.glyphicon-wrench:before {\n content: \"\\e136\";\n}\n.glyphicon-tasks:before {\n content: \"\\e137\";\n}\n.glyphicon-filter:before {\n content: \"\\e138\";\n}\n.glyphicon-briefcase:before {\n content: \"\\e139\";\n}\n.glyphicon-fullscreen:before {\n content: \"\\e140\";\n}\n.glyphicon-dashboard:before {\n content: \"\\e141\";\n}\n.glyphicon-paperclip:before {\n content: \"\\e142\";\n}\n.glyphicon-heart-empty:before {\n content: \"\\e143\";\n}\n.glyphicon-link:before {\n content: \"\\e144\";\n}\n.glyphicon-phone:before {\n content: \"\\e145\";\n}\n.glyphicon-pushpin:before {\n content: \"\\e146\";\n}\n.glyphicon-usd:before {\n content: \"\\e148\";\n}\n.glyphicon-gbp:before {\n content: \"\\e149\";\n}\n.glyphicon-sort:before {\n content: \"\\e150\";\n}\n.glyphicon-sort-by-alphabet:before {\n content: \"\\e151\";\n}\n.glyphicon-sort-by-alphabet-alt:before {\n content: \"\\e152\";\n}\n.glyphicon-sort-by-order:before {\n content: \"\\e153\";\n}\n.glyphicon-sort-by-order-alt:before {\n content: \"\\e154\";\n}\n.glyphicon-sort-by-attributes:before {\n content: \"\\e155\";\n}\n.glyphicon-sort-by-attributes-alt:before {\n content: \"\\e156\";\n}\n.glyphicon-unchecked:before {\n content: \"\\e157\";\n}\n.glyphicon-expand:before {\n content: \"\\e158\";\n}\n.glyphicon-collapse-down:before {\n content: \"\\e159\";\n}\n.glyphicon-collapse-up:before {\n content: \"\\e160\";\n}\n.glyphicon-log-in:before {\n content: \"\\e161\";\n}\n.glyphicon-flash:before {\n content: \"\\e162\";\n}\n.glyphicon-log-out:before {\n content: \"\\e163\";\n}\n.glyphicon-new-window:before {\n content: \"\\e164\";\n}\n.glyphicon-record:before {\n content: \"\\e165\";\n}\n.glyphicon-save:before {\n content: \"\\e166\";\n}\n.glyphicon-open:before 
{\n content: \"\\e167\";\n}\n.glyphicon-saved:before {\n content: \"\\e168\";\n}\n.glyphicon-import:before {\n content: \"\\e169\";\n}\n.glyphicon-export:before {\n content: \"\\e170\";\n}\n.glyphicon-send:before {\n content: \"\\e171\";\n}\n.glyphicon-floppy-disk:before {\n content: \"\\e172\";\n}\n.glyphicon-floppy-saved:before {\n content: \"\\e173\";\n}\n.glyphicon-floppy-remove:before {\n content: \"\\e174\";\n}\n.glyphicon-floppy-save:before {\n content: \"\\e175\";\n}\n.glyphicon-floppy-open:before {\n content: \"\\e176\";\n}\n.glyphicon-credit-card:before {\n content: \"\\e177\";\n}\n.glyphicon-transfer:before {\n content: \"\\e178\";\n}\n.glyphicon-cutlery:before {\n content: \"\\e179\";\n}\n.glyphicon-header:before {\n content: \"\\e180\";\n}\n.glyphicon-compressed:before {\n content: \"\\e181\";\n}\n.glyphicon-earphone:before {\n content: \"\\e182\";\n}\n.glyphicon-phone-alt:before {\n content: \"\\e183\";\n}\n.glyphicon-tower:before {\n content: \"\\e184\";\n}\n.glyphicon-stats:before {\n content: \"\\e185\";\n}\n.glyphicon-sd-video:before {\n content: \"\\e186\";\n}\n.glyphicon-hd-video:before {\n content: \"\\e187\";\n}\n.glyphicon-subtitles:before {\n content: \"\\e188\";\n}\n.glyphicon-sound-stereo:before {\n content: \"\\e189\";\n}\n.glyphicon-sound-dolby:before {\n content: \"\\e190\";\n}\n.glyphicon-sound-5-1:before {\n content: \"\\e191\";\n}\n.glyphicon-sound-6-1:before {\n content: \"\\e192\";\n}\n.glyphicon-sound-7-1:before {\n content: \"\\e193\";\n}\n.glyphicon-copyright-mark:before {\n content: \"\\e194\";\n}\n.glyphicon-registration-mark:before {\n content: \"\\e195\";\n}\n.glyphicon-cloud-download:before {\n content: \"\\e197\";\n}\n.glyphicon-cloud-upload:before {\n content: \"\\e198\";\n}\n.glyphicon-tree-conifer:before {\n content: \"\\e199\";\n}\n.glyphicon-tree-deciduous:before {\n content: \"\\e200\";\n}\n.glyphicon-cd:before {\n content: \"\\e201\";\n}\n.glyphicon-save-file:before {\n content: 
\"\\e202\";\n}\n.glyphicon-open-file:before {\n content: \"\\e203\";\n}\n.glyphicon-level-up:before {\n content: \"\\e204\";\n}\n.glyphicon-copy:before {\n content: \"\\e205\";\n}\n.glyphicon-paste:before {\n content: \"\\e206\";\n}\n.glyphicon-alert:before {\n content: \"\\e209\";\n}\n.glyphicon-equalizer:before {\n content: \"\\e210\";\n}\n.glyphicon-king:before {\n content: \"\\e211\";\n}\n.glyphicon-queen:before {\n content: \"\\e212\";\n}\n.glyphicon-pawn:before {\n content: \"\\e213\";\n}\n.glyphicon-bishop:before {\n content: \"\\e214\";\n}\n.glyphicon-knight:before {\n content: \"\\e215\";\n}\n.glyphicon-baby-formula:before {\n content: \"\\e216\";\n}\n.glyphicon-tent:before {\n content: \"\\26fa\";\n}\n.glyphicon-blackboard:before {\n content: \"\\e218\";\n}\n.glyphicon-bed:before {\n content: \"\\e219\";\n}\n.glyphicon-apple:before {\n content: \"\\f8ff\";\n}\n.glyphicon-erase:before {\n content: \"\\e221\";\n}\n.glyphicon-hourglass:before {\n content: \"\\231b\";\n}\n.glyphicon-lamp:before {\n content: \"\\e223\";\n}\n.glyphicon-duplicate:before {\n content: \"\\e224\";\n}\n.glyphicon-piggy-bank:before {\n content: \"\\e225\";\n}\n.glyphicon-scissors:before {\n content: \"\\e226\";\n}\n.glyphicon-bitcoin:before {\n content: \"\\e227\";\n}\n.glyphicon-btc:before {\n content: \"\\e227\";\n}\n.glyphicon-xbt:before {\n content: \"\\e227\";\n}\n.glyphicon-yen:before {\n content: \"\\00a5\";\n}\n.glyphicon-jpy:before {\n content: \"\\00a5\";\n}\n.glyphicon-ruble:before {\n content: \"\\20bd\";\n}\n.glyphicon-rub:before {\n content: \"\\20bd\";\n}\n.glyphicon-scale:before {\n content: \"\\e230\";\n}\n.glyphicon-ice-lolly:before {\n content: \"\\e231\";\n}\n.glyphicon-ice-lolly-tasted:before {\n content: \"\\e232\";\n}\n.glyphicon-education:before {\n content: \"\\e233\";\n}\n.glyphicon-option-horizontal:before {\n content: \"\\e234\";\n}\n.glyphicon-option-vertical:before {\n content: \"\\e235\";\n}\n.glyphicon-menu-hamburger:before {\n content: 
\"\\e236\";\n}\n.glyphicon-modal-window:before {\n content: \"\\e237\";\n}\n.glyphicon-oil:before {\n content: \"\\e238\";\n}\n.glyphicon-grain:before {\n content: \"\\e239\";\n}\n.glyphicon-sunglasses:before {\n content: \"\\e240\";\n}\n.glyphicon-text-size:before {\n content: \"\\e241\";\n}\n.glyphicon-text-color:before {\n content: \"\\e242\";\n}\n.glyphicon-text-background:before {\n content: \"\\e243\";\n}\n.glyphicon-object-align-top:before {\n content: \"\\e244\";\n}\n.glyphicon-object-align-bottom:before {\n content: \"\\e245\";\n}\n.glyphicon-object-align-horizontal:before {\n content: \"\\e246\";\n}\n.glyphicon-object-align-left:before {\n content: \"\\e247\";\n}\n.glyphicon-object-align-vertical:before {\n content: \"\\e248\";\n}\n.glyphicon-object-align-right:before {\n content: \"\\e249\";\n}\n.glyphicon-triangle-right:before {\n content: \"\\e250\";\n}\n.glyphicon-triangle-left:before {\n content: \"\\e251\";\n}\n.glyphicon-triangle-bottom:before {\n content: \"\\e252\";\n}\n.glyphicon-triangle-top:before {\n content: \"\\e253\";\n}\n.glyphicon-console:before {\n content: \"\\e254\";\n}\n.glyphicon-superscript:before {\n content: \"\\e255\";\n}\n.glyphicon-subscript:before {\n content: \"\\e256\";\n}\n.glyphicon-menu-left:before {\n content: \"\\e257\";\n}\n.glyphicon-menu-right:before {\n content: \"\\e258\";\n}\n.glyphicon-menu-down:before {\n content: \"\\e259\";\n}\n.glyphicon-menu-up:before {\n content: \"\\e260\";\n}\n* {\n -webkit-box-sizing: border-box;\n -moz-box-sizing: border-box;\n box-sizing: border-box;\n}\n*:before,\n*:after {\n -webkit-box-sizing: border-box;\n -moz-box-sizing: border-box;\n box-sizing: border-box;\n}\nhtml {\n font-size: 10px;\n -webkit-tap-highlight-color: rgba(0, 0, 0, 0);\n}\nbody {\n font-family: \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n font-size: 14px;\n line-height: 1.42857143;\n color: #333333;\n background-color: #fff;\n}\ninput,\nbutton,\nselect,\ntextarea {\n font-family: inherit;\n font-size: 
inherit;\n line-height: inherit;\n}\na {\n color: #337ab7;\n text-decoration: none;\n}\na:hover,\na:focus {\n color: #23527c;\n text-decoration: underline;\n}\na:focus {\n outline: 5px auto -webkit-focus-ring-color;\n outline-offset: -2px;\n}\nfigure {\n margin: 0;\n}\nimg {\n vertical-align: middle;\n}\n.img-responsive,\n.thumbnail > img,\n.thumbnail a > img,\n.carousel-inner > .item > img,\n.carousel-inner > .item > a > img {\n display: block;\n max-width: 100%;\n height: auto;\n}\n.img-rounded {\n border-radius: 6px;\n}\n.img-thumbnail {\n padding: 4px;\n line-height: 1.42857143;\n background-color: #fff;\n border: 1px solid #ddd;\n border-radius: 4px;\n -webkit-transition: all 0.2s ease-in-out;\n -o-transition: all 0.2s ease-in-out;\n transition: all 0.2s ease-in-out;\n display: inline-block;\n max-width: 100%;\n height: auto;\n}\n.img-circle {\n border-radius: 50%;\n}\nhr {\n margin-top: 20px;\n margin-bottom: 20px;\n border: 0;\n border-top: 1px solid #eeeeee;\n}\n.sr-only {\n position: absolute;\n width: 1px;\n height: 1px;\n margin: -1px;\n padding: 0;\n overflow: hidden;\n clip: rect(0, 0, 0, 0);\n border: 0;\n}\n.sr-only-focusable:active,\n.sr-only-focusable:focus {\n position: static;\n width: auto;\n height: auto;\n margin: 0;\n overflow: visible;\n clip: auto;\n}\n[role=\"button\"] {\n cursor: pointer;\n}\nh1,\nh2,\nh3,\nh4,\nh5,\nh6,\n.h1,\n.h2,\n.h3,\n.h4,\n.h5,\n.h6 {\n font-family: inherit;\n font-weight: 500;\n line-height: 1.1;\n color: inherit;\n}\nh1 small,\nh2 small,\nh3 small,\nh4 small,\nh5 small,\nh6 small,\n.h1 small,\n.h2 small,\n.h3 small,\n.h4 small,\n.h5 small,\n.h6 small,\nh1 .small,\nh2 .small,\nh3 .small,\nh4 .small,\nh5 .small,\nh6 .small,\n.h1 .small,\n.h2 .small,\n.h3 .small,\n.h4 .small,\n.h5 .small,\n.h6 .small {\n font-weight: normal;\n line-height: 1;\n color: #777777;\n}\nh1,\n.h1,\nh2,\n.h2,\nh3,\n.h3 {\n margin-top: 20px;\n margin-bottom: 10px;\n}\nh1 small,\n.h1 small,\nh2 small,\n.h2 small,\nh3 small,\n.h3 small,\nh1 
.small,\n.h1 .small,\nh2 .small,\n.h2 .small,\nh3 .small,\n.h3 .small {\n font-size: 65%;\n}\nh4,\n.h4,\nh5,\n.h5,\nh6,\n.h6 {\n margin-top: 10px;\n margin-bottom: 10px;\n}\nh4 small,\n.h4 small,\nh5 small,\n.h5 small,\nh6 small,\n.h6 small,\nh4 .small,\n.h4 .small,\nh5 .small,\n.h5 .small,\nh6 .small,\n.h6 .small {\n font-size: 75%;\n}\nh1,\n.h1 {\n font-size: 36px;\n}\nh2,\n.h2 {\n font-size: 30px;\n}\nh3,\n.h3 {\n font-size: 24px;\n}\nh4,\n.h4 {\n font-size: 18px;\n}\nh5,\n.h5 {\n font-size: 14px;\n}\nh6,\n.h6 {\n font-size: 12px;\n}\np {\n margin: 0 0 10px;\n}\n.lead {\n margin-bottom: 20px;\n font-size: 16px;\n font-weight: 300;\n line-height: 1.4;\n}\n@media (min-width: 768px) {\n .lead {\n font-size: 21px;\n }\n}\nsmall,\n.small {\n font-size: 85%;\n}\nmark,\n.mark {\n background-color: #fcf8e3;\n padding: .2em;\n}\n.text-left {\n text-align: left;\n}\n.text-right {\n text-align: right;\n}\n.text-center {\n text-align: center;\n}\n.text-justify {\n text-align: justify;\n}\n.text-nowrap {\n white-space: nowrap;\n}\n.text-lowercase {\n text-transform: lowercase;\n}\n.text-uppercase {\n text-transform: uppercase;\n}\n.text-capitalize {\n text-transform: capitalize;\n}\n.text-muted {\n color: #777777;\n}\n.text-primary {\n color: #337ab7;\n}\na.text-primary:hover,\na.text-primary:focus {\n color: #286090;\n}\n.text-success {\n color: #3c763d;\n}\na.text-success:hover,\na.text-success:focus {\n color: #2b542c;\n}\n.text-info {\n color: #31708f;\n}\na.text-info:hover,\na.text-info:focus {\n color: #245269;\n}\n.text-warning {\n color: #8a6d3b;\n}\na.text-warning:hover,\na.text-warning:focus {\n color: #66512c;\n}\n.text-danger {\n color: #a94442;\n}\na.text-danger:hover,\na.text-danger:focus {\n color: #843534;\n}\n.bg-primary {\n color: #fff;\n background-color: #337ab7;\n}\na.bg-primary:hover,\na.bg-primary:focus {\n background-color: #286090;\n}\n.bg-success {\n background-color: #dff0d8;\n}\na.bg-success:hover,\na.bg-success:focus {\n background-color: 
#c1e2b3;\n}\n.bg-info {\n background-color: #d9edf7;\n}\na.bg-info:hover,\na.bg-info:focus {\n background-color: #afd9ee;\n}\n.bg-warning {\n background-color: #fcf8e3;\n}\na.bg-warning:hover,\na.bg-warning:focus {\n background-color: #f7ecb5;\n}\n.bg-danger {\n background-color: #f2dede;\n}\na.bg-danger:hover,\na.bg-danger:focus {\n background-color: #e4b9b9;\n}\n.page-header {\n padding-bottom: 9px;\n margin: 40px 0 20px;\n border-bottom: 1px solid #eeeeee;\n}\nul,\nol {\n margin-top: 0;\n margin-bottom: 10px;\n}\nul ul,\nol ul,\nul ol,\nol ol {\n margin-bottom: 0;\n}\n.list-unstyled {\n padding-left: 0;\n list-style: none;\n}\n.list-inline {\n padding-left: 0;\n list-style: none;\n margin-left: -5px;\n}\n.list-inline > li {\n display: inline-block;\n padding-left: 5px;\n padding-right: 5px;\n}\ndl {\n margin-top: 0;\n margin-bottom: 20px;\n}\ndt,\ndd {\n line-height: 1.42857143;\n}\ndt {\n font-weight: bold;\n}\ndd {\n margin-left: 0;\n}\n@media (min-width: 768px) {\n .dl-horizontal dt {\n float: left;\n width: 160px;\n clear: left;\n text-align: right;\n overflow: hidden;\n text-overflow: ellipsis;\n white-space: nowrap;\n }\n .dl-horizontal dd {\n margin-left: 180px;\n }\n}\nabbr[title],\nabbr[data-original-title] {\n cursor: help;\n border-bottom: 1px dotted #777777;\n}\n.initialism {\n font-size: 90%;\n text-transform: uppercase;\n}\nblockquote {\n padding: 10px 20px;\n margin: 0 0 20px;\n font-size: 17.5px;\n border-left: 5px solid #eeeeee;\n}\nblockquote p:last-child,\nblockquote ul:last-child,\nblockquote ol:last-child {\n margin-bottom: 0;\n}\nblockquote footer,\nblockquote small,\nblockquote .small {\n display: block;\n font-size: 80%;\n line-height: 1.42857143;\n color: #777777;\n}\nblockquote footer:before,\nblockquote small:before,\nblockquote .small:before {\n content: '\\2014 \\00A0';\n}\n.blockquote-reverse,\nblockquote.pull-right {\n padding-right: 15px;\n padding-left: 0;\n border-right: 5px solid #eeeeee;\n border-left: 0;\n text-align: 
right;\n}\n.blockquote-reverse footer:before,\nblockquote.pull-right footer:before,\n.blockquote-reverse small:before,\nblockquote.pull-right small:before,\n.blockquote-reverse .small:before,\nblockquote.pull-right .small:before {\n content: '';\n}\n.blockquote-reverse footer:after,\nblockquote.pull-right footer:after,\n.blockquote-reverse small:after,\nblockquote.pull-right small:after,\n.blockquote-reverse .small:after,\nblockquote.pull-right .small:after {\n content: '\\00A0 \\2014';\n}\naddress {\n margin-bottom: 20px;\n font-style: normal;\n line-height: 1.42857143;\n}\ncode,\nkbd,\npre,\nsamp {\n font-family: Menlo, Monaco, Consolas, \"Courier New\", monospace;\n}\ncode {\n padding: 2px 4px;\n font-size: 90%;\n color: #c7254e;\n background-color: #f9f2f4;\n border-radius: 4px;\n}\nkbd {\n padding: 2px 4px;\n font-size: 90%;\n color: #fff;\n background-color: #333;\n border-radius: 3px;\n box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25);\n}\nkbd kbd {\n padding: 0;\n font-size: 100%;\n font-weight: bold;\n box-shadow: none;\n}\npre {\n display: block;\n padding: 9.5px;\n margin: 0 0 10px;\n font-size: 13px;\n line-height: 1.42857143;\n word-break: break-all;\n word-wrap: break-word;\n color: #333333;\n background-color: #f5f5f5;\n border: 1px solid #ccc;\n border-radius: 4px;\n}\npre code {\n padding: 0;\n font-size: inherit;\n color: inherit;\n white-space: pre-wrap;\n background-color: transparent;\n border-radius: 0;\n}\n.pre-scrollable {\n max-height: 340px;\n overflow-y: scroll;\n}\n.container {\n margin-right: auto;\n margin-left: auto;\n padding-left: 15px;\n padding-right: 15px;\n}\n@media (min-width: 768px) {\n .container {\n width: 750px;\n }\n}\n@media (min-width: 992px) {\n .container {\n width: 970px;\n }\n}\n@media (min-width: 1200px) {\n .container {\n width: 1170px;\n }\n}\n.container-fluid {\n margin-right: auto;\n margin-left: auto;\n padding-left: 15px;\n padding-right: 15px;\n}\n.row {\n margin-left: -15px;\n margin-right: 
-15px;\n}\n.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12 {\n position: relative;\n min-height: 1px;\n padding-left: 15px;\n padding-right: 15px;\n}\n.col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12 {\n float: left;\n}\n.col-xs-12 {\n width: 100%;\n}\n.col-xs-11 {\n width: 91.66666667%;\n}\n.col-xs-10 {\n width: 83.33333333%;\n}\n.col-xs-9 {\n width: 75%;\n}\n.col-xs-8 {\n width: 66.66666667%;\n}\n.col-xs-7 {\n width: 58.33333333%;\n}\n.col-xs-6 {\n width: 50%;\n}\n.col-xs-5 {\n width: 41.66666667%;\n}\n.col-xs-4 {\n width: 33.33333333%;\n}\n.col-xs-3 {\n width: 25%;\n}\n.col-xs-2 {\n width: 16.66666667%;\n}\n.col-xs-1 {\n width: 8.33333333%;\n}\n.col-xs-pull-12 {\n right: 100%;\n}\n.col-xs-pull-11 {\n right: 91.66666667%;\n}\n.col-xs-pull-10 {\n right: 83.33333333%;\n}\n.col-xs-pull-9 {\n right: 75%;\n}\n.col-xs-pull-8 {\n right: 66.66666667%;\n}\n.col-xs-pull-7 {\n right: 58.33333333%;\n}\n.col-xs-pull-6 {\n right: 50%;\n}\n.col-xs-pull-5 {\n right: 41.66666667%;\n}\n.col-xs-pull-4 {\n right: 33.33333333%;\n}\n.col-xs-pull-3 {\n right: 25%;\n}\n.col-xs-pull-2 {\n right: 16.66666667%;\n}\n.col-xs-pull-1 {\n right: 8.33333333%;\n}\n.col-xs-pull-0 {\n right: auto;\n}\n.col-xs-push-12 {\n left: 100%;\n}\n.col-xs-push-11 {\n left: 91.66666667%;\n}\n.col-xs-push-10 {\n left: 83.33333333%;\n}\n.col-xs-push-9 {\n left: 75%;\n}\n.col-xs-push-8 {\n left: 66.66666667%;\n}\n.col-xs-push-7 {\n left: 
58.33333333%;\n}\n.col-xs-push-6 {\n left: 50%;\n}\n.col-xs-push-5 {\n left: 41.66666667%;\n}\n.col-xs-push-4 {\n left: 33.33333333%;\n}\n.col-xs-push-3 {\n left: 25%;\n}\n.col-xs-push-2 {\n left: 16.66666667%;\n}\n.col-xs-push-1 {\n left: 8.33333333%;\n}\n.col-xs-push-0 {\n left: auto;\n}\n.col-xs-offset-12 {\n margin-left: 100%;\n}\n.col-xs-offset-11 {\n margin-left: 91.66666667%;\n}\n.col-xs-offset-10 {\n margin-left: 83.33333333%;\n}\n.col-xs-offset-9 {\n margin-left: 75%;\n}\n.col-xs-offset-8 {\n margin-left: 66.66666667%;\n}\n.col-xs-offset-7 {\n margin-left: 58.33333333%;\n}\n.col-xs-offset-6 {\n margin-left: 50%;\n}\n.col-xs-offset-5 {\n margin-left: 41.66666667%;\n}\n.col-xs-offset-4 {\n margin-left: 33.33333333%;\n}\n.col-xs-offset-3 {\n margin-left: 25%;\n}\n.col-xs-offset-2 {\n margin-left: 16.66666667%;\n}\n.col-xs-offset-1 {\n margin-left: 8.33333333%;\n}\n.col-xs-offset-0 {\n margin-left: 0%;\n}\n@media (min-width: 768px) {\n .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 {\n float: left;\n }\n .col-sm-12 {\n width: 100%;\n }\n .col-sm-11 {\n width: 91.66666667%;\n }\n .col-sm-10 {\n width: 83.33333333%;\n }\n .col-sm-9 {\n width: 75%;\n }\n .col-sm-8 {\n width: 66.66666667%;\n }\n .col-sm-7 {\n width: 58.33333333%;\n }\n .col-sm-6 {\n width: 50%;\n }\n .col-sm-5 {\n width: 41.66666667%;\n }\n .col-sm-4 {\n width: 33.33333333%;\n }\n .col-sm-3 {\n width: 25%;\n }\n .col-sm-2 {\n width: 16.66666667%;\n }\n .col-sm-1 {\n width: 8.33333333%;\n }\n .col-sm-pull-12 {\n right: 100%;\n }\n .col-sm-pull-11 {\n right: 91.66666667%;\n }\n .col-sm-pull-10 {\n right: 83.33333333%;\n }\n .col-sm-pull-9 {\n right: 75%;\n }\n .col-sm-pull-8 {\n right: 66.66666667%;\n }\n .col-sm-pull-7 {\n right: 58.33333333%;\n }\n .col-sm-pull-6 {\n right: 50%;\n }\n .col-sm-pull-5 {\n right: 41.66666667%;\n }\n .col-sm-pull-4 {\n right: 33.33333333%;\n }\n .col-sm-pull-3 {\n right: 25%;\n }\n 
.col-sm-pull-2 {\n right: 16.66666667%;\n }\n .col-sm-pull-1 {\n right: 8.33333333%;\n }\n .col-sm-pull-0 {\n right: auto;\n }\n .col-sm-push-12 {\n left: 100%;\n }\n .col-sm-push-11 {\n left: 91.66666667%;\n }\n .col-sm-push-10 {\n left: 83.33333333%;\n }\n .col-sm-push-9 {\n left: 75%;\n }\n .col-sm-push-8 {\n left: 66.66666667%;\n }\n .col-sm-push-7 {\n left: 58.33333333%;\n }\n .col-sm-push-6 {\n left: 50%;\n }\n .col-sm-push-5 {\n left: 41.66666667%;\n }\n .col-sm-push-4 {\n left: 33.33333333%;\n }\n .col-sm-push-3 {\n left: 25%;\n }\n .col-sm-push-2 {\n left: 16.66666667%;\n }\n .col-sm-push-1 {\n left: 8.33333333%;\n }\n .col-sm-push-0 {\n left: auto;\n }\n .col-sm-offset-12 {\n margin-left: 100%;\n }\n .col-sm-offset-11 {\n margin-left: 91.66666667%;\n }\n .col-sm-offset-10 {\n margin-left: 83.33333333%;\n }\n .col-sm-offset-9 {\n margin-left: 75%;\n }\n .col-sm-offset-8 {\n margin-left: 66.66666667%;\n }\n .col-sm-offset-7 {\n margin-left: 58.33333333%;\n }\n .col-sm-offset-6 {\n margin-left: 50%;\n }\n .col-sm-offset-5 {\n margin-left: 41.66666667%;\n }\n .col-sm-offset-4 {\n margin-left: 33.33333333%;\n }\n .col-sm-offset-3 {\n margin-left: 25%;\n }\n .col-sm-offset-2 {\n margin-left: 16.66666667%;\n }\n .col-sm-offset-1 {\n margin-left: 8.33333333%;\n }\n .col-sm-offset-0 {\n margin-left: 0%;\n }\n}\n@media (min-width: 992px) {\n .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 {\n float: left;\n }\n .col-md-12 {\n width: 100%;\n }\n .col-md-11 {\n width: 91.66666667%;\n }\n .col-md-10 {\n width: 83.33333333%;\n }\n .col-md-9 {\n width: 75%;\n }\n .col-md-8 {\n width: 66.66666667%;\n }\n .col-md-7 {\n width: 58.33333333%;\n }\n .col-md-6 {\n width: 50%;\n }\n .col-md-5 {\n width: 41.66666667%;\n }\n .col-md-4 {\n width: 33.33333333%;\n }\n .col-md-3 {\n width: 25%;\n }\n .col-md-2 {\n width: 16.66666667%;\n }\n .col-md-1 {\n width: 8.33333333%;\n }\n .col-md-pull-12 {\n 
right: 100%;\n }\n .col-md-pull-11 {\n right: 91.66666667%;\n }\n .col-md-pull-10 {\n right: 83.33333333%;\n }\n .col-md-pull-9 {\n right: 75%;\n }\n .col-md-pull-8 {\n right: 66.66666667%;\n }\n .col-md-pull-7 {\n right: 58.33333333%;\n }\n .col-md-pull-6 {\n right: 50%;\n }\n .col-md-pull-5 {\n right: 41.66666667%;\n }\n .col-md-pull-4 {\n right: 33.33333333%;\n }\n .col-md-pull-3 {\n right: 25%;\n }\n .col-md-pull-2 {\n right: 16.66666667%;\n }\n .col-md-pull-1 {\n right: 8.33333333%;\n }\n .col-md-pull-0 {\n right: auto;\n }\n .col-md-push-12 {\n left: 100%;\n }\n .col-md-push-11 {\n left: 91.66666667%;\n }\n .col-md-push-10 {\n left: 83.33333333%;\n }\n .col-md-push-9 {\n left: 75%;\n }\n .col-md-push-8 {\n left: 66.66666667%;\n }\n .col-md-push-7 {\n left: 58.33333333%;\n }\n .col-md-push-6 {\n left: 50%;\n }\n .col-md-push-5 {\n left: 41.66666667%;\n }\n .col-md-push-4 {\n left: 33.33333333%;\n }\n .col-md-push-3 {\n left: 25%;\n }\n .col-md-push-2 {\n left: 16.66666667%;\n }\n .col-md-push-1 {\n left: 8.33333333%;\n }\n .col-md-push-0 {\n left: auto;\n }\n .col-md-offset-12 {\n margin-left: 100%;\n }\n .col-md-offset-11 {\n margin-left: 91.66666667%;\n }\n .col-md-offset-10 {\n margin-left: 83.33333333%;\n }\n .col-md-offset-9 {\n margin-left: 75%;\n }\n .col-md-offset-8 {\n margin-left: 66.66666667%;\n }\n .col-md-offset-7 {\n margin-left: 58.33333333%;\n }\n .col-md-offset-6 {\n margin-left: 50%;\n }\n .col-md-offset-5 {\n margin-left: 41.66666667%;\n }\n .col-md-offset-4 {\n margin-left: 33.33333333%;\n }\n .col-md-offset-3 {\n margin-left: 25%;\n }\n .col-md-offset-2 {\n margin-left: 16.66666667%;\n }\n .col-md-offset-1 {\n margin-left: 8.33333333%;\n }\n .col-md-offset-0 {\n margin-left: 0%;\n }\n}\n@media (min-width: 1200px) {\n .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 {\n float: left;\n }\n .col-lg-12 {\n width: 100%;\n }\n .col-lg-11 {\n width: 
91.66666667%;\n }\n .col-lg-10 {\n width: 83.33333333%;\n }\n .col-lg-9 {\n width: 75%;\n }\n .col-lg-8 {\n width: 66.66666667%;\n }\n .col-lg-7 {\n width: 58.33333333%;\n }\n .col-lg-6 {\n width: 50%;\n }\n .col-lg-5 {\n width: 41.66666667%;\n }\n .col-lg-4 {\n width: 33.33333333%;\n }\n .col-lg-3 {\n width: 25%;\n }\n .col-lg-2 {\n width: 16.66666667%;\n }\n .col-lg-1 {\n width: 8.33333333%;\n }\n .col-lg-pull-12 {\n right: 100%;\n }\n .col-lg-pull-11 {\n right: 91.66666667%;\n }\n .col-lg-pull-10 {\n right: 83.33333333%;\n }\n .col-lg-pull-9 {\n right: 75%;\n }\n .col-lg-pull-8 {\n right: 66.66666667%;\n }\n .col-lg-pull-7 {\n right: 58.33333333%;\n }\n .col-lg-pull-6 {\n right: 50%;\n }\n .col-lg-pull-5 {\n right: 41.66666667%;\n }\n .col-lg-pull-4 {\n right: 33.33333333%;\n }\n .col-lg-pull-3 {\n right: 25%;\n }\n .col-lg-pull-2 {\n right: 16.66666667%;\n }\n .col-lg-pull-1 {\n right: 8.33333333%;\n }\n .col-lg-pull-0 {\n right: auto;\n }\n .col-lg-push-12 {\n left: 100%;\n }\n .col-lg-push-11 {\n left: 91.66666667%;\n }\n .col-lg-push-10 {\n left: 83.33333333%;\n }\n .col-lg-push-9 {\n left: 75%;\n }\n .col-lg-push-8 {\n left: 66.66666667%;\n }\n .col-lg-push-7 {\n left: 58.33333333%;\n }\n .col-lg-push-6 {\n left: 50%;\n }\n .col-lg-push-5 {\n left: 41.66666667%;\n }\n .col-lg-push-4 {\n left: 33.33333333%;\n }\n .col-lg-push-3 {\n left: 25%;\n }\n .col-lg-push-2 {\n left: 16.66666667%;\n }\n .col-lg-push-1 {\n left: 8.33333333%;\n }\n .col-lg-push-0 {\n left: auto;\n }\n .col-lg-offset-12 {\n margin-left: 100%;\n }\n .col-lg-offset-11 {\n margin-left: 91.66666667%;\n }\n .col-lg-offset-10 {\n margin-left: 83.33333333%;\n }\n .col-lg-offset-9 {\n margin-left: 75%;\n }\n .col-lg-offset-8 {\n margin-left: 66.66666667%;\n }\n .col-lg-offset-7 {\n margin-left: 58.33333333%;\n }\n .col-lg-offset-6 {\n margin-left: 50%;\n }\n .col-lg-offset-5 {\n margin-left: 41.66666667%;\n }\n .col-lg-offset-4 {\n margin-left: 33.33333333%;\n }\n .col-lg-offset-3 {\n 
margin-left: 25%;\n }\n .col-lg-offset-2 {\n margin-left: 16.66666667%;\n }\n .col-lg-offset-1 {\n margin-left: 8.33333333%;\n }\n .col-lg-offset-0 {\n margin-left: 0%;\n }\n}\ntable {\n background-color: transparent;\n}\ncaption {\n padding-top: 8px;\n padding-bottom: 8px;\n color: #777777;\n text-align: left;\n}\nth {\n text-align: left;\n}\n.table {\n width: 100%;\n max-width: 100%;\n margin-bottom: 20px;\n}\n.table > thead > tr > th,\n.table > tbody > tr > th,\n.table > tfoot > tr > th,\n.table > thead > tr > td,\n.table > tbody > tr > td,\n.table > tfoot > tr > td {\n padding: 8px;\n line-height: 1.42857143;\n vertical-align: top;\n border-top: 1px solid #ddd;\n}\n.table > thead > tr > th {\n vertical-align: bottom;\n border-bottom: 2px solid #ddd;\n}\n.table > caption + thead > tr:first-child > th,\n.table > colgroup + thead > tr:first-child > th,\n.table > thead:first-child > tr:first-child > th,\n.table > caption + thead > tr:first-child > td,\n.table > colgroup + thead > tr:first-child > td,\n.table > thead:first-child > tr:first-child > td {\n border-top: 0;\n}\n.table > tbody + tbody {\n border-top: 2px solid #ddd;\n}\n.table .table {\n background-color: #fff;\n}\n.table-condensed > thead > tr > th,\n.table-condensed > tbody > tr > th,\n.table-condensed > tfoot > tr > th,\n.table-condensed > thead > tr > td,\n.table-condensed > tbody > tr > td,\n.table-condensed > tfoot > tr > td {\n padding: 5px;\n}\n.table-bordered {\n border: 1px solid #ddd;\n}\n.table-bordered > thead > tr > th,\n.table-bordered > tbody > tr > th,\n.table-bordered > tfoot > tr > th,\n.table-bordered > thead > tr > td,\n.table-bordered > tbody > tr > td,\n.table-bordered > tfoot > tr > td {\n border: 1px solid #ddd;\n}\n.table-bordered > thead > tr > th,\n.table-bordered > thead > tr > td {\n border-bottom-width: 2px;\n}\n.table-striped > tbody > tr:nth-of-type(odd) {\n background-color: #f9f9f9;\n}\n.table-hover > tbody > tr:hover {\n background-color: #f5f5f5;\n}\ntable 
col[class*=\"col-\"] {\n position: static;\n float: none;\n display: table-column;\n}\ntable td[class*=\"col-\"],\ntable th[class*=\"col-\"] {\n position: static;\n float: none;\n display: table-cell;\n}\n.table > thead > tr > td.active,\n.table > tbody > tr > td.active,\n.table > tfoot > tr > td.active,\n.table > thead > tr > th.active,\n.table > tbody > tr > th.active,\n.table > tfoot > tr > th.active,\n.table > thead > tr.active > td,\n.table > tbody > tr.active > td,\n.table > tfoot > tr.active > td,\n.table > thead > tr.active > th,\n.table > tbody > tr.active > th,\n.table > tfoot > tr.active > th {\n background-color: #f5f5f5;\n}\n.table-hover > tbody > tr > td.active:hover,\n.table-hover > tbody > tr > th.active:hover,\n.table-hover > tbody > tr.active:hover > td,\n.table-hover > tbody > tr:hover > .active,\n.table-hover > tbody > tr.active:hover > th {\n background-color: #e8e8e8;\n}\n.table > thead > tr > td.success,\n.table > tbody > tr > td.success,\n.table > tfoot > tr > td.success,\n.table > thead > tr > th.success,\n.table > tbody > tr > th.success,\n.table > tfoot > tr > th.success,\n.table > thead > tr.success > td,\n.table > tbody > tr.success > td,\n.table > tfoot > tr.success > td,\n.table > thead > tr.success > th,\n.table > tbody > tr.success > th,\n.table > tfoot > tr.success > th {\n background-color: #dff0d8;\n}\n.table-hover > tbody > tr > td.success:hover,\n.table-hover > tbody > tr > th.success:hover,\n.table-hover > tbody > tr.success:hover > td,\n.table-hover > tbody > tr:hover > .success,\n.table-hover > tbody > tr.success:hover > th {\n background-color: #d0e9c6;\n}\n.table > thead > tr > td.info,\n.table > tbody > tr > td.info,\n.table > tfoot > tr > td.info,\n.table > thead > tr > th.info,\n.table > tbody > tr > th.info,\n.table > tfoot > tr > th.info,\n.table > thead > tr.info > td,\n.table > tbody > tr.info > td,\n.table > tfoot > tr.info > td,\n.table > thead > tr.info > th,\n.table > tbody > tr.info > th,\n.table > tfoot > 
tr.info > th {\n background-color: #d9edf7;\n}\n.table-hover > tbody > tr > td.info:hover,\n.table-hover > tbody > tr > th.info:hover,\n.table-hover > tbody > tr.info:hover > td,\n.table-hover > tbody > tr:hover > .info,\n.table-hover > tbody > tr.info:hover > th {\n background-color: #c4e3f3;\n}\n.table > thead > tr > td.warning,\n.table > tbody > tr > td.warning,\n.table > tfoot > tr > td.warning,\n.table > thead > tr > th.warning,\n.table > tbody > tr > th.warning,\n.table > tfoot > tr > th.warning,\n.table > thead > tr.warning > td,\n.table > tbody > tr.warning > td,\n.table > tfoot > tr.warning > td,\n.table > thead > tr.warning > th,\n.table > tbody > tr.warning > th,\n.table > tfoot > tr.warning > th {\n background-color: #fcf8e3;\n}\n.table-hover > tbody > tr > td.warning:hover,\n.table-hover > tbody > tr > th.warning:hover,\n.table-hover > tbody > tr.warning:hover > td,\n.table-hover > tbody > tr:hover > .warning,\n.table-hover > tbody > tr.warning:hover > th {\n background-color: #faf2cc;\n}\n.table > thead > tr > td.danger,\n.table > tbody > tr > td.danger,\n.table > tfoot > tr > td.danger,\n.table > thead > tr > th.danger,\n.table > tbody > tr > th.danger,\n.table > tfoot > tr > th.danger,\n.table > thead > tr.danger > td,\n.table > tbody > tr.danger > td,\n.table > tfoot > tr.danger > td,\n.table > thead > tr.danger > th,\n.table > tbody > tr.danger > th,\n.table > tfoot > tr.danger > th {\n background-color: #f2dede;\n}\n.table-hover > tbody > tr > td.danger:hover,\n.table-hover > tbody > tr > th.danger:hover,\n.table-hover > tbody > tr.danger:hover > td,\n.table-hover > tbody > tr:hover > .danger,\n.table-hover > tbody > tr.danger:hover > th {\n background-color: #ebcccc;\n}\n.table-responsive {\n overflow-x: auto;\n min-height: 0.01%;\n}\n@media screen and (max-width: 767px) {\n .table-responsive {\n width: 100%;\n margin-bottom: 15px;\n overflow-y: hidden;\n -ms-overflow-style: -ms-autohiding-scrollbar;\n border: 1px solid #ddd;\n }\n 
.table-responsive > .table {\n margin-bottom: 0;\n }\n .table-responsive > .table > thead > tr > th,\n .table-responsive > .table > tbody > tr > th,\n .table-responsive > .table > tfoot > tr > th,\n .table-responsive > .table > thead > tr > td,\n .table-responsive > .table > tbody > tr > td,\n .table-responsive > .table > tfoot > tr > td {\n white-space: nowrap;\n }\n .table-responsive > .table-bordered {\n border: 0;\n }\n .table-responsive > .table-bordered > thead > tr > th:first-child,\n .table-responsive > .table-bordered > tbody > tr > th:first-child,\n .table-responsive > .table-bordered > tfoot > tr > th:first-child,\n .table-responsive > .table-bordered > thead > tr > td:first-child,\n .table-responsive > .table-bordered > tbody > tr > td:first-child,\n .table-responsive > .table-bordered > tfoot > tr > td:first-child {\n border-left: 0;\n }\n .table-responsive > .table-bordered > thead > tr > th:last-child,\n .table-responsive > .table-bordered > tbody > tr > th:last-child,\n .table-responsive > .table-bordered > tfoot > tr > th:last-child,\n .table-responsive > .table-bordered > thead > tr > td:last-child,\n .table-responsive > .table-bordered > tbody > tr > td:last-child,\n .table-responsive > .table-bordered > tfoot > tr > td:last-child {\n border-right: 0;\n }\n .table-responsive > .table-bordered > tbody > tr:last-child > th,\n .table-responsive > .table-bordered > tfoot > tr:last-child > th,\n .table-responsive > .table-bordered > tbody > tr:last-child > td,\n .table-responsive > .table-bordered > tfoot > tr:last-child > td {\n border-bottom: 0;\n }\n}\nfieldset {\n padding: 0;\n margin: 0;\n border: 0;\n min-width: 0;\n}\nlegend {\n display: block;\n width: 100%;\n padding: 0;\n margin-bottom: 20px;\n font-size: 21px;\n line-height: inherit;\n color: #333333;\n border: 0;\n border-bottom: 1px solid #e5e5e5;\n}\nlabel {\n display: inline-block;\n max-width: 100%;\n margin-bottom: 5px;\n font-weight: bold;\n}\ninput[type=\"search\"] {\n 
-webkit-box-sizing: border-box;\n -moz-box-sizing: border-box;\n box-sizing: border-box;\n}\ninput[type=\"radio\"],\ninput[type=\"checkbox\"] {\n margin: 4px 0 0;\n margin-top: 1px \\9;\n line-height: normal;\n}\ninput[type=\"file\"] {\n display: block;\n}\ninput[type=\"range\"] {\n display: block;\n width: 100%;\n}\nselect[multiple],\nselect[size] {\n height: auto;\n}\ninput[type=\"file\"]:focus,\ninput[type=\"radio\"]:focus,\ninput[type=\"checkbox\"]:focus {\n outline: 5px auto -webkit-focus-ring-color;\n outline-offset: -2px;\n}\noutput {\n display: block;\n padding-top: 7px;\n font-size: 14px;\n line-height: 1.42857143;\n color: #555555;\n}\n.form-control {\n display: block;\n width: 100%;\n height: 34px;\n padding: 6px 12px;\n font-size: 14px;\n line-height: 1.42857143;\n color: #555555;\n background-color: #fff;\n background-image: none;\n border: 1px solid #ccc;\n border-radius: 4px;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);\n -webkit-transition: border-color ease-in-out .15s, box-shadow ease-in-out .15s;\n -o-transition: border-color ease-in-out .15s, box-shadow ease-in-out .15s;\n transition: border-color ease-in-out .15s, box-shadow ease-in-out .15s;\n}\n.form-control:focus {\n border-color: #66afe9;\n outline: 0;\n -webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, 0.6);\n box-shadow: inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, 0.6);\n}\n.form-control::-moz-placeholder {\n color: #999;\n opacity: 1;\n}\n.form-control:-ms-input-placeholder {\n color: #999;\n}\n.form-control::-webkit-input-placeholder {\n color: #999;\n}\n.form-control::-ms-expand {\n border: 0;\n background-color: transparent;\n}\n.form-control[disabled],\n.form-control[readonly],\nfieldset[disabled] .form-control {\n background-color: #eeeeee;\n opacity: 1;\n}\n.form-control[disabled],\nfieldset[disabled] .form-control {\n cursor: not-allowed;\n}\ntextarea.form-control 
{\n height: auto;\n}\ninput[type=\"search\"] {\n -webkit-appearance: none;\n}\n@media screen and (-webkit-min-device-pixel-ratio: 0) {\n input[type=\"date\"].form-control,\n input[type=\"time\"].form-control,\n input[type=\"datetime-local\"].form-control,\n input[type=\"month\"].form-control {\n line-height: 34px;\n }\n input[type=\"date\"].input-sm,\n input[type=\"time\"].input-sm,\n input[type=\"datetime-local\"].input-sm,\n input[type=\"month\"].input-sm,\n .input-group-sm input[type=\"date\"],\n .input-group-sm input[type=\"time\"],\n .input-group-sm input[type=\"datetime-local\"],\n .input-group-sm input[type=\"month\"] {\n line-height: 30px;\n }\n input[type=\"date\"].input-lg,\n input[type=\"time\"].input-lg,\n input[type=\"datetime-local\"].input-lg,\n input[type=\"month\"].input-lg,\n .input-group-lg input[type=\"date\"],\n .input-group-lg input[type=\"time\"],\n .input-group-lg input[type=\"datetime-local\"],\n .input-group-lg input[type=\"month\"] {\n line-height: 46px;\n }\n}\n.form-group {\n margin-bottom: 15px;\n}\n.radio,\n.checkbox {\n position: relative;\n display: block;\n margin-top: 10px;\n margin-bottom: 10px;\n}\n.radio label,\n.checkbox label {\n min-height: 20px;\n padding-left: 20px;\n margin-bottom: 0;\n font-weight: normal;\n cursor: pointer;\n}\n.radio input[type=\"radio\"],\n.radio-inline input[type=\"radio\"],\n.checkbox input[type=\"checkbox\"],\n.checkbox-inline input[type=\"checkbox\"] {\n position: absolute;\n margin-left: -20px;\n margin-top: 4px \\9;\n}\n.radio + .radio,\n.checkbox + .checkbox {\n margin-top: -5px;\n}\n.radio-inline,\n.checkbox-inline {\n position: relative;\n display: inline-block;\n padding-left: 20px;\n margin-bottom: 0;\n vertical-align: middle;\n font-weight: normal;\n cursor: pointer;\n}\n.radio-inline + .radio-inline,\n.checkbox-inline + .checkbox-inline {\n margin-top: 0;\n margin-left: 
10px;\n}\ninput[type=\"radio\"][disabled],\ninput[type=\"checkbox\"][disabled],\ninput[type=\"radio\"].disabled,\ninput[type=\"checkbox\"].disabled,\nfieldset[disabled] input[type=\"radio\"],\nfieldset[disabled] input[type=\"checkbox\"] {\n cursor: not-allowed;\n}\n.radio-inline.disabled,\n.checkbox-inline.disabled,\nfieldset[disabled] .radio-inline,\nfieldset[disabled] .checkbox-inline {\n cursor: not-allowed;\n}\n.radio.disabled label,\n.checkbox.disabled label,\nfieldset[disabled] .radio label,\nfieldset[disabled] .checkbox label {\n cursor: not-allowed;\n}\n.form-control-static {\n padding-top: 7px;\n padding-bottom: 7px;\n margin-bottom: 0;\n min-height: 34px;\n}\n.form-control-static.input-lg,\n.form-control-static.input-sm {\n padding-left: 0;\n padding-right: 0;\n}\n.input-sm {\n height: 30px;\n padding: 5px 10px;\n font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\nselect.input-sm {\n height: 30px;\n line-height: 30px;\n}\ntextarea.input-sm,\nselect[multiple].input-sm {\n height: auto;\n}\n.form-group-sm .form-control {\n height: 30px;\n padding: 5px 10px;\n font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\n.form-group-sm select.form-control {\n height: 30px;\n line-height: 30px;\n}\n.form-group-sm textarea.form-control,\n.form-group-sm select[multiple].form-control {\n height: auto;\n}\n.form-group-sm .form-control-static {\n height: 30px;\n min-height: 32px;\n padding: 6px 10px;\n font-size: 12px;\n line-height: 1.5;\n}\n.input-lg {\n height: 46px;\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n border-radius: 6px;\n}\nselect.input-lg {\n height: 46px;\n line-height: 46px;\n}\ntextarea.input-lg,\nselect[multiple].input-lg {\n height: auto;\n}\n.form-group-lg .form-control {\n height: 46px;\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n border-radius: 6px;\n}\n.form-group-lg select.form-control {\n height: 46px;\n line-height: 46px;\n}\n.form-group-lg 
textarea.form-control,\n.form-group-lg select[multiple].form-control {\n height: auto;\n}\n.form-group-lg .form-control-static {\n height: 46px;\n min-height: 38px;\n padding: 11px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n}\n.has-feedback {\n position: relative;\n}\n.has-feedback .form-control {\n padding-right: 42.5px;\n}\n.form-control-feedback {\n position: absolute;\n top: 0;\n right: 0;\n z-index: 2;\n display: block;\n width: 34px;\n height: 34px;\n line-height: 34px;\n text-align: center;\n pointer-events: none;\n}\n.input-lg + .form-control-feedback,\n.input-group-lg + .form-control-feedback,\n.form-group-lg .form-control + .form-control-feedback {\n width: 46px;\n height: 46px;\n line-height: 46px;\n}\n.input-sm + .form-control-feedback,\n.input-group-sm + .form-control-feedback,\n.form-group-sm .form-control + .form-control-feedback {\n width: 30px;\n height: 30px;\n line-height: 30px;\n}\n.has-success .help-block,\n.has-success .control-label,\n.has-success .radio,\n.has-success .checkbox,\n.has-success .radio-inline,\n.has-success .checkbox-inline,\n.has-success.radio label,\n.has-success.checkbox label,\n.has-success.radio-inline label,\n.has-success.checkbox-inline label {\n color: #3c763d;\n}\n.has-success .form-control {\n border-color: #3c763d;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);\n}\n.has-success .form-control:focus {\n border-color: #2b542c;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #67b168;\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #67b168;\n}\n.has-success .input-group-addon {\n color: #3c763d;\n border-color: #3c763d;\n background-color: #dff0d8;\n}\n.has-success .form-control-feedback {\n color: #3c763d;\n}\n.has-warning .help-block,\n.has-warning .control-label,\n.has-warning .radio,\n.has-warning .checkbox,\n.has-warning .radio-inline,\n.has-warning .checkbox-inline,\n.has-warning.radio 
label,\n.has-warning.checkbox label,\n.has-warning.radio-inline label,\n.has-warning.checkbox-inline label {\n color: #8a6d3b;\n}\n.has-warning .form-control {\n border-color: #8a6d3b;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);\n}\n.has-warning .form-control:focus {\n border-color: #66512c;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #c0a16b;\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #c0a16b;\n}\n.has-warning .input-group-addon {\n color: #8a6d3b;\n border-color: #8a6d3b;\n background-color: #fcf8e3;\n}\n.has-warning .form-control-feedback {\n color: #8a6d3b;\n}\n.has-error .help-block,\n.has-error .control-label,\n.has-error .radio,\n.has-error .checkbox,\n.has-error .radio-inline,\n.has-error .checkbox-inline,\n.has-error.radio label,\n.has-error.checkbox label,\n.has-error.radio-inline label,\n.has-error.checkbox-inline label {\n color: #a94442;\n}\n.has-error .form-control {\n border-color: #a94442;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);\n}\n.has-error .form-control:focus {\n border-color: #843534;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #ce8483;\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #ce8483;\n}\n.has-error .input-group-addon {\n color: #a94442;\n border-color: #a94442;\n background-color: #f2dede;\n}\n.has-error .form-control-feedback {\n color: #a94442;\n}\n.has-feedback label ~ .form-control-feedback {\n top: 25px;\n}\n.has-feedback label.sr-only ~ .form-control-feedback {\n top: 0;\n}\n.help-block {\n display: block;\n margin-top: 5px;\n margin-bottom: 10px;\n color: #737373;\n}\n@media (min-width: 768px) {\n .form-inline .form-group {\n display: inline-block;\n margin-bottom: 0;\n vertical-align: middle;\n }\n .form-inline .form-control {\n display: inline-block;\n width: auto;\n vertical-align: middle;\n }\n .form-inline 
.form-control-static {\n display: inline-block;\n }\n .form-inline .input-group {\n display: inline-table;\n vertical-align: middle;\n }\n .form-inline .input-group .input-group-addon,\n .form-inline .input-group .input-group-btn,\n .form-inline .input-group .form-control {\n width: auto;\n }\n .form-inline .input-group > .form-control {\n width: 100%;\n }\n .form-inline .control-label {\n margin-bottom: 0;\n vertical-align: middle;\n }\n .form-inline .radio,\n .form-inline .checkbox {\n display: inline-block;\n margin-top: 0;\n margin-bottom: 0;\n vertical-align: middle;\n }\n .form-inline .radio label,\n .form-inline .checkbox label {\n padding-left: 0;\n }\n .form-inline .radio input[type=\"radio\"],\n .form-inline .checkbox input[type=\"checkbox\"] {\n position: relative;\n margin-left: 0;\n }\n .form-inline .has-feedback .form-control-feedback {\n top: 0;\n }\n}\n.form-horizontal .radio,\n.form-horizontal .checkbox,\n.form-horizontal .radio-inline,\n.form-horizontal .checkbox-inline {\n margin-top: 0;\n margin-bottom: 0;\n padding-top: 7px;\n}\n.form-horizontal .radio,\n.form-horizontal .checkbox {\n min-height: 27px;\n}\n.form-horizontal .form-group {\n margin-left: -15px;\n margin-right: -15px;\n}\n@media (min-width: 768px) {\n .form-horizontal .control-label {\n text-align: right;\n margin-bottom: 0;\n padding-top: 7px;\n }\n}\n.form-horizontal .has-feedback .form-control-feedback {\n right: 15px;\n}\n@media (min-width: 768px) {\n .form-horizontal .form-group-lg .control-label {\n padding-top: 11px;\n font-size: 18px;\n }\n}\n@media (min-width: 768px) {\n .form-horizontal .form-group-sm .control-label {\n padding-top: 6px;\n font-size: 12px;\n }\n}\n.btn {\n display: inline-block;\n margin-bottom: 0;\n font-weight: normal;\n text-align: center;\n vertical-align: middle;\n touch-action: manipulation;\n cursor: pointer;\n background-image: none;\n border: 1px solid transparent;\n white-space: nowrap;\n padding: 6px 12px;\n font-size: 14px;\n line-height: 
1.42857143;\n border-radius: 4px;\n -webkit-user-select: none;\n -moz-user-select: none;\n -ms-user-select: none;\n user-select: none;\n}\n.btn:focus,\n.btn:active:focus,\n.btn.active:focus,\n.btn.focus,\n.btn:active.focus,\n.btn.active.focus {\n outline: 5px auto -webkit-focus-ring-color;\n outline-offset: -2px;\n}\n.btn:hover,\n.btn:focus,\n.btn.focus {\n color: #333;\n text-decoration: none;\n}\n.btn:active,\n.btn.active {\n outline: 0;\n background-image: none;\n -webkit-box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);\n box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);\n}\n.btn.disabled,\n.btn[disabled],\nfieldset[disabled] .btn {\n cursor: not-allowed;\n opacity: 0.65;\n filter: alpha(opacity=65);\n -webkit-box-shadow: none;\n box-shadow: none;\n}\na.btn.disabled,\nfieldset[disabled] a.btn {\n pointer-events: none;\n}\n.btn-default {\n color: #333;\n background-color: #fff;\n border-color: #ccc;\n}\n.btn-default:focus,\n.btn-default.focus {\n color: #333;\n background-color: #e6e6e6;\n border-color: #8c8c8c;\n}\n.btn-default:hover {\n color: #333;\n background-color: #e6e6e6;\n border-color: #adadad;\n}\n.btn-default:active,\n.btn-default.active,\n.open > .dropdown-toggle.btn-default {\n color: #333;\n background-color: #e6e6e6;\n border-color: #adadad;\n}\n.btn-default:active:hover,\n.btn-default.active:hover,\n.open > .dropdown-toggle.btn-default:hover,\n.btn-default:active:focus,\n.btn-default.active:focus,\n.open > .dropdown-toggle.btn-default:focus,\n.btn-default:active.focus,\n.btn-default.active.focus,\n.open > .dropdown-toggle.btn-default.focus {\n color: #333;\n background-color: #d4d4d4;\n border-color: #8c8c8c;\n}\n.btn-default:active,\n.btn-default.active,\n.open > .dropdown-toggle.btn-default {\n background-image: none;\n}\n.btn-default.disabled:hover,\n.btn-default[disabled]:hover,\nfieldset[disabled] .btn-default:hover,\n.btn-default.disabled:focus,\n.btn-default[disabled]:focus,\nfieldset[disabled] 
.btn-default:focus,\n.btn-default.disabled.focus,\n.btn-default[disabled].focus,\nfieldset[disabled] .btn-default.focus {\n background-color: #fff;\n border-color: #ccc;\n}\n.btn-default .badge {\n color: #fff;\n background-color: #333;\n}\n.btn-primary {\n color: #fff;\n background-color: #337ab7;\n border-color: #2e6da4;\n}\n.btn-primary:focus,\n.btn-primary.focus {\n color: #fff;\n background-color: #286090;\n border-color: #122b40;\n}\n.btn-primary:hover {\n color: #fff;\n background-color: #286090;\n border-color: #204d74;\n}\n.btn-primary:active,\n.btn-primary.active,\n.open > .dropdown-toggle.btn-primary {\n color: #fff;\n background-color: #286090;\n border-color: #204d74;\n}\n.btn-primary:active:hover,\n.btn-primary.active:hover,\n.open > .dropdown-toggle.btn-primary:hover,\n.btn-primary:active:focus,\n.btn-primary.active:focus,\n.open > .dropdown-toggle.btn-primary:focus,\n.btn-primary:active.focus,\n.btn-primary.active.focus,\n.open > .dropdown-toggle.btn-primary.focus {\n color: #fff;\n background-color: #204d74;\n border-color: #122b40;\n}\n.btn-primary:active,\n.btn-primary.active,\n.open > .dropdown-toggle.btn-primary {\n background-image: none;\n}\n.btn-primary.disabled:hover,\n.btn-primary[disabled]:hover,\nfieldset[disabled] .btn-primary:hover,\n.btn-primary.disabled:focus,\n.btn-primary[disabled]:focus,\nfieldset[disabled] .btn-primary:focus,\n.btn-primary.disabled.focus,\n.btn-primary[disabled].focus,\nfieldset[disabled] .btn-primary.focus {\n background-color: #337ab7;\n border-color: #2e6da4;\n}\n.btn-primary .badge {\n color: #337ab7;\n background-color: #fff;\n}\n.btn-success {\n color: #fff;\n background-color: #5cb85c;\n border-color: #4cae4c;\n}\n.btn-success:focus,\n.btn-success.focus {\n color: #fff;\n background-color: #449d44;\n border-color: #255625;\n}\n.btn-success:hover {\n color: #fff;\n background-color: #449d44;\n border-color: #398439;\n}\n.btn-success:active,\n.btn-success.active,\n.open > .dropdown-toggle.btn-success {\n 
color: #fff;\n background-color: #449d44;\n border-color: #398439;\n}\n.btn-success:active:hover,\n.btn-success.active:hover,\n.open > .dropdown-toggle.btn-success:hover,\n.btn-success:active:focus,\n.btn-success.active:focus,\n.open > .dropdown-toggle.btn-success:focus,\n.btn-success:active.focus,\n.btn-success.active.focus,\n.open > .dropdown-toggle.btn-success.focus {\n color: #fff;\n background-color: #398439;\n border-color: #255625;\n}\n.btn-success:active,\n.btn-success.active,\n.open > .dropdown-toggle.btn-success {\n background-image: none;\n}\n.btn-success.disabled:hover,\n.btn-success[disabled]:hover,\nfieldset[disabled] .btn-success:hover,\n.btn-success.disabled:focus,\n.btn-success[disabled]:focus,\nfieldset[disabled] .btn-success:focus,\n.btn-success.disabled.focus,\n.btn-success[disabled].focus,\nfieldset[disabled] .btn-success.focus {\n background-color: #5cb85c;\n border-color: #4cae4c;\n}\n.btn-success .badge {\n color: #5cb85c;\n background-color: #fff;\n}\n.btn-info {\n color: #fff;\n background-color: #5bc0de;\n border-color: #46b8da;\n}\n.btn-info:focus,\n.btn-info.focus {\n color: #fff;\n background-color: #31b0d5;\n border-color: #1b6d85;\n}\n.btn-info:hover {\n color: #fff;\n background-color: #31b0d5;\n border-color: #269abc;\n}\n.btn-info:active,\n.btn-info.active,\n.open > .dropdown-toggle.btn-info {\n color: #fff;\n background-color: #31b0d5;\n border-color: #269abc;\n}\n.btn-info:active:hover,\n.btn-info.active:hover,\n.open > .dropdown-toggle.btn-info:hover,\n.btn-info:active:focus,\n.btn-info.active:focus,\n.open > .dropdown-toggle.btn-info:focus,\n.btn-info:active.focus,\n.btn-info.active.focus,\n.open > .dropdown-toggle.btn-info.focus {\n color: #fff;\n background-color: #269abc;\n border-color: #1b6d85;\n}\n.btn-info:active,\n.btn-info.active,\n.open > .dropdown-toggle.btn-info {\n background-image: none;\n}\n.btn-info.disabled:hover,\n.btn-info[disabled]:hover,\nfieldset[disabled] 
.btn-info:hover,\n.btn-info.disabled:focus,\n.btn-info[disabled]:focus,\nfieldset[disabled] .btn-info:focus,\n.btn-info.disabled.focus,\n.btn-info[disabled].focus,\nfieldset[disabled] .btn-info.focus {\n background-color: #5bc0de;\n border-color: #46b8da;\n}\n.btn-info .badge {\n color: #5bc0de;\n background-color: #fff;\n}\n.btn-warning {\n color: #fff;\n background-color: #f0ad4e;\n border-color: #eea236;\n}\n.btn-warning:focus,\n.btn-warning.focus {\n color: #fff;\n background-color: #ec971f;\n border-color: #985f0d;\n}\n.btn-warning:hover {\n color: #fff;\n background-color: #ec971f;\n border-color: #d58512;\n}\n.btn-warning:active,\n.btn-warning.active,\n.open > .dropdown-toggle.btn-warning {\n color: #fff;\n background-color: #ec971f;\n border-color: #d58512;\n}\n.btn-warning:active:hover,\n.btn-warning.active:hover,\n.open > .dropdown-toggle.btn-warning:hover,\n.btn-warning:active:focus,\n.btn-warning.active:focus,\n.open > .dropdown-toggle.btn-warning:focus,\n.btn-warning:active.focus,\n.btn-warning.active.focus,\n.open > .dropdown-toggle.btn-warning.focus {\n color: #fff;\n background-color: #d58512;\n border-color: #985f0d;\n}\n.btn-warning:active,\n.btn-warning.active,\n.open > .dropdown-toggle.btn-warning {\n background-image: none;\n}\n.btn-warning.disabled:hover,\n.btn-warning[disabled]:hover,\nfieldset[disabled] .btn-warning:hover,\n.btn-warning.disabled:focus,\n.btn-warning[disabled]:focus,\nfieldset[disabled] .btn-warning:focus,\n.btn-warning.disabled.focus,\n.btn-warning[disabled].focus,\nfieldset[disabled] .btn-warning.focus {\n background-color: #f0ad4e;\n border-color: #eea236;\n}\n.btn-warning .badge {\n color: #f0ad4e;\n background-color: #fff;\n}\n.btn-danger {\n color: #fff;\n background-color: #d9534f;\n border-color: #d43f3a;\n}\n.btn-danger:focus,\n.btn-danger.focus {\n color: #fff;\n background-color: #c9302c;\n border-color: #761c19;\n}\n.btn-danger:hover {\n color: #fff;\n background-color: #c9302c;\n border-color: 
#ac2925;\n}\n.btn-danger:active,\n.btn-danger.active,\n.open > .dropdown-toggle.btn-danger {\n color: #fff;\n background-color: #c9302c;\n border-color: #ac2925;\n}\n.btn-danger:active:hover,\n.btn-danger.active:hover,\n.open > .dropdown-toggle.btn-danger:hover,\n.btn-danger:active:focus,\n.btn-danger.active:focus,\n.open > .dropdown-toggle.btn-danger:focus,\n.btn-danger:active.focus,\n.btn-danger.active.focus,\n.open > .dropdown-toggle.btn-danger.focus {\n color: #fff;\n background-color: #ac2925;\n border-color: #761c19;\n}\n.btn-danger:active,\n.btn-danger.active,\n.open > .dropdown-toggle.btn-danger {\n background-image: none;\n}\n.btn-danger.disabled:hover,\n.btn-danger[disabled]:hover,\nfieldset[disabled] .btn-danger:hover,\n.btn-danger.disabled:focus,\n.btn-danger[disabled]:focus,\nfieldset[disabled] .btn-danger:focus,\n.btn-danger.disabled.focus,\n.btn-danger[disabled].focus,\nfieldset[disabled] .btn-danger.focus {\n background-color: #d9534f;\n border-color: #d43f3a;\n}\n.btn-danger .badge {\n color: #d9534f;\n background-color: #fff;\n}\n.btn-link {\n color: #337ab7;\n font-weight: normal;\n border-radius: 0;\n}\n.btn-link,\n.btn-link:active,\n.btn-link.active,\n.btn-link[disabled],\nfieldset[disabled] .btn-link {\n background-color: transparent;\n -webkit-box-shadow: none;\n box-shadow: none;\n}\n.btn-link,\n.btn-link:hover,\n.btn-link:focus,\n.btn-link:active {\n border-color: transparent;\n}\n.btn-link:hover,\n.btn-link:focus {\n color: #23527c;\n text-decoration: underline;\n background-color: transparent;\n}\n.btn-link[disabled]:hover,\nfieldset[disabled] .btn-link:hover,\n.btn-link[disabled]:focus,\nfieldset[disabled] .btn-link:focus {\n color: #777777;\n text-decoration: none;\n}\n.btn-lg,\n.btn-group-lg > .btn {\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n border-radius: 6px;\n}\n.btn-sm,\n.btn-group-sm > .btn {\n padding: 5px 10px;\n font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\n.btn-xs,\n.btn-group-xs > 
.btn {\n padding: 1px 5px;\n font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\n.btn-block {\n display: block;\n width: 100%;\n}\n.btn-block + .btn-block {\n margin-top: 5px;\n}\ninput[type=\"submit\"].btn-block,\ninput[type=\"reset\"].btn-block,\ninput[type=\"button\"].btn-block {\n width: 100%;\n}\n.fade {\n opacity: 0;\n -webkit-transition: opacity 0.15s linear;\n -o-transition: opacity 0.15s linear;\n transition: opacity 0.15s linear;\n}\n.fade.in {\n opacity: 1;\n}\n.collapse {\n display: none;\n}\n.collapse.in {\n display: block;\n}\ntr.collapse.in {\n display: table-row;\n}\ntbody.collapse.in {\n display: table-row-group;\n}\n.collapsing {\n position: relative;\n height: 0;\n overflow: hidden;\n -webkit-transition-property: height, visibility;\n transition-property: height, visibility;\n -webkit-transition-duration: 0.35s;\n transition-duration: 0.35s;\n -webkit-transition-timing-function: ease;\n transition-timing-function: ease;\n}\n.caret {\n display: inline-block;\n width: 0;\n height: 0;\n margin-left: 2px;\n vertical-align: middle;\n border-top: 4px dashed;\n border-top: 4px solid \\9;\n border-right: 4px solid transparent;\n border-left: 4px solid transparent;\n}\n.dropup,\n.dropdown {\n position: relative;\n}\n.dropdown-toggle:focus {\n outline: 0;\n}\n.dropdown-menu {\n position: absolute;\n top: 100%;\n left: 0;\n z-index: 1000;\n display: none;\n float: left;\n min-width: 160px;\n padding: 5px 0;\n margin: 2px 0 0;\n list-style: none;\n font-size: 14px;\n text-align: left;\n background-color: #fff;\n border: 1px solid #ccc;\n border: 1px solid rgba(0, 0, 0, 0.15);\n border-radius: 4px;\n -webkit-box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);\n box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);\n background-clip: padding-box;\n}\n.dropdown-menu.pull-right {\n right: 0;\n left: auto;\n}\n.dropdown-menu .divider {\n height: 1px;\n margin: 9px 0;\n overflow: hidden;\n background-color: #e5e5e5;\n}\n.dropdown-menu > li > a {\n display: block;\n 
padding: 3px 20px;\n clear: both;\n font-weight: normal;\n line-height: 1.42857143;\n color: #333333;\n white-space: nowrap;\n}\n.dropdown-menu > li > a:hover,\n.dropdown-menu > li > a:focus {\n text-decoration: none;\n color: #262626;\n background-color: #f5f5f5;\n}\n.dropdown-menu > .active > a,\n.dropdown-menu > .active > a:hover,\n.dropdown-menu > .active > a:focus {\n color: #fff;\n text-decoration: none;\n outline: 0;\n background-color: #337ab7;\n}\n.dropdown-menu > .disabled > a,\n.dropdown-menu > .disabled > a:hover,\n.dropdown-menu > .disabled > a:focus {\n color: #777777;\n}\n.dropdown-menu > .disabled > a:hover,\n.dropdown-menu > .disabled > a:focus {\n text-decoration: none;\n background-color: transparent;\n background-image: none;\n filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);\n cursor: not-allowed;\n}\n.open > .dropdown-menu {\n display: block;\n}\n.open > a {\n outline: 0;\n}\n.dropdown-menu-right {\n left: auto;\n right: 0;\n}\n.dropdown-menu-left {\n left: 0;\n right: auto;\n}\n.dropdown-header {\n display: block;\n padding: 3px 20px;\n font-size: 12px;\n line-height: 1.42857143;\n color: #777777;\n white-space: nowrap;\n}\n.dropdown-backdrop {\n position: fixed;\n left: 0;\n right: 0;\n bottom: 0;\n top: 0;\n z-index: 990;\n}\n.pull-right > .dropdown-menu {\n right: 0;\n left: auto;\n}\n.dropup .caret,\n.navbar-fixed-bottom .dropdown .caret {\n border-top: 0;\n border-bottom: 4px dashed;\n border-bottom: 4px solid \\9;\n content: \"\";\n}\n.dropup .dropdown-menu,\n.navbar-fixed-bottom .dropdown .dropdown-menu {\n top: auto;\n bottom: 100%;\n margin-bottom: 2px;\n}\n@media (min-width: 768px) {\n .navbar-right .dropdown-menu {\n left: auto;\n right: 0;\n }\n .navbar-right .dropdown-menu-left {\n left: 0;\n right: auto;\n }\n}\n.btn-group,\n.btn-group-vertical {\n position: relative;\n display: inline-block;\n vertical-align: middle;\n}\n.btn-group > .btn,\n.btn-group-vertical > .btn {\n position: relative;\n float: 
left;\n}\n.btn-group > .btn:hover,\n.btn-group-vertical > .btn:hover,\n.btn-group > .btn:focus,\n.btn-group-vertical > .btn:focus,\n.btn-group > .btn:active,\n.btn-group-vertical > .btn:active,\n.btn-group > .btn.active,\n.btn-group-vertical > .btn.active {\n z-index: 2;\n}\n.btn-group .btn + .btn,\n.btn-group .btn + .btn-group,\n.btn-group .btn-group + .btn,\n.btn-group .btn-group + .btn-group {\n margin-left: -1px;\n}\n.btn-toolbar {\n margin-left: -5px;\n}\n.btn-toolbar .btn,\n.btn-toolbar .btn-group,\n.btn-toolbar .input-group {\n float: left;\n}\n.btn-toolbar > .btn,\n.btn-toolbar > .btn-group,\n.btn-toolbar > .input-group {\n margin-left: 5px;\n}\n.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {\n border-radius: 0;\n}\n.btn-group > .btn:first-child {\n margin-left: 0;\n}\n.btn-group > .btn:first-child:not(:last-child):not(.dropdown-toggle) {\n border-bottom-right-radius: 0;\n border-top-right-radius: 0;\n}\n.btn-group > .btn:last-child:not(:first-child),\n.btn-group > .dropdown-toggle:not(:first-child) {\n border-bottom-left-radius: 0;\n border-top-left-radius: 0;\n}\n.btn-group > .btn-group {\n float: left;\n}\n.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {\n border-radius: 0;\n}\n.btn-group > .btn-group:first-child:not(:last-child) > .btn:last-child,\n.btn-group > .btn-group:first-child:not(:last-child) > .dropdown-toggle {\n border-bottom-right-radius: 0;\n border-top-right-radius: 0;\n}\n.btn-group > .btn-group:last-child:not(:first-child) > .btn:first-child {\n border-bottom-left-radius: 0;\n border-top-left-radius: 0;\n}\n.btn-group .dropdown-toggle:active,\n.btn-group.open .dropdown-toggle {\n outline: 0;\n}\n.btn-group > .btn + .dropdown-toggle {\n padding-left: 8px;\n padding-right: 8px;\n}\n.btn-group > .btn-lg + .dropdown-toggle {\n padding-left: 12px;\n padding-right: 12px;\n}\n.btn-group.open .dropdown-toggle {\n -webkit-box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);\n box-shadow: inset 0 3px 
5px rgba(0, 0, 0, 0.125);\n}\n.btn-group.open .dropdown-toggle.btn-link {\n -webkit-box-shadow: none;\n box-shadow: none;\n}\n.btn .caret {\n margin-left: 0;\n}\n.btn-lg .caret {\n border-width: 5px 5px 0;\n border-bottom-width: 0;\n}\n.dropup .btn-lg .caret {\n border-width: 0 5px 5px;\n}\n.btn-group-vertical > .btn,\n.btn-group-vertical > .btn-group,\n.btn-group-vertical > .btn-group > .btn {\n display: block;\n float: none;\n width: 100%;\n max-width: 100%;\n}\n.btn-group-vertical > .btn-group > .btn {\n float: none;\n}\n.btn-group-vertical > .btn + .btn,\n.btn-group-vertical > .btn + .btn-group,\n.btn-group-vertical > .btn-group + .btn,\n.btn-group-vertical > .btn-group + .btn-group {\n margin-top: -1px;\n margin-left: 0;\n}\n.btn-group-vertical > .btn:not(:first-child):not(:last-child) {\n border-radius: 0;\n}\n.btn-group-vertical > .btn:first-child:not(:last-child) {\n border-top-right-radius: 4px;\n border-top-left-radius: 4px;\n border-bottom-right-radius: 0;\n border-bottom-left-radius: 0;\n}\n.btn-group-vertical > .btn:last-child:not(:first-child) {\n border-top-right-radius: 0;\n border-top-left-radius: 0;\n border-bottom-right-radius: 4px;\n border-bottom-left-radius: 4px;\n}\n.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {\n border-radius: 0;\n}\n.btn-group-vertical > .btn-group:first-child:not(:last-child) > .btn:last-child,\n.btn-group-vertical > .btn-group:first-child:not(:last-child) > .dropdown-toggle {\n border-bottom-right-radius: 0;\n border-bottom-left-radius: 0;\n}\n.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {\n border-top-right-radius: 0;\n border-top-left-radius: 0;\n}\n.btn-group-justified {\n display: table;\n width: 100%;\n table-layout: fixed;\n border-collapse: separate;\n}\n.btn-group-justified > .btn,\n.btn-group-justified > .btn-group {\n float: none;\n display: table-cell;\n width: 1%;\n}\n.btn-group-justified > .btn-group .btn {\n width: 
100%;\n}\n.btn-group-justified > .btn-group .dropdown-menu {\n left: auto;\n}\n[data-toggle=\"buttons\"] > .btn input[type=\"radio\"],\n[data-toggle=\"buttons\"] > .btn-group > .btn input[type=\"radio\"],\n[data-toggle=\"buttons\"] > .btn input[type=\"checkbox\"],\n[data-toggle=\"buttons\"] > .btn-group > .btn input[type=\"checkbox\"] {\n position: absolute;\n clip: rect(0, 0, 0, 0);\n pointer-events: none;\n}\n.input-group {\n position: relative;\n display: table;\n border-collapse: separate;\n}\n.input-group[class*=\"col-\"] {\n float: none;\n padding-left: 0;\n padding-right: 0;\n}\n.input-group .form-control {\n position: relative;\n z-index: 2;\n float: left;\n width: 100%;\n margin-bottom: 0;\n}\n.input-group .form-control:focus {\n z-index: 3;\n}\n.input-group-lg > .form-control,\n.input-group-lg > .input-group-addon,\n.input-group-lg > .input-group-btn > .btn {\n height: 46px;\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n border-radius: 6px;\n}\nselect.input-group-lg > .form-control,\nselect.input-group-lg > .input-group-addon,\nselect.input-group-lg > .input-group-btn > .btn {\n height: 46px;\n line-height: 46px;\n}\ntextarea.input-group-lg > .form-control,\ntextarea.input-group-lg > .input-group-addon,\ntextarea.input-group-lg > .input-group-btn > .btn,\nselect[multiple].input-group-lg > .form-control,\nselect[multiple].input-group-lg > .input-group-addon,\nselect[multiple].input-group-lg > .input-group-btn > .btn {\n height: auto;\n}\n.input-group-sm > .form-control,\n.input-group-sm > .input-group-addon,\n.input-group-sm > .input-group-btn > .btn {\n height: 30px;\n padding: 5px 10px;\n font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\nselect.input-group-sm > .form-control,\nselect.input-group-sm > .input-group-addon,\nselect.input-group-sm > .input-group-btn > .btn {\n height: 30px;\n line-height: 30px;\n}\ntextarea.input-group-sm > .form-control,\ntextarea.input-group-sm > 
.input-group-addon,\ntextarea.input-group-sm > .input-group-btn > .btn,\nselect[multiple].input-group-sm > .form-control,\nselect[multiple].input-group-sm > .input-group-addon,\nselect[multiple].input-group-sm > .input-group-btn > .btn {\n height: auto;\n}\n.input-group-addon,\n.input-group-btn,\n.input-group .form-control {\n display: table-cell;\n}\n.input-group-addon:not(:first-child):not(:last-child),\n.input-group-btn:not(:first-child):not(:last-child),\n.input-group .form-control:not(:first-child):not(:last-child) {\n border-radius: 0;\n}\n.input-group-addon,\n.input-group-btn {\n width: 1%;\n white-space: nowrap;\n vertical-align: middle;\n}\n.input-group-addon {\n padding: 6px 12px;\n font-size: 14px;\n font-weight: normal;\n line-height: 1;\n color: #555555;\n text-align: center;\n background-color: #eeeeee;\n border: 1px solid #ccc;\n border-radius: 4px;\n}\n.input-group-addon.input-sm {\n padding: 5px 10px;\n font-size: 12px;\n border-radius: 3px;\n}\n.input-group-addon.input-lg {\n padding: 10px 16px;\n font-size: 18px;\n border-radius: 6px;\n}\n.input-group-addon input[type=\"radio\"],\n.input-group-addon input[type=\"checkbox\"] {\n margin-top: 0;\n}\n.input-group .form-control:first-child,\n.input-group-addon:first-child,\n.input-group-btn:first-child > .btn,\n.input-group-btn:first-child > .btn-group > .btn,\n.input-group-btn:first-child > .dropdown-toggle,\n.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),\n.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {\n border-bottom-right-radius: 0;\n border-top-right-radius: 0;\n}\n.input-group-addon:first-child {\n border-right: 0;\n}\n.input-group .form-control:last-child,\n.input-group-addon:last-child,\n.input-group-btn:last-child > .btn,\n.input-group-btn:last-child > .btn-group > .btn,\n.input-group-btn:last-child > .dropdown-toggle,\n.input-group-btn:first-child > .btn:not(:first-child),\n.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {\n 
border-bottom-left-radius: 0;\n border-top-left-radius: 0;\n}\n.input-group-addon:last-child {\n border-left: 0;\n}\n.input-group-btn {\n position: relative;\n font-size: 0;\n white-space: nowrap;\n}\n.input-group-btn > .btn {\n position: relative;\n}\n.input-group-btn > .btn + .btn {\n margin-left: -1px;\n}\n.input-group-btn > .btn:hover,\n.input-group-btn > .btn:focus,\n.input-group-btn > .btn:active {\n z-index: 2;\n}\n.input-group-btn:first-child > .btn,\n.input-group-btn:first-child > .btn-group {\n margin-right: -1px;\n}\n.input-group-btn:last-child > .btn,\n.input-group-btn:last-child > .btn-group {\n z-index: 2;\n margin-left: -1px;\n}\n.nav {\n margin-bottom: 0;\n padding-left: 0;\n list-style: none;\n}\n.nav > li {\n position: relative;\n display: block;\n}\n.nav > li > a {\n position: relative;\n display: block;\n padding: 10px 15px;\n}\n.nav > li > a:hover,\n.nav > li > a:focus {\n text-decoration: none;\n background-color: #eeeeee;\n}\n.nav > li.disabled > a {\n color: #777777;\n}\n.nav > li.disabled > a:hover,\n.nav > li.disabled > a:focus {\n color: #777777;\n text-decoration: none;\n background-color: transparent;\n cursor: not-allowed;\n}\n.nav .open > a,\n.nav .open > a:hover,\n.nav .open > a:focus {\n background-color: #eeeeee;\n border-color: #337ab7;\n}\n.nav .nav-divider {\n height: 1px;\n margin: 9px 0;\n overflow: hidden;\n background-color: #e5e5e5;\n}\n.nav > li > a > img {\n max-width: none;\n}\n.nav-tabs {\n border-bottom: 1px solid #ddd;\n}\n.nav-tabs > li {\n float: left;\n margin-bottom: -1px;\n}\n.nav-tabs > li > a {\n margin-right: 2px;\n line-height: 1.42857143;\n border: 1px solid transparent;\n border-radius: 4px 4px 0 0;\n}\n.nav-tabs > li > a:hover {\n border-color: #eeeeee #eeeeee #ddd;\n}\n.nav-tabs > li.active > a,\n.nav-tabs > li.active > a:hover,\n.nav-tabs > li.active > a:focus {\n color: #555555;\n background-color: #fff;\n border: 1px solid #ddd;\n border-bottom-color: transparent;\n cursor: 
default;\n}\n.nav-tabs.nav-justified {\n width: 100%;\n border-bottom: 0;\n}\n.nav-tabs.nav-justified > li {\n float: none;\n}\n.nav-tabs.nav-justified > li > a {\n text-align: center;\n margin-bottom: 5px;\n}\n.nav-tabs.nav-justified > .dropdown .dropdown-menu {\n top: auto;\n left: auto;\n}\n@media (min-width: 768px) {\n .nav-tabs.nav-justified > li {\n display: table-cell;\n width: 1%;\n }\n .nav-tabs.nav-justified > li > a {\n margin-bottom: 0;\n }\n}\n.nav-tabs.nav-justified > li > a {\n margin-right: 0;\n border-radius: 4px;\n}\n.nav-tabs.nav-justified > .active > a,\n.nav-tabs.nav-justified > .active > a:hover,\n.nav-tabs.nav-justified > .active > a:focus {\n border: 1px solid #ddd;\n}\n@media (min-width: 768px) {\n .nav-tabs.nav-justified > li > a {\n border-bottom: 1px solid #ddd;\n border-radius: 4px 4px 0 0;\n }\n .nav-tabs.nav-justified > .active > a,\n .nav-tabs.nav-justified > .active > a:hover,\n .nav-tabs.nav-justified > .active > a:focus {\n border-bottom-color: #fff;\n }\n}\n.nav-pills > li {\n float: left;\n}\n.nav-pills > li > a {\n border-radius: 4px;\n}\n.nav-pills > li + li {\n margin-left: 2px;\n}\n.nav-pills > li.active > a,\n.nav-pills > li.active > a:hover,\n.nav-pills > li.active > a:focus {\n color: #fff;\n background-color: #337ab7;\n}\n.nav-stacked > li {\n float: none;\n}\n.nav-stacked > li + li {\n margin-top: 2px;\n margin-left: 0;\n}\n.nav-justified {\n width: 100%;\n}\n.nav-justified > li {\n float: none;\n}\n.nav-justified > li > a {\n text-align: center;\n margin-bottom: 5px;\n}\n.nav-justified > .dropdown .dropdown-menu {\n top: auto;\n left: auto;\n}\n@media (min-width: 768px) {\n .nav-justified > li {\n display: table-cell;\n width: 1%;\n }\n .nav-justified > li > a {\n margin-bottom: 0;\n }\n}\n.nav-tabs-justified {\n border-bottom: 0;\n}\n.nav-tabs-justified > li > a {\n margin-right: 0;\n border-radius: 4px;\n}\n.nav-tabs-justified > .active > a,\n.nav-tabs-justified > .active > a:hover,\n.nav-tabs-justified > .active > 
a:focus {\n border: 1px solid #ddd;\n}\n@media (min-width: 768px) {\n .nav-tabs-justified > li > a {\n border-bottom: 1px solid #ddd;\n border-radius: 4px 4px 0 0;\n }\n .nav-tabs-justified > .active > a,\n .nav-tabs-justified > .active > a:hover,\n .nav-tabs-justified > .active > a:focus {\n border-bottom-color: #fff;\n }\n}\n.tab-content > .tab-pane {\n display: none;\n}\n.tab-content > .active {\n display: block;\n}\n.nav-tabs .dropdown-menu {\n margin-top: -1px;\n border-top-right-radius: 0;\n border-top-left-radius: 0;\n}\n.navbar {\n position: relative;\n min-height: 50px;\n margin-bottom: 20px;\n border: 1px solid transparent;\n}\n@media (min-width: 768px) {\n .navbar {\n border-radius: 4px;\n }\n}\n@media (min-width: 768px) {\n .navbar-header {\n float: left;\n }\n}\n.navbar-collapse {\n overflow-x: visible;\n padding-right: 15px;\n padding-left: 15px;\n border-top: 1px solid transparent;\n box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1);\n -webkit-overflow-scrolling: touch;\n}\n.navbar-collapse.in {\n overflow-y: auto;\n}\n@media (min-width: 768px) {\n .navbar-collapse {\n width: auto;\n border-top: 0;\n box-shadow: none;\n }\n .navbar-collapse.collapse {\n display: block !important;\n height: auto !important;\n padding-bottom: 0;\n overflow: visible !important;\n }\n .navbar-collapse.in {\n overflow-y: visible;\n }\n .navbar-fixed-top .navbar-collapse,\n .navbar-static-top .navbar-collapse,\n .navbar-fixed-bottom .navbar-collapse {\n padding-left: 0;\n padding-right: 0;\n }\n}\n.navbar-fixed-top .navbar-collapse,\n.navbar-fixed-bottom .navbar-collapse {\n max-height: 340px;\n}\n@media (max-device-width: 480px) and (orientation: landscape) {\n .navbar-fixed-top .navbar-collapse,\n .navbar-fixed-bottom .navbar-collapse {\n max-height: 200px;\n }\n}\n.container > .navbar-header,\n.container-fluid > .navbar-header,\n.container > .navbar-collapse,\n.container-fluid > .navbar-collapse {\n margin-right: -15px;\n margin-left: -15px;\n}\n@media (min-width: 
768px) {\n .container > .navbar-header,\n .container-fluid > .navbar-header,\n .container > .navbar-collapse,\n .container-fluid > .navbar-collapse {\n margin-right: 0;\n margin-left: 0;\n }\n}\n.navbar-static-top {\n z-index: 1000;\n border-width: 0 0 1px;\n}\n@media (min-width: 768px) {\n .navbar-static-top {\n border-radius: 0;\n }\n}\n.navbar-fixed-top,\n.navbar-fixed-bottom {\n position: fixed;\n right: 0;\n left: 0;\n z-index: 1030;\n}\n@media (min-width: 768px) {\n .navbar-fixed-top,\n .navbar-fixed-bottom {\n border-radius: 0;\n }\n}\n.navbar-fixed-top {\n top: 0;\n border-width: 0 0 1px;\n}\n.navbar-fixed-bottom {\n bottom: 0;\n margin-bottom: 0;\n border-width: 1px 0 0;\n}\n.navbar-brand {\n float: left;\n padding: 15px 15px;\n font-size: 18px;\n line-height: 20px;\n height: 50px;\n}\n.navbar-brand:hover,\n.navbar-brand:focus {\n text-decoration: none;\n}\n.navbar-brand > img {\n display: block;\n}\n@media (min-width: 768px) {\n .navbar > .container .navbar-brand,\n .navbar > .container-fluid .navbar-brand {\n margin-left: -15px;\n }\n}\n.navbar-toggle {\n position: relative;\n float: right;\n margin-right: 15px;\n padding: 9px 10px;\n margin-top: 8px;\n margin-bottom: 8px;\n background-color: transparent;\n background-image: none;\n border: 1px solid transparent;\n border-radius: 4px;\n}\n.navbar-toggle:focus {\n outline: 0;\n}\n.navbar-toggle .icon-bar {\n display: block;\n width: 22px;\n height: 2px;\n border-radius: 1px;\n}\n.navbar-toggle .icon-bar + .icon-bar {\n margin-top: 4px;\n}\n@media (min-width: 768px) {\n .navbar-toggle {\n display: none;\n }\n}\n.navbar-nav {\n margin: 7.5px -15px;\n}\n.navbar-nav > li > a {\n padding-top: 10px;\n padding-bottom: 10px;\n line-height: 20px;\n}\n@media (max-width: 767px) {\n .navbar-nav .open .dropdown-menu {\n position: static;\n float: none;\n width: auto;\n margin-top: 0;\n background-color: transparent;\n border: 0;\n box-shadow: none;\n }\n .navbar-nav .open .dropdown-menu > li > a,\n .navbar-nav .open 
.dropdown-menu .dropdown-header {\n padding: 5px 15px 5px 25px;\n }\n .navbar-nav .open .dropdown-menu > li > a {\n line-height: 20px;\n }\n .navbar-nav .open .dropdown-menu > li > a:hover,\n .navbar-nav .open .dropdown-menu > li > a:focus {\n background-image: none;\n }\n}\n@media (min-width: 768px) {\n .navbar-nav {\n float: left;\n margin: 0;\n }\n .navbar-nav > li {\n float: left;\n }\n .navbar-nav > li > a {\n padding-top: 15px;\n padding-bottom: 15px;\n }\n}\n.navbar-form {\n margin-left: -15px;\n margin-right: -15px;\n padding: 10px 15px;\n border-top: 1px solid transparent;\n border-bottom: 1px solid transparent;\n -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);\n box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);\n margin-top: 8px;\n margin-bottom: 8px;\n}\n@media (min-width: 768px) {\n .navbar-form .form-group {\n display: inline-block;\n margin-bottom: 0;\n vertical-align: middle;\n }\n .navbar-form .form-control {\n display: inline-block;\n width: auto;\n vertical-align: middle;\n }\n .navbar-form .form-control-static {\n display: inline-block;\n }\n .navbar-form .input-group {\n display: inline-table;\n vertical-align: middle;\n }\n .navbar-form .input-group .input-group-addon,\n .navbar-form .input-group .input-group-btn,\n .navbar-form .input-group .form-control {\n width: auto;\n }\n .navbar-form .input-group > .form-control {\n width: 100%;\n }\n .navbar-form .control-label {\n margin-bottom: 0;\n vertical-align: middle;\n }\n .navbar-form .radio,\n .navbar-form .checkbox {\n display: inline-block;\n margin-top: 0;\n margin-bottom: 0;\n vertical-align: middle;\n }\n .navbar-form .radio label,\n .navbar-form .checkbox label {\n padding-left: 0;\n }\n .navbar-form .radio input[type=\"radio\"],\n .navbar-form .checkbox input[type=\"checkbox\"] {\n position: relative;\n margin-left: 0;\n }\n .navbar-form .has-feedback .form-control-feedback {\n top: 0;\n }\n}\n@media 
(max-width: 767px) {\n .navbar-form .form-group {\n margin-bottom: 5px;\n }\n .navbar-form .form-group:last-child {\n margin-bottom: 0;\n }\n}\n@media (min-width: 768px) {\n .navbar-form {\n width: auto;\n border: 0;\n margin-left: 0;\n margin-right: 0;\n padding-top: 0;\n padding-bottom: 0;\n -webkit-box-shadow: none;\n box-shadow: none;\n }\n}\n.navbar-nav > li > .dropdown-menu {\n margin-top: 0;\n border-top-right-radius: 0;\n border-top-left-radius: 0;\n}\n.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {\n margin-bottom: 0;\n border-top-right-radius: 4px;\n border-top-left-radius: 4px;\n border-bottom-right-radius: 0;\n border-bottom-left-radius: 0;\n}\n.navbar-btn {\n margin-top: 8px;\n margin-bottom: 8px;\n}\n.navbar-btn.btn-sm {\n margin-top: 10px;\n margin-bottom: 10px;\n}\n.navbar-btn.btn-xs {\n margin-top: 14px;\n margin-bottom: 14px;\n}\n.navbar-text {\n margin-top: 15px;\n margin-bottom: 15px;\n}\n@media (min-width: 768px) {\n .navbar-text {\n float: left;\n margin-left: 15px;\n margin-right: 15px;\n }\n}\n@media (min-width: 768px) {\n .navbar-left {\n float: left !important;\n }\n .navbar-right {\n float: right !important;\n margin-right: -15px;\n }\n .navbar-right ~ .navbar-right {\n margin-right: 0;\n }\n}\n.navbar-default {\n background-color: #f8f8f8;\n border-color: #e7e7e7;\n}\n.navbar-default .navbar-brand {\n color: #777;\n}\n.navbar-default .navbar-brand:hover,\n.navbar-default .navbar-brand:focus {\n color: #5e5e5e;\n background-color: transparent;\n}\n.navbar-default .navbar-text {\n color: #777;\n}\n.navbar-default .navbar-nav > li > a {\n color: #777;\n}\n.navbar-default .navbar-nav > li > a:hover,\n.navbar-default .navbar-nav > li > a:focus {\n color: #333;\n background-color: transparent;\n}\n.navbar-default .navbar-nav > .active > a,\n.navbar-default .navbar-nav > .active > a:hover,\n.navbar-default .navbar-nav > .active > a:focus {\n color: #555;\n background-color: #e7e7e7;\n}\n.navbar-default .navbar-nav > .disabled > 
a,\n.navbar-default .navbar-nav > .disabled > a:hover,\n.navbar-default .navbar-nav > .disabled > a:focus {\n color: #ccc;\n background-color: transparent;\n}\n.navbar-default .navbar-toggle {\n border-color: #ddd;\n}\n.navbar-default .navbar-toggle:hover,\n.navbar-default .navbar-toggle:focus {\n background-color: #ddd;\n}\n.navbar-default .navbar-toggle .icon-bar {\n background-color: #888;\n}\n.navbar-default .navbar-collapse,\n.navbar-default .navbar-form {\n border-color: #e7e7e7;\n}\n.navbar-default .navbar-nav > .open > a,\n.navbar-default .navbar-nav > .open > a:hover,\n.navbar-default .navbar-nav > .open > a:focus {\n background-color: #e7e7e7;\n color: #555;\n}\n@media (max-width: 767px) {\n .navbar-default .navbar-nav .open .dropdown-menu > li > a {\n color: #777;\n }\n .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover,\n .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus {\n color: #333;\n background-color: transparent;\n }\n .navbar-default .navbar-nav .open .dropdown-menu > .active > a,\n .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover,\n .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus {\n color: #555;\n background-color: #e7e7e7;\n }\n .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a,\n .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover,\n .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus {\n color: #ccc;\n background-color: transparent;\n }\n}\n.navbar-default .navbar-link {\n color: #777;\n}\n.navbar-default .navbar-link:hover {\n color: #333;\n}\n.navbar-default .btn-link {\n color: #777;\n}\n.navbar-default .btn-link:hover,\n.navbar-default .btn-link:focus {\n color: #333;\n}\n.navbar-default .btn-link[disabled]:hover,\nfieldset[disabled] .navbar-default .btn-link:hover,\n.navbar-default .btn-link[disabled]:focus,\nfieldset[disabled] .navbar-default .btn-link:focus {\n color: #ccc;\n}\n.navbar-inverse {\n background-color: 
#222;\n border-color: #080808;\n}\n.navbar-inverse .navbar-brand {\n color: #9d9d9d;\n}\n.navbar-inverse .navbar-brand:hover,\n.navbar-inverse .navbar-brand:focus {\n color: #fff;\n background-color: transparent;\n}\n.navbar-inverse .navbar-text {\n color: #9d9d9d;\n}\n.navbar-inverse .navbar-nav > li > a {\n color: #9d9d9d;\n}\n.navbar-inverse .navbar-nav > li > a:hover,\n.navbar-inverse .navbar-nav > li > a:focus {\n color: #fff;\n background-color: transparent;\n}\n.navbar-inverse .navbar-nav > .active > a,\n.navbar-inverse .navbar-nav > .active > a:hover,\n.navbar-inverse .navbar-nav > .active > a:focus {\n color: #fff;\n background-color: #080808;\n}\n.navbar-inverse .navbar-nav > .disabled > a,\n.navbar-inverse .navbar-nav > .disabled > a:hover,\n.navbar-inverse .navbar-nav > .disabled > a:focus {\n color: #444;\n background-color: transparent;\n}\n.navbar-inverse .navbar-toggle {\n border-color: #333;\n}\n.navbar-inverse .navbar-toggle:hover,\n.navbar-inverse .navbar-toggle:focus {\n background-color: #333;\n}\n.navbar-inverse .navbar-toggle .icon-bar {\n background-color: #fff;\n}\n.navbar-inverse .navbar-collapse,\n.navbar-inverse .navbar-form {\n border-color: #101010;\n}\n.navbar-inverse .navbar-nav > .open > a,\n.navbar-inverse .navbar-nav > .open > a:hover,\n.navbar-inverse .navbar-nav > .open > a:focus {\n background-color: #080808;\n color: #fff;\n}\n@media (max-width: 767px) {\n .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header {\n border-color: #080808;\n }\n .navbar-inverse .navbar-nav .open .dropdown-menu .divider {\n background-color: #080808;\n }\n .navbar-inverse .navbar-nav .open .dropdown-menu > li > a {\n color: #9d9d9d;\n }\n .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover,\n .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {\n color: #fff;\n background-color: transparent;\n }\n .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a,\n .navbar-inverse .navbar-nav .open .dropdown-menu 
> .active > a:hover,\n .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {\n color: #fff;\n background-color: #080808;\n }\n .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a,\n .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover,\n .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {\n color: #444;\n background-color: transparent;\n }\n}\n.navbar-inverse .navbar-link {\n color: #9d9d9d;\n}\n.navbar-inverse .navbar-link:hover {\n color: #fff;\n}\n.navbar-inverse .btn-link {\n color: #9d9d9d;\n}\n.navbar-inverse .btn-link:hover,\n.navbar-inverse .btn-link:focus {\n color: #fff;\n}\n.navbar-inverse .btn-link[disabled]:hover,\nfieldset[disabled] .navbar-inverse .btn-link:hover,\n.navbar-inverse .btn-link[disabled]:focus,\nfieldset[disabled] .navbar-inverse .btn-link:focus {\n color: #444;\n}\n.breadcrumb {\n padding: 8px 15px;\n margin-bottom: 20px;\n list-style: none;\n background-color: #f5f5f5;\n border-radius: 4px;\n}\n.breadcrumb > li {\n display: inline-block;\n}\n.breadcrumb > li + li:before {\n content: \"/\\00a0\";\n padding: 0 5px;\n color: #ccc;\n}\n.breadcrumb > .active {\n color: #777777;\n}\n.pagination {\n display: inline-block;\n padding-left: 0;\n margin: 20px 0;\n border-radius: 4px;\n}\n.pagination > li {\n display: inline;\n}\n.pagination > li > a,\n.pagination > li > span {\n position: relative;\n float: left;\n padding: 6px 12px;\n line-height: 1.42857143;\n text-decoration: none;\n color: #337ab7;\n background-color: #fff;\n border: 1px solid #ddd;\n margin-left: -1px;\n}\n.pagination > li:first-child > a,\n.pagination > li:first-child > span {\n margin-left: 0;\n border-bottom-left-radius: 4px;\n border-top-left-radius: 4px;\n}\n.pagination > li:last-child > a,\n.pagination > li:last-child > span {\n border-bottom-right-radius: 4px;\n border-top-right-radius: 4px;\n}\n.pagination > li > a:hover,\n.pagination > li > span:hover,\n.pagination > li > a:focus,\n.pagination > li 
> span:focus {\n z-index: 2;\n color: #23527c;\n background-color: #eeeeee;\n border-color: #ddd;\n}\n.pagination > .active > a,\n.pagination > .active > span,\n.pagination > .active > a:hover,\n.pagination > .active > span:hover,\n.pagination > .active > a:focus,\n.pagination > .active > span:focus {\n z-index: 3;\n color: #fff;\n background-color: #337ab7;\n border-color: #337ab7;\n cursor: default;\n}\n.pagination > .disabled > span,\n.pagination > .disabled > span:hover,\n.pagination > .disabled > span:focus,\n.pagination > .disabled > a,\n.pagination > .disabled > a:hover,\n.pagination > .disabled > a:focus {\n color: #777777;\n background-color: #fff;\n border-color: #ddd;\n cursor: not-allowed;\n}\n.pagination-lg > li > a,\n.pagination-lg > li > span {\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n}\n.pagination-lg > li:first-child > a,\n.pagination-lg > li:first-child > span {\n border-bottom-left-radius: 6px;\n border-top-left-radius: 6px;\n}\n.pagination-lg > li:last-child > a,\n.pagination-lg > li:last-child > span {\n border-bottom-right-radius: 6px;\n border-top-right-radius: 6px;\n}\n.pagination-sm > li > a,\n.pagination-sm > li > span {\n padding: 5px 10px;\n font-size: 12px;\n line-height: 1.5;\n}\n.pagination-sm > li:first-child > a,\n.pagination-sm > li:first-child > span {\n border-bottom-left-radius: 3px;\n border-top-left-radius: 3px;\n}\n.pagination-sm > li:last-child > a,\n.pagination-sm > li:last-child > span {\n border-bottom-right-radius: 3px;\n border-top-right-radius: 3px;\n}\n.pager {\n padding-left: 0;\n margin: 20px 0;\n list-style: none;\n text-align: center;\n}\n.pager li {\n display: inline;\n}\n.pager li > a,\n.pager li > span {\n display: inline-block;\n padding: 5px 14px;\n background-color: #fff;\n border: 1px solid #ddd;\n border-radius: 15px;\n}\n.pager li > a:hover,\n.pager li > a:focus {\n text-decoration: none;\n background-color: #eeeeee;\n}\n.pager .next > a,\n.pager .next > span {\n float: 
right;\n}\n.pager .previous > a,\n.pager .previous > span {\n float: left;\n}\n.pager .disabled > a,\n.pager .disabled > a:hover,\n.pager .disabled > a:focus,\n.pager .disabled > span {\n color: #777777;\n background-color: #fff;\n cursor: not-allowed;\n}\n.label {\n display: inline;\n padding: .2em .6em .3em;\n font-size: 75%;\n font-weight: bold;\n line-height: 1;\n color: #fff;\n text-align: center;\n white-space: nowrap;\n vertical-align: baseline;\n border-radius: .25em;\n}\na.label:hover,\na.label:focus {\n color: #fff;\n text-decoration: none;\n cursor: pointer;\n}\n.label:empty {\n display: none;\n}\n.btn .label {\n position: relative;\n top: -1px;\n}\n.label-default {\n background-color: #777777;\n}\n.label-default[href]:hover,\n.label-default[href]:focus {\n background-color: #5e5e5e;\n}\n.label-primary {\n background-color: #337ab7;\n}\n.label-primary[href]:hover,\n.label-primary[href]:focus {\n background-color: #286090;\n}\n.label-success {\n background-color: #5cb85c;\n}\n.label-success[href]:hover,\n.label-success[href]:focus {\n background-color: #449d44;\n}\n.label-info {\n background-color: #5bc0de;\n}\n.label-info[href]:hover,\n.label-info[href]:focus {\n background-color: #31b0d5;\n}\n.label-warning {\n background-color: #f0ad4e;\n}\n.label-warning[href]:hover,\n.label-warning[href]:focus {\n background-color: #ec971f;\n}\n.label-danger {\n background-color: #d9534f;\n}\n.label-danger[href]:hover,\n.label-danger[href]:focus {\n background-color: #c9302c;\n}\n.badge {\n display: inline-block;\n min-width: 10px;\n padding: 3px 7px;\n font-size: 12px;\n font-weight: bold;\n color: #fff;\n line-height: 1;\n vertical-align: middle;\n white-space: nowrap;\n text-align: center;\n background-color: #777777;\n border-radius: 10px;\n}\n.badge:empty {\n display: none;\n}\n.btn .badge {\n position: relative;\n top: -1px;\n}\n.btn-xs .badge,\n.btn-group-xs > .btn .badge {\n top: 0;\n padding: 1px 5px;\n}\na.badge:hover,\na.badge:focus {\n color: #fff;\n 
text-decoration: none;\n cursor: pointer;\n}\n.list-group-item.active > .badge,\n.nav-pills > .active > a > .badge {\n color: #337ab7;\n background-color: #fff;\n}\n.list-group-item > .badge {\n float: right;\n}\n.list-group-item > .badge + .badge {\n margin-right: 5px;\n}\n.nav-pills > li > a > .badge {\n margin-left: 3px;\n}\n.jumbotron {\n padding-top: 30px;\n padding-bottom: 30px;\n margin-bottom: 30px;\n color: inherit;\n background-color: #eeeeee;\n}\n.jumbotron h1,\n.jumbotron .h1 {\n color: inherit;\n}\n.jumbotron p {\n margin-bottom: 15px;\n font-size: 21px;\n font-weight: 200;\n}\n.jumbotron > hr {\n border-top-color: #d5d5d5;\n}\n.container .jumbotron,\n.container-fluid .jumbotron {\n border-radius: 6px;\n padding-left: 15px;\n padding-right: 15px;\n}\n.jumbotron .container {\n max-width: 100%;\n}\n@media screen and (min-width: 768px) {\n .jumbotron {\n padding-top: 48px;\n padding-bottom: 48px;\n }\n .container .jumbotron,\n .container-fluid .jumbotron {\n padding-left: 60px;\n padding-right: 60px;\n }\n .jumbotron h1,\n .jumbotron .h1 {\n font-size: 63px;\n }\n}\n.thumbnail {\n display: block;\n padding: 4px;\n margin-bottom: 20px;\n line-height: 1.42857143;\n background-color: #fff;\n border: 1px solid #ddd;\n border-radius: 4px;\n -webkit-transition: border 0.2s ease-in-out;\n -o-transition: border 0.2s ease-in-out;\n transition: border 0.2s ease-in-out;\n}\n.thumbnail > img,\n.thumbnail a > img {\n margin-left: auto;\n margin-right: auto;\n}\na.thumbnail:hover,\na.thumbnail:focus,\na.thumbnail.active {\n border-color: #337ab7;\n}\n.thumbnail .caption {\n padding: 9px;\n color: #333333;\n}\n.alert {\n padding: 15px;\n margin-bottom: 20px;\n border: 1px solid transparent;\n border-radius: 4px;\n}\n.alert h4 {\n margin-top: 0;\n color: inherit;\n}\n.alert .alert-link {\n font-weight: bold;\n}\n.alert > p,\n.alert > ul {\n margin-bottom: 0;\n}\n.alert > p + p {\n margin-top: 5px;\n}\n.alert-dismissable,\n.alert-dismissible {\n padding-right: 
35px;\n}\n.alert-dismissable .close,\n.alert-dismissible .close {\n position: relative;\n top: -2px;\n right: -21px;\n color: inherit;\n}\n.alert-success {\n background-color: #dff0d8;\n border-color: #d6e9c6;\n color: #3c763d;\n}\n.alert-success hr {\n border-top-color: #c9e2b3;\n}\n.alert-success .alert-link {\n color: #2b542c;\n}\n.alert-info {\n background-color: #d9edf7;\n border-color: #bce8f1;\n color: #31708f;\n}\n.alert-info hr {\n border-top-color: #a6e1ec;\n}\n.alert-info .alert-link {\n color: #245269;\n}\n.alert-warning {\n background-color: #fcf8e3;\n border-color: #faebcc;\n color: #8a6d3b;\n}\n.alert-warning hr {\n border-top-color: #f7e1b5;\n}\n.alert-warning .alert-link {\n color: #66512c;\n}\n.alert-danger {\n background-color: #f2dede;\n border-color: #ebccd1;\n color: #a94442;\n}\n.alert-danger hr {\n border-top-color: #e4b9c0;\n}\n.alert-danger .alert-link {\n color: #843534;\n}\n@-webkit-keyframes progress-bar-stripes {\n from {\n background-position: 40px 0;\n }\n to {\n background-position: 0 0;\n }\n}\n@keyframes progress-bar-stripes {\n from {\n background-position: 40px 0;\n }\n to {\n background-position: 0 0;\n }\n}\n.progress {\n overflow: hidden;\n height: 20px;\n margin-bottom: 20px;\n background-color: #f5f5f5;\n border-radius: 4px;\n -webkit-box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1);\n box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1);\n}\n.progress-bar {\n float: left;\n width: 0%;\n height: 100%;\n font-size: 12px;\n line-height: 20px;\n color: #fff;\n text-align: center;\n background-color: #337ab7;\n -webkit-box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.15);\n box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.15);\n -webkit-transition: width 0.6s ease;\n -o-transition: width 0.6s ease;\n transition: width 0.6s ease;\n}\n.progress-striped .progress-bar,\n.progress-bar-striped {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 
255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-size: 40px 40px;\n}\n.progress.active .progress-bar,\n.progress-bar.active {\n -webkit-animation: progress-bar-stripes 2s linear infinite;\n -o-animation: progress-bar-stripes 2s linear infinite;\n animation: progress-bar-stripes 2s linear infinite;\n}\n.progress-bar-success {\n background-color: #5cb85c;\n}\n.progress-striped .progress-bar-success {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n}\n.progress-bar-info {\n background-color: #5bc0de;\n}\n.progress-striped .progress-bar-info {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 
255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n}\n.progress-bar-warning {\n background-color: #f0ad4e;\n}\n.progress-striped .progress-bar-warning {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n}\n.progress-bar-danger {\n background-color: #d9534f;\n}\n.progress-striped .progress-bar-danger {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);\n}\n.media {\n margin-top: 15px;\n}\n.media:first-child {\n margin-top: 0;\n}\n.media,\n.media-body {\n zoom: 1;\n overflow: hidden;\n}\n.media-body {\n width: 10000px;\n}\n.media-object {\n display: block;\n}\n.media-object.img-thumbnail {\n max-width: none;\n}\n.media-right,\n.media > .pull-right {\n padding-left: 10px;\n}\n.media-left,\n.media > .pull-left {\n padding-right: 
10px;\n}\n.media-left,\n.media-right,\n.media-body {\n display: table-cell;\n vertical-align: top;\n}\n.media-middle {\n vertical-align: middle;\n}\n.media-bottom {\n vertical-align: bottom;\n}\n.media-heading {\n margin-top: 0;\n margin-bottom: 5px;\n}\n.media-list {\n padding-left: 0;\n list-style: none;\n}\n.list-group {\n margin-bottom: 20px;\n padding-left: 0;\n}\n.list-group-item {\n position: relative;\n display: block;\n padding: 10px 15px;\n margin-bottom: -1px;\n background-color: #fff;\n border: 1px solid #ddd;\n}\n.list-group-item:first-child {\n border-top-right-radius: 4px;\n border-top-left-radius: 4px;\n}\n.list-group-item:last-child {\n margin-bottom: 0;\n border-bottom-right-radius: 4px;\n border-bottom-left-radius: 4px;\n}\na.list-group-item,\nbutton.list-group-item {\n color: #555;\n}\na.list-group-item .list-group-item-heading,\nbutton.list-group-item .list-group-item-heading {\n color: #333;\n}\na.list-group-item:hover,\nbutton.list-group-item:hover,\na.list-group-item:focus,\nbutton.list-group-item:focus {\n text-decoration: none;\n color: #555;\n background-color: #f5f5f5;\n}\nbutton.list-group-item {\n width: 100%;\n text-align: left;\n}\n.list-group-item.disabled,\n.list-group-item.disabled:hover,\n.list-group-item.disabled:focus {\n background-color: #eeeeee;\n color: #777777;\n cursor: not-allowed;\n}\n.list-group-item.disabled .list-group-item-heading,\n.list-group-item.disabled:hover .list-group-item-heading,\n.list-group-item.disabled:focus .list-group-item-heading {\n color: inherit;\n}\n.list-group-item.disabled .list-group-item-text,\n.list-group-item.disabled:hover .list-group-item-text,\n.list-group-item.disabled:focus .list-group-item-text {\n color: #777777;\n}\n.list-group-item.active,\n.list-group-item.active:hover,\n.list-group-item.active:focus {\n z-index: 2;\n color: #fff;\n background-color: #337ab7;\n border-color: #337ab7;\n}\n.list-group-item.active .list-group-item-heading,\n.list-group-item.active:hover 
.list-group-item-heading,\n.list-group-item.active:focus .list-group-item-heading,\n.list-group-item.active .list-group-item-heading > small,\n.list-group-item.active:hover .list-group-item-heading > small,\n.list-group-item.active:focus .list-group-item-heading > small,\n.list-group-item.active .list-group-item-heading > .small,\n.list-group-item.active:hover .list-group-item-heading > .small,\n.list-group-item.active:focus .list-group-item-heading > .small {\n color: inherit;\n}\n.list-group-item.active .list-group-item-text,\n.list-group-item.active:hover .list-group-item-text,\n.list-group-item.active:focus .list-group-item-text {\n color: #c7ddef;\n}\n.list-group-item-success {\n color: #3c763d;\n background-color: #dff0d8;\n}\na.list-group-item-success,\nbutton.list-group-item-success {\n color: #3c763d;\n}\na.list-group-item-success .list-group-item-heading,\nbutton.list-group-item-success .list-group-item-heading {\n color: inherit;\n}\na.list-group-item-success:hover,\nbutton.list-group-item-success:hover,\na.list-group-item-success:focus,\nbutton.list-group-item-success:focus {\n color: #3c763d;\n background-color: #d0e9c6;\n}\na.list-group-item-success.active,\nbutton.list-group-item-success.active,\na.list-group-item-success.active:hover,\nbutton.list-group-item-success.active:hover,\na.list-group-item-success.active:focus,\nbutton.list-group-item-success.active:focus {\n color: #fff;\n background-color: #3c763d;\n border-color: #3c763d;\n}\n.list-group-item-info {\n color: #31708f;\n background-color: #d9edf7;\n}\na.list-group-item-info,\nbutton.list-group-item-info {\n color: #31708f;\n}\na.list-group-item-info .list-group-item-heading,\nbutton.list-group-item-info .list-group-item-heading {\n color: inherit;\n}\na.list-group-item-info:hover,\nbutton.list-group-item-info:hover,\na.list-group-item-info:focus,\nbutton.list-group-item-info:focus {\n color: #31708f;\n background-color: 
#c4e3f3;\n}\na.list-group-item-info.active,\nbutton.list-group-item-info.active,\na.list-group-item-info.active:hover,\nbutton.list-group-item-info.active:hover,\na.list-group-item-info.active:focus,\nbutton.list-group-item-info.active:focus {\n color: #fff;\n background-color: #31708f;\n border-color: #31708f;\n}\n.list-group-item-warning {\n color: #8a6d3b;\n background-color: #fcf8e3;\n}\na.list-group-item-warning,\nbutton.list-group-item-warning {\n color: #8a6d3b;\n}\na.list-group-item-warning .list-group-item-heading,\nbutton.list-group-item-warning .list-group-item-heading {\n color: inherit;\n}\na.list-group-item-warning:hover,\nbutton.list-group-item-warning:hover,\na.list-group-item-warning:focus,\nbutton.list-group-item-warning:focus {\n color: #8a6d3b;\n background-color: #faf2cc;\n}\na.list-group-item-warning.active,\nbutton.list-group-item-warning.active,\na.list-group-item-warning.active:hover,\nbutton.list-group-item-warning.active:hover,\na.list-group-item-warning.active:focus,\nbutton.list-group-item-warning.active:focus {\n color: #fff;\n background-color: #8a6d3b;\n border-color: #8a6d3b;\n}\n.list-group-item-danger {\n color: #a94442;\n background-color: #f2dede;\n}\na.list-group-item-danger,\nbutton.list-group-item-danger {\n color: #a94442;\n}\na.list-group-item-danger .list-group-item-heading,\nbutton.list-group-item-danger .list-group-item-heading {\n color: inherit;\n}\na.list-group-item-danger:hover,\nbutton.list-group-item-danger:hover,\na.list-group-item-danger:focus,\nbutton.list-group-item-danger:focus {\n color: #a94442;\n background-color: #ebcccc;\n}\na.list-group-item-danger.active,\nbutton.list-group-item-danger.active,\na.list-group-item-danger.active:hover,\nbutton.list-group-item-danger.active:hover,\na.list-group-item-danger.active:focus,\nbutton.list-group-item-danger.active:focus {\n color: #fff;\n background-color: #a94442;\n border-color: #a94442;\n}\n.list-group-item-heading {\n margin-top: 0;\n margin-bottom: 
5px;\n}\n.list-group-item-text {\n margin-bottom: 0;\n line-height: 1.3;\n}\n.panel {\n margin-bottom: 20px;\n background-color: #fff;\n border: 1px solid transparent;\n border-radius: 4px;\n -webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);\n box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);\n}\n.panel-body {\n padding: 15px;\n}\n.panel-heading {\n padding: 10px 15px;\n border-bottom: 1px solid transparent;\n border-top-right-radius: 3px;\n border-top-left-radius: 3px;\n}\n.panel-heading > .dropdown .dropdown-toggle {\n color: inherit;\n}\n.panel-title {\n margin-top: 0;\n margin-bottom: 0;\n font-size: 16px;\n color: inherit;\n}\n.panel-title > a,\n.panel-title > small,\n.panel-title > .small,\n.panel-title > small > a,\n.panel-title > .small > a {\n color: inherit;\n}\n.panel-footer {\n padding: 10px 15px;\n background-color: #f5f5f5;\n border-top: 1px solid #ddd;\n border-bottom-right-radius: 3px;\n border-bottom-left-radius: 3px;\n}\n.panel > .list-group,\n.panel > .panel-collapse > .list-group {\n margin-bottom: 0;\n}\n.panel > .list-group .list-group-item,\n.panel > .panel-collapse > .list-group .list-group-item {\n border-width: 1px 0;\n border-radius: 0;\n}\n.panel > .list-group:first-child .list-group-item:first-child,\n.panel > .panel-collapse > .list-group:first-child .list-group-item:first-child {\n border-top: 0;\n border-top-right-radius: 3px;\n border-top-left-radius: 3px;\n}\n.panel > .list-group:last-child .list-group-item:last-child,\n.panel > .panel-collapse > .list-group:last-child .list-group-item:last-child {\n border-bottom: 0;\n border-bottom-right-radius: 3px;\n border-bottom-left-radius: 3px;\n}\n.panel > .panel-heading + .panel-collapse > .list-group .list-group-item:first-child {\n border-top-right-radius: 0;\n border-top-left-radius: 0;\n}\n.panel-heading + .list-group .list-group-item:first-child {\n border-top-width: 0;\n}\n.list-group + .panel-footer {\n border-top-width: 0;\n}\n.panel > .table,\n.panel > .table-responsive > 
.table,\n.panel > .panel-collapse > .table {\n margin-bottom: 0;\n}\n.panel > .table caption,\n.panel > .table-responsive > .table caption,\n.panel > .panel-collapse > .table caption {\n padding-left: 15px;\n padding-right: 15px;\n}\n.panel > .table:first-child,\n.panel > .table-responsive:first-child > .table:first-child {\n border-top-right-radius: 3px;\n border-top-left-radius: 3px;\n}\n.panel > .table:first-child > thead:first-child > tr:first-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child {\n border-top-left-radius: 3px;\n border-top-right-radius: 3px;\n}\n.panel > .table:first-child > thead:first-child > tr:first-child td:first-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child td:first-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child,\n.panel > .table:first-child > thead:first-child > tr:first-child th:first-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child th:first-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child {\n border-top-left-radius: 3px;\n}\n.panel > .table:first-child > thead:first-child > tr:first-child td:last-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child td:last-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child 
td:last-child,\n.panel > .table:first-child > thead:first-child > tr:first-child th:last-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child th:last-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child {\n border-top-right-radius: 3px;\n}\n.panel > .table:last-child,\n.panel > .table-responsive:last-child > .table:last-child {\n border-bottom-right-radius: 3px;\n border-bottom-left-radius: 3px;\n}\n.panel > .table:last-child > tbody:last-child > tr:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child,\n.panel > .table:last-child > tfoot:last-child > tr:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child {\n border-bottom-left-radius: 3px;\n border-bottom-right-radius: 3px;\n}\n.panel > .table:last-child > tbody:last-child > tr:last-child td:first-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child,\n.panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child,\n.panel > .table:last-child > tbody:last-child > tr:last-child th:first-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child,\n.panel > .table:last-child > tfoot:last-child > tr:last-child th:first-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child {\n border-bottom-left-radius: 3px;\n}\n.panel > .table:last-child > tbody:last-child > tr:last-child td:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child,\n.panel > 
.table:last-child > tfoot:last-child > tr:last-child td:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child,\n.panel > .table:last-child > tbody:last-child > tr:last-child th:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child,\n.panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child {\n border-bottom-right-radius: 3px;\n}\n.panel > .panel-body + .table,\n.panel > .panel-body + .table-responsive,\n.panel > .table + .panel-body,\n.panel > .table-responsive + .panel-body {\n border-top: 1px solid #ddd;\n}\n.panel > .table > tbody:first-child > tr:first-child th,\n.panel > .table > tbody:first-child > tr:first-child td {\n border-top: 0;\n}\n.panel > .table-bordered,\n.panel > .table-responsive > .table-bordered {\n border: 0;\n}\n.panel > .table-bordered > thead > tr > th:first-child,\n.panel > .table-responsive > .table-bordered > thead > tr > th:first-child,\n.panel > .table-bordered > tbody > tr > th:first-child,\n.panel > .table-responsive > .table-bordered > tbody > tr > th:first-child,\n.panel > .table-bordered > tfoot > tr > th:first-child,\n.panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child,\n.panel > .table-bordered > thead > tr > td:first-child,\n.panel > .table-responsive > .table-bordered > thead > tr > td:first-child,\n.panel > .table-bordered > tbody > tr > td:first-child,\n.panel > .table-responsive > .table-bordered > tbody > tr > td:first-child,\n.panel > .table-bordered > tfoot > tr > td:first-child,\n.panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child {\n border-left: 0;\n}\n.panel > .table-bordered > thead > tr > th:last-child,\n.panel > .table-responsive > .table-bordered > thead > tr > th:last-child,\n.panel > .table-bordered > tbody > tr 
> th:last-child,\n.panel > .table-responsive > .table-bordered > tbody > tr > th:last-child,\n.panel > .table-bordered > tfoot > tr > th:last-child,\n.panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child,\n.panel > .table-bordered > thead > tr > td:last-child,\n.panel > .table-responsive > .table-bordered > thead > tr > td:last-child,\n.panel > .table-bordered > tbody > tr > td:last-child,\n.panel > .table-responsive > .table-bordered > tbody > tr > td:last-child,\n.panel > .table-bordered > tfoot > tr > td:last-child,\n.panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child {\n border-right: 0;\n}\n.panel > .table-bordered > thead > tr:first-child > td,\n.panel > .table-responsive > .table-bordered > thead > tr:first-child > td,\n.panel > .table-bordered > tbody > tr:first-child > td,\n.panel > .table-responsive > .table-bordered > tbody > tr:first-child > td,\n.panel > .table-bordered > thead > tr:first-child > th,\n.panel > .table-responsive > .table-bordered > thead > tr:first-child > th,\n.panel > .table-bordered > tbody > tr:first-child > th,\n.panel > .table-responsive > .table-bordered > tbody > tr:first-child > th {\n border-bottom: 0;\n}\n.panel > .table-bordered > tbody > tr:last-child > td,\n.panel > .table-responsive > .table-bordered > tbody > tr:last-child > td,\n.panel > .table-bordered > tfoot > tr:last-child > td,\n.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td,\n.panel > .table-bordered > tbody > tr:last-child > th,\n.panel > .table-responsive > .table-bordered > tbody > tr:last-child > th,\n.panel > .table-bordered > tfoot > tr:last-child > th,\n.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th {\n border-bottom: 0;\n}\n.panel > .table-responsive {\n border: 0;\n margin-bottom: 0;\n}\n.panel-group {\n margin-bottom: 20px;\n}\n.panel-group .panel {\n margin-bottom: 0;\n border-radius: 4px;\n}\n.panel-group .panel + .panel {\n margin-top: 5px;\n}\n.panel-group 
.panel-heading {\n border-bottom: 0;\n}\n.panel-group .panel-heading + .panel-collapse > .panel-body,\n.panel-group .panel-heading + .panel-collapse > .list-group {\n border-top: 1px solid #ddd;\n}\n.panel-group .panel-footer {\n border-top: 0;\n}\n.panel-group .panel-footer + .panel-collapse .panel-body {\n border-bottom: 1px solid #ddd;\n}\n.panel-default {\n border-color: #ddd;\n}\n.panel-default > .panel-heading {\n color: #333333;\n background-color: #f5f5f5;\n border-color: #ddd;\n}\n.panel-default > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #ddd;\n}\n.panel-default > .panel-heading .badge {\n color: #f5f5f5;\n background-color: #333333;\n}\n.panel-default > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #ddd;\n}\n.panel-primary {\n border-color: #337ab7;\n}\n.panel-primary > .panel-heading {\n color: #fff;\n background-color: #337ab7;\n border-color: #337ab7;\n}\n.panel-primary > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #337ab7;\n}\n.panel-primary > .panel-heading .badge {\n color: #337ab7;\n background-color: #fff;\n}\n.panel-primary > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #337ab7;\n}\n.panel-success {\n border-color: #d6e9c6;\n}\n.panel-success > .panel-heading {\n color: #3c763d;\n background-color: #dff0d8;\n border-color: #d6e9c6;\n}\n.panel-success > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #d6e9c6;\n}\n.panel-success > .panel-heading .badge {\n color: #dff0d8;\n background-color: #3c763d;\n}\n.panel-success > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #d6e9c6;\n}\n.panel-info {\n border-color: #bce8f1;\n}\n.panel-info > .panel-heading {\n color: #31708f;\n background-color: #d9edf7;\n border-color: #bce8f1;\n}\n.panel-info > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #bce8f1;\n}\n.panel-info > .panel-heading .badge {\n color: #d9edf7;\n background-color: 
#31708f;\n}\n.panel-info > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #bce8f1;\n}\n.panel-warning {\n border-color: #faebcc;\n}\n.panel-warning > .panel-heading {\n color: #8a6d3b;\n background-color: #fcf8e3;\n border-color: #faebcc;\n}\n.panel-warning > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #faebcc;\n}\n.panel-warning > .panel-heading .badge {\n color: #fcf8e3;\n background-color: #8a6d3b;\n}\n.panel-warning > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #faebcc;\n}\n.panel-danger {\n border-color: #ebccd1;\n}\n.panel-danger > .panel-heading {\n color: #a94442;\n background-color: #f2dede;\n border-color: #ebccd1;\n}\n.panel-danger > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #ebccd1;\n}\n.panel-danger > .panel-heading .badge {\n color: #f2dede;\n background-color: #a94442;\n}\n.panel-danger > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #ebccd1;\n}\n.embed-responsive {\n position: relative;\n display: block;\n height: 0;\n padding: 0;\n overflow: hidden;\n}\n.embed-responsive .embed-responsive-item,\n.embed-responsive iframe,\n.embed-responsive embed,\n.embed-responsive object,\n.embed-responsive video {\n position: absolute;\n top: 0;\n left: 0;\n bottom: 0;\n height: 100%;\n width: 100%;\n border: 0;\n}\n.embed-responsive-16by9 {\n padding-bottom: 56.25%;\n}\n.embed-responsive-4by3 {\n padding-bottom: 75%;\n}\n.well {\n min-height: 20px;\n padding: 19px;\n margin-bottom: 20px;\n background-color: #f5f5f5;\n border: 1px solid #e3e3e3;\n border-radius: 4px;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);\n}\n.well blockquote {\n border-color: #ddd;\n border-color: rgba(0, 0, 0, 0.15);\n}\n.well-lg {\n padding: 24px;\n border-radius: 6px;\n}\n.well-sm {\n padding: 9px;\n border-radius: 3px;\n}\n.close {\n float: right;\n font-size: 21px;\n font-weight: bold;\n 
line-height: 1;\n color: #000;\n text-shadow: 0 1px 0 #fff;\n opacity: 0.2;\n filter: alpha(opacity=20);\n}\n.close:hover,\n.close:focus {\n color: #000;\n text-decoration: none;\n cursor: pointer;\n opacity: 0.5;\n filter: alpha(opacity=50);\n}\nbutton.close {\n padding: 0;\n cursor: pointer;\n background: transparent;\n border: 0;\n -webkit-appearance: none;\n}\n.modal-open {\n overflow: hidden;\n}\n.modal {\n display: none;\n overflow: hidden;\n position: fixed;\n top: 0;\n right: 0;\n bottom: 0;\n left: 0;\n z-index: 1050;\n -webkit-overflow-scrolling: touch;\n outline: 0;\n}\n.modal.fade .modal-dialog {\n -webkit-transform: translate(0, -25%);\n -ms-transform: translate(0, -25%);\n -o-transform: translate(0, -25%);\n transform: translate(0, -25%);\n -webkit-transition: -webkit-transform 0.3s ease-out;\n -moz-transition: -moz-transform 0.3s ease-out;\n -o-transition: -o-transform 0.3s ease-out;\n transition: transform 0.3s ease-out;\n}\n.modal.in .modal-dialog {\n -webkit-transform: translate(0, 0);\n -ms-transform: translate(0, 0);\n -o-transform: translate(0, 0);\n transform: translate(0, 0);\n}\n.modal-open .modal {\n overflow-x: hidden;\n overflow-y: auto;\n}\n.modal-dialog {\n position: relative;\n width: auto;\n margin: 10px;\n}\n.modal-content {\n position: relative;\n background-color: #fff;\n border: 1px solid #999;\n border: 1px solid rgba(0, 0, 0, 0.2);\n border-radius: 6px;\n -webkit-box-shadow: 0 3px 9px rgba(0, 0, 0, 0.5);\n box-shadow: 0 3px 9px rgba(0, 0, 0, 0.5);\n background-clip: padding-box;\n outline: 0;\n}\n.modal-backdrop {\n position: fixed;\n top: 0;\n right: 0;\n bottom: 0;\n left: 0;\n z-index: 1040;\n background-color: #000;\n}\n.modal-backdrop.fade {\n opacity: 0;\n filter: alpha(opacity=0);\n}\n.modal-backdrop.in {\n opacity: 0.5;\n filter: alpha(opacity=50);\n}\n.modal-header {\n padding: 15px;\n border-bottom: 1px solid #e5e5e5;\n}\n.modal-header .close {\n margin-top: -2px;\n}\n.modal-title {\n margin: 0;\n line-height: 
1.42857143;\n}\n.modal-body {\n position: relative;\n padding: 15px;\n}\n.modal-footer {\n padding: 15px;\n text-align: right;\n border-top: 1px solid #e5e5e5;\n}\n.modal-footer .btn + .btn {\n margin-left: 5px;\n margin-bottom: 0;\n}\n.modal-footer .btn-group .btn + .btn {\n margin-left: -1px;\n}\n.modal-footer .btn-block + .btn-block {\n margin-left: 0;\n}\n.modal-scrollbar-measure {\n position: absolute;\n top: -9999px;\n width: 50px;\n height: 50px;\n overflow: scroll;\n}\n@media (min-width: 768px) {\n .modal-dialog {\n width: 600px;\n margin: 30px auto;\n }\n .modal-content {\n -webkit-box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);\n box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);\n }\n .modal-sm {\n width: 300px;\n }\n}\n@media (min-width: 992px) {\n .modal-lg {\n width: 900px;\n }\n}\n.tooltip {\n position: absolute;\n z-index: 1070;\n display: block;\n font-family: \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n font-style: normal;\n font-weight: normal;\n letter-spacing: normal;\n line-break: auto;\n line-height: 1.42857143;\n text-align: left;\n text-align: start;\n text-decoration: none;\n text-shadow: none;\n text-transform: none;\n white-space: normal;\n word-break: normal;\n word-spacing: normal;\n word-wrap: normal;\n font-size: 12px;\n opacity: 0;\n filter: alpha(opacity=0);\n}\n.tooltip.in {\n opacity: 0.9;\n filter: alpha(opacity=90);\n}\n.tooltip.top {\n margin-top: -3px;\n padding: 5px 0;\n}\n.tooltip.right {\n margin-left: 3px;\n padding: 0 5px;\n}\n.tooltip.bottom {\n margin-top: 3px;\n padding: 5px 0;\n}\n.tooltip.left {\n margin-left: -3px;\n padding: 0 5px;\n}\n.tooltip-inner {\n max-width: 200px;\n padding: 3px 8px;\n color: #fff;\n text-align: center;\n background-color: #000;\n border-radius: 4px;\n}\n.tooltip-arrow {\n position: absolute;\n width: 0;\n height: 0;\n border-color: transparent;\n border-style: solid;\n}\n.tooltip.top .tooltip-arrow {\n bottom: 0;\n left: 50%;\n margin-left: -5px;\n border-width: 5px 5px 0;\n border-top-color: 
#000;\n}\n.tooltip.top-left .tooltip-arrow {\n bottom: 0;\n right: 5px;\n margin-bottom: -5px;\n border-width: 5px 5px 0;\n border-top-color: #000;\n}\n.tooltip.top-right .tooltip-arrow {\n bottom: 0;\n left: 5px;\n margin-bottom: -5px;\n border-width: 5px 5px 0;\n border-top-color: #000;\n}\n.tooltip.right .tooltip-arrow {\n top: 50%;\n left: 0;\n margin-top: -5px;\n border-width: 5px 5px 5px 0;\n border-right-color: #000;\n}\n.tooltip.left .tooltip-arrow {\n top: 50%;\n right: 0;\n margin-top: -5px;\n border-width: 5px 0 5px 5px;\n border-left-color: #000;\n}\n.tooltip.bottom .tooltip-arrow {\n top: 0;\n left: 50%;\n margin-left: -5px;\n border-width: 0 5px 5px;\n border-bottom-color: #000;\n}\n.tooltip.bottom-left .tooltip-arrow {\n top: 0;\n right: 5px;\n margin-top: -5px;\n border-width: 0 5px 5px;\n border-bottom-color: #000;\n}\n.tooltip.bottom-right .tooltip-arrow {\n top: 0;\n left: 5px;\n margin-top: -5px;\n border-width: 0 5px 5px;\n border-bottom-color: #000;\n}\n.popover {\n position: absolute;\n top: 0;\n left: 0;\n z-index: 1060;\n display: none;\n max-width: 276px;\n padding: 1px;\n font-family: \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n font-style: normal;\n font-weight: normal;\n letter-spacing: normal;\n line-break: auto;\n line-height: 1.42857143;\n text-align: left;\n text-align: start;\n text-decoration: none;\n text-shadow: none;\n text-transform: none;\n white-space: normal;\n word-break: normal;\n word-spacing: normal;\n word-wrap: normal;\n font-size: 14px;\n background-color: #fff;\n background-clip: padding-box;\n border: 1px solid #ccc;\n border: 1px solid rgba(0, 0, 0, 0.2);\n border-radius: 6px;\n -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.2);\n box-shadow: 0 5px 10px rgba(0, 0, 0, 0.2);\n}\n.popover.top {\n margin-top: -10px;\n}\n.popover.right {\n margin-left: 10px;\n}\n.popover.bottom {\n margin-top: 10px;\n}\n.popover.left {\n margin-left: -10px;\n}\n.popover-title {\n margin: 0;\n padding: 8px 14px;\n font-size: 
14px;\n background-color: #f7f7f7;\n border-bottom: 1px solid #ebebeb;\n border-radius: 5px 5px 0 0;\n}\n.popover-content {\n padding: 9px 14px;\n}\n.popover > .arrow,\n.popover > .arrow:after {\n position: absolute;\n display: block;\n width: 0;\n height: 0;\n border-color: transparent;\n border-style: solid;\n}\n.popover > .arrow {\n border-width: 11px;\n}\n.popover > .arrow:after {\n border-width: 10px;\n content: \"\";\n}\n.popover.top > .arrow {\n left: 50%;\n margin-left: -11px;\n border-bottom-width: 0;\n border-top-color: #999999;\n border-top-color: rgba(0, 0, 0, 0.25);\n bottom: -11px;\n}\n.popover.top > .arrow:after {\n content: \" \";\n bottom: 1px;\n margin-left: -10px;\n border-bottom-width: 0;\n border-top-color: #fff;\n}\n.popover.right > .arrow {\n top: 50%;\n left: -11px;\n margin-top: -11px;\n border-left-width: 0;\n border-right-color: #999999;\n border-right-color: rgba(0, 0, 0, 0.25);\n}\n.popover.right > .arrow:after {\n content: \" \";\n left: 1px;\n bottom: -10px;\n border-left-width: 0;\n border-right-color: #fff;\n}\n.popover.bottom > .arrow {\n left: 50%;\n margin-left: -11px;\n border-top-width: 0;\n border-bottom-color: #999999;\n border-bottom-color: rgba(0, 0, 0, 0.25);\n top: -11px;\n}\n.popover.bottom > .arrow:after {\n content: \" \";\n top: 1px;\n margin-left: -10px;\n border-top-width: 0;\n border-bottom-color: #fff;\n}\n.popover.left > .arrow {\n top: 50%;\n right: -11px;\n margin-top: -11px;\n border-right-width: 0;\n border-left-color: #999999;\n border-left-color: rgba(0, 0, 0, 0.25);\n}\n.popover.left > .arrow:after {\n content: \" \";\n right: 1px;\n border-right-width: 0;\n border-left-color: #fff;\n bottom: -10px;\n}\n.carousel {\n position: relative;\n}\n.carousel-inner {\n position: relative;\n overflow: hidden;\n width: 100%;\n}\n.carousel-inner > .item {\n display: none;\n position: relative;\n -webkit-transition: 0.6s ease-in-out left;\n -o-transition: 0.6s ease-in-out left;\n transition: 0.6s ease-in-out 
left;\n}\n.carousel-inner > .item > img,\n.carousel-inner > .item > a > img {\n line-height: 1;\n}\n@media all and (transform-3d), (-webkit-transform-3d) {\n .carousel-inner > .item {\n -webkit-transition: -webkit-transform 0.6s ease-in-out;\n -moz-transition: -moz-transform 0.6s ease-in-out;\n -o-transition: -o-transform 0.6s ease-in-out;\n transition: transform 0.6s ease-in-out;\n -webkit-backface-visibility: hidden;\n -moz-backface-visibility: hidden;\n backface-visibility: hidden;\n -webkit-perspective: 1000px;\n -moz-perspective: 1000px;\n perspective: 1000px;\n }\n .carousel-inner > .item.next,\n .carousel-inner > .item.active.right {\n -webkit-transform: translate3d(100%, 0, 0);\n transform: translate3d(100%, 0, 0);\n left: 0;\n }\n .carousel-inner > .item.prev,\n .carousel-inner > .item.active.left {\n -webkit-transform: translate3d(-100%, 0, 0);\n transform: translate3d(-100%, 0, 0);\n left: 0;\n }\n .carousel-inner > .item.next.left,\n .carousel-inner > .item.prev.right,\n .carousel-inner > .item.active {\n -webkit-transform: translate3d(0, 0, 0);\n transform: translate3d(0, 0, 0);\n left: 0;\n }\n}\n.carousel-inner > .active,\n.carousel-inner > .next,\n.carousel-inner > .prev {\n display: block;\n}\n.carousel-inner > .active {\n left: 0;\n}\n.carousel-inner > .next,\n.carousel-inner > .prev {\n position: absolute;\n top: 0;\n width: 100%;\n}\n.carousel-inner > .next {\n left: 100%;\n}\n.carousel-inner > .prev {\n left: -100%;\n}\n.carousel-inner > .next.left,\n.carousel-inner > .prev.right {\n left: 0;\n}\n.carousel-inner > .active.left {\n left: -100%;\n}\n.carousel-inner > .active.right {\n left: 100%;\n}\n.carousel-control {\n position: absolute;\n top: 0;\n left: 0;\n bottom: 0;\n width: 15%;\n opacity: 0.5;\n filter: alpha(opacity=50);\n font-size: 20px;\n color: #fff;\n text-align: center;\n text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);\n background-color: rgba(0, 0, 0, 0);\n}\n.carousel-control.left {\n background-image: -webkit-linear-gradient(left, 
rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);\n background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);\n background-image: linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);\n background-repeat: repeat-x;\n filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);\n}\n.carousel-control.right {\n left: auto;\n right: 0;\n background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);\n background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);\n background-image: linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);\n background-repeat: repeat-x;\n filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);\n}\n.carousel-control:hover,\n.carousel-control:focus {\n outline: 0;\n color: #fff;\n text-decoration: none;\n opacity: 0.9;\n filter: alpha(opacity=90);\n}\n.carousel-control .icon-prev,\n.carousel-control .icon-next,\n.carousel-control .glyphicon-chevron-left,\n.carousel-control .glyphicon-chevron-right {\n position: absolute;\n top: 50%;\n margin-top: -10px;\n z-index: 5;\n display: inline-block;\n}\n.carousel-control .icon-prev,\n.carousel-control .glyphicon-chevron-left {\n left: 50%;\n margin-left: -10px;\n}\n.carousel-control .icon-next,\n.carousel-control .glyphicon-chevron-right {\n right: 50%;\n margin-right: -10px;\n}\n.carousel-control .icon-prev,\n.carousel-control .icon-next {\n width: 20px;\n height: 20px;\n line-height: 1;\n font-family: serif;\n}\n.carousel-control .icon-prev:before {\n content: '\\2039';\n}\n.carousel-control .icon-next:before {\n content: '\\203a';\n}\n.carousel-indicators {\n position: absolute;\n bottom: 10px;\n left: 50%;\n z-index: 15;\n width: 60%;\n margin-left: -30%;\n padding-left: 0;\n list-style: none;\n text-align: 
center;\n}\n.carousel-indicators li {\n display: inline-block;\n width: 10px;\n height: 10px;\n margin: 1px;\n text-indent: -999px;\n border: 1px solid #fff;\n border-radius: 10px;\n cursor: pointer;\n background-color: #000 \\9;\n background-color: rgba(0, 0, 0, 0);\n}\n.carousel-indicators .active {\n margin: 0;\n width: 12px;\n height: 12px;\n background-color: #fff;\n}\n.carousel-caption {\n position: absolute;\n left: 15%;\n right: 15%;\n bottom: 20px;\n z-index: 10;\n padding-top: 20px;\n padding-bottom: 20px;\n color: #fff;\n text-align: center;\n text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);\n}\n.carousel-caption .btn {\n text-shadow: none;\n}\n@media screen and (min-width: 768px) {\n .carousel-control .glyphicon-chevron-left,\n .carousel-control .glyphicon-chevron-right,\n .carousel-control .icon-prev,\n .carousel-control .icon-next {\n width: 30px;\n height: 30px;\n margin-top: -10px;\n font-size: 30px;\n }\n .carousel-control .glyphicon-chevron-left,\n .carousel-control .icon-prev {\n margin-left: -10px;\n }\n .carousel-control .glyphicon-chevron-right,\n .carousel-control .icon-next {\n margin-right: -10px;\n }\n .carousel-caption {\n left: 20%;\n right: 20%;\n padding-bottom: 30px;\n }\n .carousel-indicators {\n bottom: 20px;\n }\n}\n.clearfix:before,\n.clearfix:after,\n.dl-horizontal dd:before,\n.dl-horizontal dd:after,\n.container:before,\n.container:after,\n.container-fluid:before,\n.container-fluid:after,\n.row:before,\n.row:after,\n.form-horizontal .form-group:before,\n.form-horizontal .form-group:after,\n.btn-toolbar:before,\n.btn-toolbar:after,\n.btn-group-vertical > .btn-group:before,\n.btn-group-vertical > .btn-group:after,\n.nav:before,\n.nav:after,\n.navbar:before,\n.navbar:after,\n.navbar-header:before,\n.navbar-header:after,\n.navbar-collapse:before,\n.navbar-collapse:after,\n.pager:before,\n.pager:after,\n.panel-body:before,\n.panel-body:after,\n.modal-header:before,\n.modal-header:after,\n.modal-footer:before,\n.modal-footer:after {\n 
content: \" \";\n display: table;\n}\n.clearfix:after,\n.dl-horizontal dd:after,\n.container:after,\n.container-fluid:after,\n.row:after,\n.form-horizontal .form-group:after,\n.btn-toolbar:after,\n.btn-group-vertical > .btn-group:after,\n.nav:after,\n.navbar:after,\n.navbar-header:after,\n.navbar-collapse:after,\n.pager:after,\n.panel-body:after,\n.modal-header:after,\n.modal-footer:after {\n clear: both;\n}\n.center-block {\n display: block;\n margin-left: auto;\n margin-right: auto;\n}\n.pull-right {\n float: right !important;\n}\n.pull-left {\n float: left !important;\n}\n.hide {\n display: none !important;\n}\n.show {\n display: block !important;\n}\n.invisible {\n visibility: hidden;\n}\n.text-hide {\n font: 0/0 a;\n color: transparent;\n text-shadow: none;\n background-color: transparent;\n border: 0;\n}\n.hidden {\n display: none !important;\n}\n.affix {\n position: fixed;\n}\n@-ms-viewport {\n width: device-width;\n}\n.visible-xs,\n.visible-sm,\n.visible-md,\n.visible-lg {\n display: none !important;\n}\n.visible-xs-block,\n.visible-xs-inline,\n.visible-xs-inline-block,\n.visible-sm-block,\n.visible-sm-inline,\n.visible-sm-inline-block,\n.visible-md-block,\n.visible-md-inline,\n.visible-md-inline-block,\n.visible-lg-block,\n.visible-lg-inline,\n.visible-lg-inline-block {\n display: none !important;\n}\n@media (max-width: 767px) {\n .visible-xs {\n display: block !important;\n }\n table.visible-xs {\n display: table !important;\n }\n tr.visible-xs {\n display: table-row !important;\n }\n th.visible-xs,\n td.visible-xs {\n display: table-cell !important;\n }\n}\n@media (max-width: 767px) {\n .visible-xs-block {\n display: block !important;\n }\n}\n@media (max-width: 767px) {\n .visible-xs-inline {\n display: inline !important;\n }\n}\n@media (max-width: 767px) {\n .visible-xs-inline-block {\n display: inline-block !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .visible-sm {\n display: block !important;\n }\n table.visible-sm {\n 
display: table !important;\n }\n tr.visible-sm {\n display: table-row !important;\n }\n th.visible-sm,\n td.visible-sm {\n display: table-cell !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .visible-sm-block {\n display: block !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .visible-sm-inline {\n display: inline !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .visible-sm-inline-block {\n display: inline-block !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .visible-md {\n display: block !important;\n }\n table.visible-md {\n display: table !important;\n }\n tr.visible-md {\n display: table-row !important;\n }\n th.visible-md,\n td.visible-md {\n display: table-cell !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .visible-md-block {\n display: block !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .visible-md-inline {\n display: inline !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .visible-md-inline-block {\n display: inline-block !important;\n }\n}\n@media (min-width: 1200px) {\n .visible-lg {\n display: block !important;\n }\n table.visible-lg {\n display: table !important;\n }\n tr.visible-lg {\n display: table-row !important;\n }\n th.visible-lg,\n td.visible-lg {\n display: table-cell !important;\n }\n}\n@media (min-width: 1200px) {\n .visible-lg-block {\n display: block !important;\n }\n}\n@media (min-width: 1200px) {\n .visible-lg-inline {\n display: inline !important;\n }\n}\n@media (min-width: 1200px) {\n .visible-lg-inline-block {\n display: inline-block !important;\n }\n}\n@media (max-width: 767px) {\n .hidden-xs {\n display: none !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .hidden-sm {\n display: none !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .hidden-md {\n display: none !important;\n }\n}\n@media (min-width: 1200px) 
{\n .hidden-lg {\n display: none !important;\n }\n}\n.visible-print {\n display: none !important;\n}\n@media print {\n .visible-print {\n display: block !important;\n }\n table.visible-print {\n display: table !important;\n }\n tr.visible-print {\n display: table-row !important;\n }\n th.visible-print,\n td.visible-print {\n display: table-cell !important;\n }\n}\n.visible-print-block {\n display: none !important;\n}\n@media print {\n .visible-print-block {\n display: block !important;\n }\n}\n.visible-print-inline {\n display: none !important;\n}\n@media print {\n .visible-print-inline {\n display: inline !important;\n }\n}\n.visible-print-inline-block {\n display: none !important;\n}\n@media print {\n .visible-print-inline-block {\n display: inline-block !important;\n }\n}\n@media print {\n .hidden-print {\n display: none !important;\n }\n}\n/*# sourceMappingURL=bootstrap.css.map */","/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n * Copyright 2011-2017 Twitter, Inc.\n * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)\n */\n/*! 
normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */\nhtml {\n font-family: sans-serif;\n -webkit-text-size-adjust: 100%;\n -ms-text-size-adjust: 100%;\n}\nbody {\n margin: 0;\n}\narticle,\naside,\ndetails,\nfigcaption,\nfigure,\nfooter,\nheader,\nhgroup,\nmain,\nmenu,\nnav,\nsection,\nsummary {\n display: block;\n}\naudio,\ncanvas,\nprogress,\nvideo {\n display: inline-block;\n vertical-align: baseline;\n}\naudio:not([controls]) {\n display: none;\n height: 0;\n}\n[hidden],\ntemplate {\n display: none;\n}\na {\n background-color: transparent;\n}\na:active,\na:hover {\n outline: 0;\n}\nabbr[title] {\n border-bottom: 1px dotted;\n}\nb,\nstrong {\n font-weight: bold;\n}\ndfn {\n font-style: italic;\n}\nh1 {\n margin: .67em 0;\n font-size: 2em;\n}\nmark {\n color: #000;\n background: #ff0;\n}\nsmall {\n font-size: 80%;\n}\nsub,\nsup {\n position: relative;\n font-size: 75%;\n line-height: 0;\n vertical-align: baseline;\n}\nsup {\n top: -.5em;\n}\nsub {\n bottom: -.25em;\n}\nimg {\n border: 0;\n}\nsvg:not(:root) {\n overflow: hidden;\n}\nfigure {\n margin: 1em 40px;\n}\nhr {\n height: 0;\n -webkit-box-sizing: content-box;\n -moz-box-sizing: content-box;\n box-sizing: content-box;\n}\npre {\n overflow: auto;\n}\ncode,\nkbd,\npre,\nsamp {\n font-family: monospace, monospace;\n font-size: 1em;\n}\nbutton,\ninput,\noptgroup,\nselect,\ntextarea {\n margin: 0;\n font: inherit;\n color: inherit;\n}\nbutton {\n overflow: visible;\n}\nbutton,\nselect {\n text-transform: none;\n}\nbutton,\nhtml input[type=\"button\"],\ninput[type=\"reset\"],\ninput[type=\"submit\"] {\n -webkit-appearance: button;\n cursor: pointer;\n}\nbutton[disabled],\nhtml input[disabled] {\n cursor: default;\n}\nbutton::-moz-focus-inner,\ninput::-moz-focus-inner {\n padding: 0;\n border: 0;\n}\ninput {\n line-height: normal;\n}\ninput[type=\"checkbox\"],\ninput[type=\"radio\"] {\n -webkit-box-sizing: border-box;\n -moz-box-sizing: border-box;\n box-sizing: border-box;\n padding: 
0;\n}\ninput[type=\"number\"]::-webkit-inner-spin-button,\ninput[type=\"number\"]::-webkit-outer-spin-button {\n height: auto;\n}\ninput[type=\"search\"] {\n -webkit-box-sizing: content-box;\n -moz-box-sizing: content-box;\n box-sizing: content-box;\n -webkit-appearance: textfield;\n}\ninput[type=\"search\"]::-webkit-search-cancel-button,\ninput[type=\"search\"]::-webkit-search-decoration {\n -webkit-appearance: none;\n}\nfieldset {\n padding: .35em .625em .75em;\n margin: 0 2px;\n border: 1px solid #c0c0c0;\n}\nlegend {\n padding: 0;\n border: 0;\n}\ntextarea {\n overflow: auto;\n}\noptgroup {\n font-weight: bold;\n}\ntable {\n border-spacing: 0;\n border-collapse: collapse;\n}\ntd,\nth {\n padding: 0;\n}\n/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */\n@media print {\n *,\n *:before,\n *:after {\n color: #000 !important;\n text-shadow: none !important;\n background: transparent !important;\n -webkit-box-shadow: none !important;\n box-shadow: none !important;\n }\n a,\n a:visited {\n text-decoration: underline;\n }\n a[href]:after {\n content: \" (\" attr(href) \")\";\n }\n abbr[title]:after {\n content: \" (\" attr(title) \")\";\n }\n a[href^=\"#\"]:after,\n a[href^=\"javascript:\"]:after {\n content: \"\";\n }\n pre,\n blockquote {\n border: 1px solid #999;\n\n page-break-inside: avoid;\n }\n thead {\n display: table-header-group;\n }\n tr,\n img {\n page-break-inside: avoid;\n }\n img {\n max-width: 100% !important;\n }\n p,\n h2,\n h3 {\n orphans: 3;\n widows: 3;\n }\n h2,\n h3 {\n page-break-after: avoid;\n }\n .navbar {\n display: none;\n }\n .btn > .caret,\n .dropup > .btn > .caret {\n border-top-color: #000 !important;\n }\n .label {\n border: 1px solid #000;\n }\n .table {\n border-collapse: collapse !important;\n }\n .table td,\n .table th {\n background-color: #fff !important;\n }\n .table-bordered th,\n .table-bordered td {\n border: 1px solid #ddd !important;\n }\n}\n@font-face {\n font-family: 'Glyphicons 
Halflings';\n\n src: url('../fonts/glyphicons-halflings-regular.eot');\n src: url('../fonts/glyphicons-halflings-regular.eot?#iefix') format('embedded-opentype'), url('../fonts/glyphicons-halflings-regular.woff2') format('woff2'), url('../fonts/glyphicons-halflings-regular.woff') format('woff'), url('../fonts/glyphicons-halflings-regular.ttf') format('truetype'), url('../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular') format('svg');\n}\n.glyphicon {\n position: relative;\n top: 1px;\n display: inline-block;\n font-family: 'Glyphicons Halflings';\n font-style: normal;\n font-weight: normal;\n line-height: 1;\n\n -webkit-font-smoothing: antialiased;\n -moz-osx-font-smoothing: grayscale;\n}\n.glyphicon-asterisk:before {\n content: \"\\002a\";\n}\n.glyphicon-plus:before {\n content: \"\\002b\";\n}\n.glyphicon-euro:before,\n.glyphicon-eur:before {\n content: \"\\20ac\";\n}\n.glyphicon-minus:before {\n content: \"\\2212\";\n}\n.glyphicon-cloud:before {\n content: \"\\2601\";\n}\n.glyphicon-envelope:before {\n content: \"\\2709\";\n}\n.glyphicon-pencil:before {\n content: \"\\270f\";\n}\n.glyphicon-glass:before {\n content: \"\\e001\";\n}\n.glyphicon-music:before {\n content: \"\\e002\";\n}\n.glyphicon-search:before {\n content: \"\\e003\";\n}\n.glyphicon-heart:before {\n content: \"\\e005\";\n}\n.glyphicon-star:before {\n content: \"\\e006\";\n}\n.glyphicon-star-empty:before {\n content: \"\\e007\";\n}\n.glyphicon-user:before {\n content: \"\\e008\";\n}\n.glyphicon-film:before {\n content: \"\\e009\";\n}\n.glyphicon-th-large:before {\n content: \"\\e010\";\n}\n.glyphicon-th:before {\n content: \"\\e011\";\n}\n.glyphicon-th-list:before {\n content: \"\\e012\";\n}\n.glyphicon-ok:before {\n content: \"\\e013\";\n}\n.glyphicon-remove:before {\n content: \"\\e014\";\n}\n.glyphicon-zoom-in:before {\n content: \"\\e015\";\n}\n.glyphicon-zoom-out:before {\n content: \"\\e016\";\n}\n.glyphicon-off:before {\n content: \"\\e017\";\n}\n.glyphicon-signal:before 
{\n content: \"\\e018\";\n}\n.glyphicon-cog:before {\n content: \"\\e019\";\n}\n.glyphicon-trash:before {\n content: \"\\e020\";\n}\n.glyphicon-home:before {\n content: \"\\e021\";\n}\n.glyphicon-file:before {\n content: \"\\e022\";\n}\n.glyphicon-time:before {\n content: \"\\e023\";\n}\n.glyphicon-road:before {\n content: \"\\e024\";\n}\n.glyphicon-download-alt:before {\n content: \"\\e025\";\n}\n.glyphicon-download:before {\n content: \"\\e026\";\n}\n.glyphicon-upload:before {\n content: \"\\e027\";\n}\n.glyphicon-inbox:before {\n content: \"\\e028\";\n}\n.glyphicon-play-circle:before {\n content: \"\\e029\";\n}\n.glyphicon-repeat:before {\n content: \"\\e030\";\n}\n.glyphicon-refresh:before {\n content: \"\\e031\";\n}\n.glyphicon-list-alt:before {\n content: \"\\e032\";\n}\n.glyphicon-lock:before {\n content: \"\\e033\";\n}\n.glyphicon-flag:before {\n content: \"\\e034\";\n}\n.glyphicon-headphones:before {\n content: \"\\e035\";\n}\n.glyphicon-volume-off:before {\n content: \"\\e036\";\n}\n.glyphicon-volume-down:before {\n content: \"\\e037\";\n}\n.glyphicon-volume-up:before {\n content: \"\\e038\";\n}\n.glyphicon-qrcode:before {\n content: \"\\e039\";\n}\n.glyphicon-barcode:before {\n content: \"\\e040\";\n}\n.glyphicon-tag:before {\n content: \"\\e041\";\n}\n.glyphicon-tags:before {\n content: \"\\e042\";\n}\n.glyphicon-book:before {\n content: \"\\e043\";\n}\n.glyphicon-bookmark:before {\n content: \"\\e044\";\n}\n.glyphicon-print:before {\n content: \"\\e045\";\n}\n.glyphicon-camera:before {\n content: \"\\e046\";\n}\n.glyphicon-font:before {\n content: \"\\e047\";\n}\n.glyphicon-bold:before {\n content: \"\\e048\";\n}\n.glyphicon-italic:before {\n content: \"\\e049\";\n}\n.glyphicon-text-height:before {\n content: \"\\e050\";\n}\n.glyphicon-text-width:before {\n content: \"\\e051\";\n}\n.glyphicon-align-left:before {\n content: \"\\e052\";\n}\n.glyphicon-align-center:before {\n content: \"\\e053\";\n}\n.glyphicon-align-right:before {\n content: 
\"\\e054\";\n}\n.glyphicon-align-justify:before {\n content: \"\\e055\";\n}\n.glyphicon-list:before {\n content: \"\\e056\";\n}\n.glyphicon-indent-left:before {\n content: \"\\e057\";\n}\n.glyphicon-indent-right:before {\n content: \"\\e058\";\n}\n.glyphicon-facetime-video:before {\n content: \"\\e059\";\n}\n.glyphicon-picture:before {\n content: \"\\e060\";\n}\n.glyphicon-map-marker:before {\n content: \"\\e062\";\n}\n.glyphicon-adjust:before {\n content: \"\\e063\";\n}\n.glyphicon-tint:before {\n content: \"\\e064\";\n}\n.glyphicon-edit:before {\n content: \"\\e065\";\n}\n.glyphicon-share:before {\n content: \"\\e066\";\n}\n.glyphicon-check:before {\n content: \"\\e067\";\n}\n.glyphicon-move:before {\n content: \"\\e068\";\n}\n.glyphicon-step-backward:before {\n content: \"\\e069\";\n}\n.glyphicon-fast-backward:before {\n content: \"\\e070\";\n}\n.glyphicon-backward:before {\n content: \"\\e071\";\n}\n.glyphicon-play:before {\n content: \"\\e072\";\n}\n.glyphicon-pause:before {\n content: \"\\e073\";\n}\n.glyphicon-stop:before {\n content: \"\\e074\";\n}\n.glyphicon-forward:before {\n content: \"\\e075\";\n}\n.glyphicon-fast-forward:before {\n content: \"\\e076\";\n}\n.glyphicon-step-forward:before {\n content: \"\\e077\";\n}\n.glyphicon-eject:before {\n content: \"\\e078\";\n}\n.glyphicon-chevron-left:before {\n content: \"\\e079\";\n}\n.glyphicon-chevron-right:before {\n content: \"\\e080\";\n}\n.glyphicon-plus-sign:before {\n content: \"\\e081\";\n}\n.glyphicon-minus-sign:before {\n content: \"\\e082\";\n}\n.glyphicon-remove-sign:before {\n content: \"\\e083\";\n}\n.glyphicon-ok-sign:before {\n content: \"\\e084\";\n}\n.glyphicon-question-sign:before {\n content: \"\\e085\";\n}\n.glyphicon-info-sign:before {\n content: \"\\e086\";\n}\n.glyphicon-screenshot:before {\n content: \"\\e087\";\n}\n.glyphicon-remove-circle:before {\n content: \"\\e088\";\n}\n.glyphicon-ok-circle:before {\n content: \"\\e089\";\n}\n.glyphicon-ban-circle:before {\n content: 
\"\\e090\";\n}\n.glyphicon-arrow-left:before {\n content: \"\\e091\";\n}\n.glyphicon-arrow-right:before {\n content: \"\\e092\";\n}\n.glyphicon-arrow-up:before {\n content: \"\\e093\";\n}\n.glyphicon-arrow-down:before {\n content: \"\\e094\";\n}\n.glyphicon-share-alt:before {\n content: \"\\e095\";\n}\n.glyphicon-resize-full:before {\n content: \"\\e096\";\n}\n.glyphicon-resize-small:before {\n content: \"\\e097\";\n}\n.glyphicon-exclamation-sign:before {\n content: \"\\e101\";\n}\n.glyphicon-gift:before {\n content: \"\\e102\";\n}\n.glyphicon-leaf:before {\n content: \"\\e103\";\n}\n.glyphicon-fire:before {\n content: \"\\e104\";\n}\n.glyphicon-eye-open:before {\n content: \"\\e105\";\n}\n.glyphicon-eye-close:before {\n content: \"\\e106\";\n}\n.glyphicon-warning-sign:before {\n content: \"\\e107\";\n}\n.glyphicon-plane:before {\n content: \"\\e108\";\n}\n.glyphicon-calendar:before {\n content: \"\\e109\";\n}\n.glyphicon-random:before {\n content: \"\\e110\";\n}\n.glyphicon-comment:before {\n content: \"\\e111\";\n}\n.glyphicon-magnet:before {\n content: \"\\e112\";\n}\n.glyphicon-chevron-up:before {\n content: \"\\e113\";\n}\n.glyphicon-chevron-down:before {\n content: \"\\e114\";\n}\n.glyphicon-retweet:before {\n content: \"\\e115\";\n}\n.glyphicon-shopping-cart:before {\n content: \"\\e116\";\n}\n.glyphicon-folder-close:before {\n content: \"\\e117\";\n}\n.glyphicon-folder-open:before {\n content: \"\\e118\";\n}\n.glyphicon-resize-vertical:before {\n content: \"\\e119\";\n}\n.glyphicon-resize-horizontal:before {\n content: \"\\e120\";\n}\n.glyphicon-hdd:before {\n content: \"\\e121\";\n}\n.glyphicon-bullhorn:before {\n content: \"\\e122\";\n}\n.glyphicon-bell:before {\n content: \"\\e123\";\n}\n.glyphicon-certificate:before {\n content: \"\\e124\";\n}\n.glyphicon-thumbs-up:before {\n content: \"\\e125\";\n}\n.glyphicon-thumbs-down:before {\n content: \"\\e126\";\n}\n.glyphicon-hand-right:before {\n content: \"\\e127\";\n}\n.glyphicon-hand-left:before {\n 
content: \"\\e128\";\n}\n.glyphicon-hand-up:before {\n content: \"\\e129\";\n}\n.glyphicon-hand-down:before {\n content: \"\\e130\";\n}\n.glyphicon-circle-arrow-right:before {\n content: \"\\e131\";\n}\n.glyphicon-circle-arrow-left:before {\n content: \"\\e132\";\n}\n.glyphicon-circle-arrow-up:before {\n content: \"\\e133\";\n}\n.glyphicon-circle-arrow-down:before {\n content: \"\\e134\";\n}\n.glyphicon-globe:before {\n content: \"\\e135\";\n}\n.glyphicon-wrench:before {\n content: \"\\e136\";\n}\n.glyphicon-tasks:before {\n content: \"\\e137\";\n}\n.glyphicon-filter:before {\n content: \"\\e138\";\n}\n.glyphicon-briefcase:before {\n content: \"\\e139\";\n}\n.glyphicon-fullscreen:before {\n content: \"\\e140\";\n}\n.glyphicon-dashboard:before {\n content: \"\\e141\";\n}\n.glyphicon-paperclip:before {\n content: \"\\e142\";\n}\n.glyphicon-heart-empty:before {\n content: \"\\e143\";\n}\n.glyphicon-link:before {\n content: \"\\e144\";\n}\n.glyphicon-phone:before {\n content: \"\\e145\";\n}\n.glyphicon-pushpin:before {\n content: \"\\e146\";\n}\n.glyphicon-usd:before {\n content: \"\\e148\";\n}\n.glyphicon-gbp:before {\n content: \"\\e149\";\n}\n.glyphicon-sort:before {\n content: \"\\e150\";\n}\n.glyphicon-sort-by-alphabet:before {\n content: \"\\e151\";\n}\n.glyphicon-sort-by-alphabet-alt:before {\n content: \"\\e152\";\n}\n.glyphicon-sort-by-order:before {\n content: \"\\e153\";\n}\n.glyphicon-sort-by-order-alt:before {\n content: \"\\e154\";\n}\n.glyphicon-sort-by-attributes:before {\n content: \"\\e155\";\n}\n.glyphicon-sort-by-attributes-alt:before {\n content: \"\\e156\";\n}\n.glyphicon-unchecked:before {\n content: \"\\e157\";\n}\n.glyphicon-expand:before {\n content: \"\\e158\";\n}\n.glyphicon-collapse-down:before {\n content: \"\\e159\";\n}\n.glyphicon-collapse-up:before {\n content: \"\\e160\";\n}\n.glyphicon-log-in:before {\n content: \"\\e161\";\n}\n.glyphicon-flash:before {\n content: \"\\e162\";\n}\n.glyphicon-log-out:before {\n content: 
\"\\e163\";\n}\n.glyphicon-new-window:before {\n content: \"\\e164\";\n}\n.glyphicon-record:before {\n content: \"\\e165\";\n}\n.glyphicon-save:before {\n content: \"\\e166\";\n}\n.glyphicon-open:before {\n content: \"\\e167\";\n}\n.glyphicon-saved:before {\n content: \"\\e168\";\n}\n.glyphicon-import:before {\n content: \"\\e169\";\n}\n.glyphicon-export:before {\n content: \"\\e170\";\n}\n.glyphicon-send:before {\n content: \"\\e171\";\n}\n.glyphicon-floppy-disk:before {\n content: \"\\e172\";\n}\n.glyphicon-floppy-saved:before {\n content: \"\\e173\";\n}\n.glyphicon-floppy-remove:before {\n content: \"\\e174\";\n}\n.glyphicon-floppy-save:before {\n content: \"\\e175\";\n}\n.glyphicon-floppy-open:before {\n content: \"\\e176\";\n}\n.glyphicon-credit-card:before {\n content: \"\\e177\";\n}\n.glyphicon-transfer:before {\n content: \"\\e178\";\n}\n.glyphicon-cutlery:before {\n content: \"\\e179\";\n}\n.glyphicon-header:before {\n content: \"\\e180\";\n}\n.glyphicon-compressed:before {\n content: \"\\e181\";\n}\n.glyphicon-earphone:before {\n content: \"\\e182\";\n}\n.glyphicon-phone-alt:before {\n content: \"\\e183\";\n}\n.glyphicon-tower:before {\n content: \"\\e184\";\n}\n.glyphicon-stats:before {\n content: \"\\e185\";\n}\n.glyphicon-sd-video:before {\n content: \"\\e186\";\n}\n.glyphicon-hd-video:before {\n content: \"\\e187\";\n}\n.glyphicon-subtitles:before {\n content: \"\\e188\";\n}\n.glyphicon-sound-stereo:before {\n content: \"\\e189\";\n}\n.glyphicon-sound-dolby:before {\n content: \"\\e190\";\n}\n.glyphicon-sound-5-1:before {\n content: \"\\e191\";\n}\n.glyphicon-sound-6-1:before {\n content: \"\\e192\";\n}\n.glyphicon-sound-7-1:before {\n content: \"\\e193\";\n}\n.glyphicon-copyright-mark:before {\n content: \"\\e194\";\n}\n.glyphicon-registration-mark:before {\n content: \"\\e195\";\n}\n.glyphicon-cloud-download:before {\n content: \"\\e197\";\n}\n.glyphicon-cloud-upload:before {\n content: \"\\e198\";\n}\n.glyphicon-tree-conifer:before {\n content: 
\"\\e199\";\n}\n.glyphicon-tree-deciduous:before {\n content: \"\\e200\";\n}\n.glyphicon-cd:before {\n content: \"\\e201\";\n}\n.glyphicon-save-file:before {\n content: \"\\e202\";\n}\n.glyphicon-open-file:before {\n content: \"\\e203\";\n}\n.glyphicon-level-up:before {\n content: \"\\e204\";\n}\n.glyphicon-copy:before {\n content: \"\\e205\";\n}\n.glyphicon-paste:before {\n content: \"\\e206\";\n}\n.glyphicon-alert:before {\n content: \"\\e209\";\n}\n.glyphicon-equalizer:before {\n content: \"\\e210\";\n}\n.glyphicon-king:before {\n content: \"\\e211\";\n}\n.glyphicon-queen:before {\n content: \"\\e212\";\n}\n.glyphicon-pawn:before {\n content: \"\\e213\";\n}\n.glyphicon-bishop:before {\n content: \"\\e214\";\n}\n.glyphicon-knight:before {\n content: \"\\e215\";\n}\n.glyphicon-baby-formula:before {\n content: \"\\e216\";\n}\n.glyphicon-tent:before {\n content: \"\\26fa\";\n}\n.glyphicon-blackboard:before {\n content: \"\\e218\";\n}\n.glyphicon-bed:before {\n content: \"\\e219\";\n}\n.glyphicon-apple:before {\n content: \"\\f8ff\";\n}\n.glyphicon-erase:before {\n content: \"\\e221\";\n}\n.glyphicon-hourglass:before {\n content: \"\\231b\";\n}\n.glyphicon-lamp:before {\n content: \"\\e223\";\n}\n.glyphicon-duplicate:before {\n content: \"\\e224\";\n}\n.glyphicon-piggy-bank:before {\n content: \"\\e225\";\n}\n.glyphicon-scissors:before {\n content: \"\\e226\";\n}\n.glyphicon-bitcoin:before {\n content: \"\\e227\";\n}\n.glyphicon-btc:before {\n content: \"\\e227\";\n}\n.glyphicon-xbt:before {\n content: \"\\e227\";\n}\n.glyphicon-yen:before {\n content: \"\\00a5\";\n}\n.glyphicon-jpy:before {\n content: \"\\00a5\";\n}\n.glyphicon-ruble:before {\n content: \"\\20bd\";\n}\n.glyphicon-rub:before {\n content: \"\\20bd\";\n}\n.glyphicon-scale:before {\n content: \"\\e230\";\n}\n.glyphicon-ice-lolly:before {\n content: \"\\e231\";\n}\n.glyphicon-ice-lolly-tasted:before {\n content: \"\\e232\";\n}\n.glyphicon-education:before {\n content: 
\"\\e233\";\n}\n.glyphicon-option-horizontal:before {\n content: \"\\e234\";\n}\n.glyphicon-option-vertical:before {\n content: \"\\e235\";\n}\n.glyphicon-menu-hamburger:before {\n content: \"\\e236\";\n}\n.glyphicon-modal-window:before {\n content: \"\\e237\";\n}\n.glyphicon-oil:before {\n content: \"\\e238\";\n}\n.glyphicon-grain:before {\n content: \"\\e239\";\n}\n.glyphicon-sunglasses:before {\n content: \"\\e240\";\n}\n.glyphicon-text-size:before {\n content: \"\\e241\";\n}\n.glyphicon-text-color:before {\n content: \"\\e242\";\n}\n.glyphicon-text-background:before {\n content: \"\\e243\";\n}\n.glyphicon-object-align-top:before {\n content: \"\\e244\";\n}\n.glyphicon-object-align-bottom:before {\n content: \"\\e245\";\n}\n.glyphicon-object-align-horizontal:before {\n content: \"\\e246\";\n}\n.glyphicon-object-align-left:before {\n content: \"\\e247\";\n}\n.glyphicon-object-align-vertical:before {\n content: \"\\e248\";\n}\n.glyphicon-object-align-right:before {\n content: \"\\e249\";\n}\n.glyphicon-triangle-right:before {\n content: \"\\e250\";\n}\n.glyphicon-triangle-left:before {\n content: \"\\e251\";\n}\n.glyphicon-triangle-bottom:before {\n content: \"\\e252\";\n}\n.glyphicon-triangle-top:before {\n content: \"\\e253\";\n}\n.glyphicon-console:before {\n content: \"\\e254\";\n}\n.glyphicon-superscript:before {\n content: \"\\e255\";\n}\n.glyphicon-subscript:before {\n content: \"\\e256\";\n}\n.glyphicon-menu-left:before {\n content: \"\\e257\";\n}\n.glyphicon-menu-right:before {\n content: \"\\e258\";\n}\n.glyphicon-menu-down:before {\n content: \"\\e259\";\n}\n.glyphicon-menu-up:before {\n content: \"\\e260\";\n}\n* {\n -webkit-box-sizing: border-box;\n -moz-box-sizing: border-box;\n box-sizing: border-box;\n}\n*:before,\n*:after {\n -webkit-box-sizing: border-box;\n -moz-box-sizing: border-box;\n box-sizing: border-box;\n}\nhtml {\n font-size: 10px;\n\n -webkit-tap-highlight-color: rgba(0, 0, 0, 0);\n}\nbody {\n font-family: \"Helvetica Neue\", 
Helvetica, Arial, sans-serif;\n font-size: 14px;\n line-height: 1.42857143;\n color: #333;\n background-color: #fff;\n}\ninput,\nbutton,\nselect,\ntextarea {\n font-family: inherit;\n font-size: inherit;\n line-height: inherit;\n}\na {\n color: #337ab7;\n text-decoration: none;\n}\na:hover,\na:focus {\n color: #23527c;\n text-decoration: underline;\n}\na:focus {\n outline: 5px auto -webkit-focus-ring-color;\n outline-offset: -2px;\n}\nfigure {\n margin: 0;\n}\nimg {\n vertical-align: middle;\n}\n.img-responsive,\n.thumbnail > img,\n.thumbnail a > img,\n.carousel-inner > .item > img,\n.carousel-inner > .item > a > img {\n display: block;\n max-width: 100%;\n height: auto;\n}\n.img-rounded {\n border-radius: 6px;\n}\n.img-thumbnail {\n display: inline-block;\n max-width: 100%;\n height: auto;\n padding: 4px;\n line-height: 1.42857143;\n background-color: #fff;\n border: 1px solid #ddd;\n border-radius: 4px;\n -webkit-transition: all .2s ease-in-out;\n -o-transition: all .2s ease-in-out;\n transition: all .2s ease-in-out;\n}\n.img-circle {\n border-radius: 50%;\n}\nhr {\n margin-top: 20px;\n margin-bottom: 20px;\n border: 0;\n border-top: 1px solid #eee;\n}\n.sr-only {\n position: absolute;\n width: 1px;\n height: 1px;\n padding: 0;\n margin: -1px;\n overflow: hidden;\n clip: rect(0, 0, 0, 0);\n border: 0;\n}\n.sr-only-focusable:active,\n.sr-only-focusable:focus {\n position: static;\n width: auto;\n height: auto;\n margin: 0;\n overflow: visible;\n clip: auto;\n}\n[role=\"button\"] {\n cursor: pointer;\n}\nh1,\nh2,\nh3,\nh4,\nh5,\nh6,\n.h1,\n.h2,\n.h3,\n.h4,\n.h5,\n.h6 {\n font-family: inherit;\n font-weight: 500;\n line-height: 1.1;\n color: inherit;\n}\nh1 small,\nh2 small,\nh3 small,\nh4 small,\nh5 small,\nh6 small,\n.h1 small,\n.h2 small,\n.h3 small,\n.h4 small,\n.h5 small,\n.h6 small,\nh1 .small,\nh2 .small,\nh3 .small,\nh4 .small,\nh5 .small,\nh6 .small,\n.h1 .small,\n.h2 .small,\n.h3 .small,\n.h4 .small,\n.h5 .small,\n.h6 .small {\n font-weight: normal;\n 
line-height: 1;\n color: #777;\n}\nh1,\n.h1,\nh2,\n.h2,\nh3,\n.h3 {\n margin-top: 20px;\n margin-bottom: 10px;\n}\nh1 small,\n.h1 small,\nh2 small,\n.h2 small,\nh3 small,\n.h3 small,\nh1 .small,\n.h1 .small,\nh2 .small,\n.h2 .small,\nh3 .small,\n.h3 .small {\n font-size: 65%;\n}\nh4,\n.h4,\nh5,\n.h5,\nh6,\n.h6 {\n margin-top: 10px;\n margin-bottom: 10px;\n}\nh4 small,\n.h4 small,\nh5 small,\n.h5 small,\nh6 small,\n.h6 small,\nh4 .small,\n.h4 .small,\nh5 .small,\n.h5 .small,\nh6 .small,\n.h6 .small {\n font-size: 75%;\n}\nh1,\n.h1 {\n font-size: 36px;\n}\nh2,\n.h2 {\n font-size: 30px;\n}\nh3,\n.h3 {\n font-size: 24px;\n}\nh4,\n.h4 {\n font-size: 18px;\n}\nh5,\n.h5 {\n font-size: 14px;\n}\nh6,\n.h6 {\n font-size: 12px;\n}\np {\n margin: 0 0 10px;\n}\n.lead {\n margin-bottom: 20px;\n font-size: 16px;\n font-weight: 300;\n line-height: 1.4;\n}\n@media (min-width: 768px) {\n .lead {\n font-size: 21px;\n }\n}\nsmall,\n.small {\n font-size: 85%;\n}\nmark,\n.mark {\n padding: .2em;\n background-color: #fcf8e3;\n}\n.text-left {\n text-align: left;\n}\n.text-right {\n text-align: right;\n}\n.text-center {\n text-align: center;\n}\n.text-justify {\n text-align: justify;\n}\n.text-nowrap {\n white-space: nowrap;\n}\n.text-lowercase {\n text-transform: lowercase;\n}\n.text-uppercase {\n text-transform: uppercase;\n}\n.text-capitalize {\n text-transform: capitalize;\n}\n.text-muted {\n color: #777;\n}\n.text-primary {\n color: #337ab7;\n}\na.text-primary:hover,\na.text-primary:focus {\n color: #286090;\n}\n.text-success {\n color: #3c763d;\n}\na.text-success:hover,\na.text-success:focus {\n color: #2b542c;\n}\n.text-info {\n color: #31708f;\n}\na.text-info:hover,\na.text-info:focus {\n color: #245269;\n}\n.text-warning {\n color: #8a6d3b;\n}\na.text-warning:hover,\na.text-warning:focus {\n color: #66512c;\n}\n.text-danger {\n color: #a94442;\n}\na.text-danger:hover,\na.text-danger:focus {\n color: #843534;\n}\n.bg-primary {\n color: #fff;\n background-color: 
#337ab7;\n}\na.bg-primary:hover,\na.bg-primary:focus {\n background-color: #286090;\n}\n.bg-success {\n background-color: #dff0d8;\n}\na.bg-success:hover,\na.bg-success:focus {\n background-color: #c1e2b3;\n}\n.bg-info {\n background-color: #d9edf7;\n}\na.bg-info:hover,\na.bg-info:focus {\n background-color: #afd9ee;\n}\n.bg-warning {\n background-color: #fcf8e3;\n}\na.bg-warning:hover,\na.bg-warning:focus {\n background-color: #f7ecb5;\n}\n.bg-danger {\n background-color: #f2dede;\n}\na.bg-danger:hover,\na.bg-danger:focus {\n background-color: #e4b9b9;\n}\n.page-header {\n padding-bottom: 9px;\n margin: 40px 0 20px;\n border-bottom: 1px solid #eee;\n}\nul,\nol {\n margin-top: 0;\n margin-bottom: 10px;\n}\nul ul,\nol ul,\nul ol,\nol ol {\n margin-bottom: 0;\n}\n.list-unstyled {\n padding-left: 0;\n list-style: none;\n}\n.list-inline {\n padding-left: 0;\n margin-left: -5px;\n list-style: none;\n}\n.list-inline > li {\n display: inline-block;\n padding-right: 5px;\n padding-left: 5px;\n}\ndl {\n margin-top: 0;\n margin-bottom: 20px;\n}\ndt,\ndd {\n line-height: 1.42857143;\n}\ndt {\n font-weight: bold;\n}\ndd {\n margin-left: 0;\n}\n@media (min-width: 768px) {\n .dl-horizontal dt {\n float: left;\n width: 160px;\n overflow: hidden;\n clear: left;\n text-align: right;\n text-overflow: ellipsis;\n white-space: nowrap;\n }\n .dl-horizontal dd {\n margin-left: 180px;\n }\n}\nabbr[title],\nabbr[data-original-title] {\n cursor: help;\n border-bottom: 1px dotted #777;\n}\n.initialism {\n font-size: 90%;\n text-transform: uppercase;\n}\nblockquote {\n padding: 10px 20px;\n margin: 0 0 20px;\n font-size: 17.5px;\n border-left: 5px solid #eee;\n}\nblockquote p:last-child,\nblockquote ul:last-child,\nblockquote ol:last-child {\n margin-bottom: 0;\n}\nblockquote footer,\nblockquote small,\nblockquote .small {\n display: block;\n font-size: 80%;\n line-height: 1.42857143;\n color: #777;\n}\nblockquote footer:before,\nblockquote small:before,\nblockquote .small:before {\n 
content: '\\2014 \\00A0';\n}\n.blockquote-reverse,\nblockquote.pull-right {\n padding-right: 15px;\n padding-left: 0;\n text-align: right;\n border-right: 5px solid #eee;\n border-left: 0;\n}\n.blockquote-reverse footer:before,\nblockquote.pull-right footer:before,\n.blockquote-reverse small:before,\nblockquote.pull-right small:before,\n.blockquote-reverse .small:before,\nblockquote.pull-right .small:before {\n content: '';\n}\n.blockquote-reverse footer:after,\nblockquote.pull-right footer:after,\n.blockquote-reverse small:after,\nblockquote.pull-right small:after,\n.blockquote-reverse .small:after,\nblockquote.pull-right .small:after {\n content: '\\00A0 \\2014';\n}\naddress {\n margin-bottom: 20px;\n font-style: normal;\n line-height: 1.42857143;\n}\ncode,\nkbd,\npre,\nsamp {\n font-family: Menlo, Monaco, Consolas, \"Courier New\", monospace;\n}\ncode {\n padding: 2px 4px;\n font-size: 90%;\n color: #c7254e;\n background-color: #f9f2f4;\n border-radius: 4px;\n}\nkbd {\n padding: 2px 4px;\n font-size: 90%;\n color: #fff;\n background-color: #333;\n border-radius: 3px;\n -webkit-box-shadow: inset 0 -1px 0 rgba(0, 0, 0, .25);\n box-shadow: inset 0 -1px 0 rgba(0, 0, 0, .25);\n}\nkbd kbd {\n padding: 0;\n font-size: 100%;\n font-weight: bold;\n -webkit-box-shadow: none;\n box-shadow: none;\n}\npre {\n display: block;\n padding: 9.5px;\n margin: 0 0 10px;\n font-size: 13px;\n line-height: 1.42857143;\n color: #333;\n word-break: break-all;\n word-wrap: break-word;\n background-color: #f5f5f5;\n border: 1px solid #ccc;\n border-radius: 4px;\n}\npre code {\n padding: 0;\n font-size: inherit;\n color: inherit;\n white-space: pre-wrap;\n background-color: transparent;\n border-radius: 0;\n}\n.pre-scrollable {\n max-height: 340px;\n overflow-y: scroll;\n}\n.container {\n padding-right: 15px;\n padding-left: 15px;\n margin-right: auto;\n margin-left: auto;\n}\n@media (min-width: 768px) {\n .container {\n width: 750px;\n }\n}\n@media (min-width: 992px) {\n .container {\n 
width: 970px;\n }\n}\n@media (min-width: 1200px) {\n .container {\n width: 1170px;\n }\n}\n.container-fluid {\n padding-right: 15px;\n padding-left: 15px;\n margin-right: auto;\n margin-left: auto;\n}\n.row {\n margin-right: -15px;\n margin-left: -15px;\n}\n.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12 {\n position: relative;\n min-height: 1px;\n padding-right: 15px;\n padding-left: 15px;\n}\n.col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12 {\n float: left;\n}\n.col-xs-12 {\n width: 100%;\n}\n.col-xs-11 {\n width: 91.66666667%;\n}\n.col-xs-10 {\n width: 83.33333333%;\n}\n.col-xs-9 {\n width: 75%;\n}\n.col-xs-8 {\n width: 66.66666667%;\n}\n.col-xs-7 {\n width: 58.33333333%;\n}\n.col-xs-6 {\n width: 50%;\n}\n.col-xs-5 {\n width: 41.66666667%;\n}\n.col-xs-4 {\n width: 33.33333333%;\n}\n.col-xs-3 {\n width: 25%;\n}\n.col-xs-2 {\n width: 16.66666667%;\n}\n.col-xs-1 {\n width: 8.33333333%;\n}\n.col-xs-pull-12 {\n right: 100%;\n}\n.col-xs-pull-11 {\n right: 91.66666667%;\n}\n.col-xs-pull-10 {\n right: 83.33333333%;\n}\n.col-xs-pull-9 {\n right: 75%;\n}\n.col-xs-pull-8 {\n right: 66.66666667%;\n}\n.col-xs-pull-7 {\n right: 58.33333333%;\n}\n.col-xs-pull-6 {\n right: 50%;\n}\n.col-xs-pull-5 {\n right: 41.66666667%;\n}\n.col-xs-pull-4 {\n right: 33.33333333%;\n}\n.col-xs-pull-3 {\n right: 25%;\n}\n.col-xs-pull-2 {\n right: 16.66666667%;\n}\n.col-xs-pull-1 {\n right: 8.33333333%;\n}\n.col-xs-pull-0 {\n right: 
auto;\n}\n.col-xs-push-12 {\n left: 100%;\n}\n.col-xs-push-11 {\n left: 91.66666667%;\n}\n.col-xs-push-10 {\n left: 83.33333333%;\n}\n.col-xs-push-9 {\n left: 75%;\n}\n.col-xs-push-8 {\n left: 66.66666667%;\n}\n.col-xs-push-7 {\n left: 58.33333333%;\n}\n.col-xs-push-6 {\n left: 50%;\n}\n.col-xs-push-5 {\n left: 41.66666667%;\n}\n.col-xs-push-4 {\n left: 33.33333333%;\n}\n.col-xs-push-3 {\n left: 25%;\n}\n.col-xs-push-2 {\n left: 16.66666667%;\n}\n.col-xs-push-1 {\n left: 8.33333333%;\n}\n.col-xs-push-0 {\n left: auto;\n}\n.col-xs-offset-12 {\n margin-left: 100%;\n}\n.col-xs-offset-11 {\n margin-left: 91.66666667%;\n}\n.col-xs-offset-10 {\n margin-left: 83.33333333%;\n}\n.col-xs-offset-9 {\n margin-left: 75%;\n}\n.col-xs-offset-8 {\n margin-left: 66.66666667%;\n}\n.col-xs-offset-7 {\n margin-left: 58.33333333%;\n}\n.col-xs-offset-6 {\n margin-left: 50%;\n}\n.col-xs-offset-5 {\n margin-left: 41.66666667%;\n}\n.col-xs-offset-4 {\n margin-left: 33.33333333%;\n}\n.col-xs-offset-3 {\n margin-left: 25%;\n}\n.col-xs-offset-2 {\n margin-left: 16.66666667%;\n}\n.col-xs-offset-1 {\n margin-left: 8.33333333%;\n}\n.col-xs-offset-0 {\n margin-left: 0;\n}\n@media (min-width: 768px) {\n .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 {\n float: left;\n }\n .col-sm-12 {\n width: 100%;\n }\n .col-sm-11 {\n width: 91.66666667%;\n }\n .col-sm-10 {\n width: 83.33333333%;\n }\n .col-sm-9 {\n width: 75%;\n }\n .col-sm-8 {\n width: 66.66666667%;\n }\n .col-sm-7 {\n width: 58.33333333%;\n }\n .col-sm-6 {\n width: 50%;\n }\n .col-sm-5 {\n width: 41.66666667%;\n }\n .col-sm-4 {\n width: 33.33333333%;\n }\n .col-sm-3 {\n width: 25%;\n }\n .col-sm-2 {\n width: 16.66666667%;\n }\n .col-sm-1 {\n width: 8.33333333%;\n }\n .col-sm-pull-12 {\n right: 100%;\n }\n .col-sm-pull-11 {\n right: 91.66666667%;\n }\n .col-sm-pull-10 {\n right: 83.33333333%;\n }\n .col-sm-pull-9 {\n right: 75%;\n }\n .col-sm-pull-8 {\n 
right: 66.66666667%;\n }\n .col-sm-pull-7 {\n right: 58.33333333%;\n }\n .col-sm-pull-6 {\n right: 50%;\n }\n .col-sm-pull-5 {\n right: 41.66666667%;\n }\n .col-sm-pull-4 {\n right: 33.33333333%;\n }\n .col-sm-pull-3 {\n right: 25%;\n }\n .col-sm-pull-2 {\n right: 16.66666667%;\n }\n .col-sm-pull-1 {\n right: 8.33333333%;\n }\n .col-sm-pull-0 {\n right: auto;\n }\n .col-sm-push-12 {\n left: 100%;\n }\n .col-sm-push-11 {\n left: 91.66666667%;\n }\n .col-sm-push-10 {\n left: 83.33333333%;\n }\n .col-sm-push-9 {\n left: 75%;\n }\n .col-sm-push-8 {\n left: 66.66666667%;\n }\n .col-sm-push-7 {\n left: 58.33333333%;\n }\n .col-sm-push-6 {\n left: 50%;\n }\n .col-sm-push-5 {\n left: 41.66666667%;\n }\n .col-sm-push-4 {\n left: 33.33333333%;\n }\n .col-sm-push-3 {\n left: 25%;\n }\n .col-sm-push-2 {\n left: 16.66666667%;\n }\n .col-sm-push-1 {\n left: 8.33333333%;\n }\n .col-sm-push-0 {\n left: auto;\n }\n .col-sm-offset-12 {\n margin-left: 100%;\n }\n .col-sm-offset-11 {\n margin-left: 91.66666667%;\n }\n .col-sm-offset-10 {\n margin-left: 83.33333333%;\n }\n .col-sm-offset-9 {\n margin-left: 75%;\n }\n .col-sm-offset-8 {\n margin-left: 66.66666667%;\n }\n .col-sm-offset-7 {\n margin-left: 58.33333333%;\n }\n .col-sm-offset-6 {\n margin-left: 50%;\n }\n .col-sm-offset-5 {\n margin-left: 41.66666667%;\n }\n .col-sm-offset-4 {\n margin-left: 33.33333333%;\n }\n .col-sm-offset-3 {\n margin-left: 25%;\n }\n .col-sm-offset-2 {\n margin-left: 16.66666667%;\n }\n .col-sm-offset-1 {\n margin-left: 8.33333333%;\n }\n .col-sm-offset-0 {\n margin-left: 0;\n }\n}\n@media (min-width: 992px) {\n .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 {\n float: left;\n }\n .col-md-12 {\n width: 100%;\n }\n .col-md-11 {\n width: 91.66666667%;\n }\n .col-md-10 {\n width: 83.33333333%;\n }\n .col-md-9 {\n width: 75%;\n }\n .col-md-8 {\n width: 66.66666667%;\n }\n .col-md-7 {\n width: 58.33333333%;\n }\n 
.col-md-6 {\n width: 50%;\n }\n .col-md-5 {\n width: 41.66666667%;\n }\n .col-md-4 {\n width: 33.33333333%;\n }\n .col-md-3 {\n width: 25%;\n }\n .col-md-2 {\n width: 16.66666667%;\n }\n .col-md-1 {\n width: 8.33333333%;\n }\n .col-md-pull-12 {\n right: 100%;\n }\n .col-md-pull-11 {\n right: 91.66666667%;\n }\n .col-md-pull-10 {\n right: 83.33333333%;\n }\n .col-md-pull-9 {\n right: 75%;\n }\n .col-md-pull-8 {\n right: 66.66666667%;\n }\n .col-md-pull-7 {\n right: 58.33333333%;\n }\n .col-md-pull-6 {\n right: 50%;\n }\n .col-md-pull-5 {\n right: 41.66666667%;\n }\n .col-md-pull-4 {\n right: 33.33333333%;\n }\n .col-md-pull-3 {\n right: 25%;\n }\n .col-md-pull-2 {\n right: 16.66666667%;\n }\n .col-md-pull-1 {\n right: 8.33333333%;\n }\n .col-md-pull-0 {\n right: auto;\n }\n .col-md-push-12 {\n left: 100%;\n }\n .col-md-push-11 {\n left: 91.66666667%;\n }\n .col-md-push-10 {\n left: 83.33333333%;\n }\n .col-md-push-9 {\n left: 75%;\n }\n .col-md-push-8 {\n left: 66.66666667%;\n }\n .col-md-push-7 {\n left: 58.33333333%;\n }\n .col-md-push-6 {\n left: 50%;\n }\n .col-md-push-5 {\n left: 41.66666667%;\n }\n .col-md-push-4 {\n left: 33.33333333%;\n }\n .col-md-push-3 {\n left: 25%;\n }\n .col-md-push-2 {\n left: 16.66666667%;\n }\n .col-md-push-1 {\n left: 8.33333333%;\n }\n .col-md-push-0 {\n left: auto;\n }\n .col-md-offset-12 {\n margin-left: 100%;\n }\n .col-md-offset-11 {\n margin-left: 91.66666667%;\n }\n .col-md-offset-10 {\n margin-left: 83.33333333%;\n }\n .col-md-offset-9 {\n margin-left: 75%;\n }\n .col-md-offset-8 {\n margin-left: 66.66666667%;\n }\n .col-md-offset-7 {\n margin-left: 58.33333333%;\n }\n .col-md-offset-6 {\n margin-left: 50%;\n }\n .col-md-offset-5 {\n margin-left: 41.66666667%;\n }\n .col-md-offset-4 {\n margin-left: 33.33333333%;\n }\n .col-md-offset-3 {\n margin-left: 25%;\n }\n .col-md-offset-2 {\n margin-left: 16.66666667%;\n }\n .col-md-offset-1 {\n margin-left: 8.33333333%;\n }\n .col-md-offset-0 {\n margin-left: 0;\n }\n}\n@media 
(min-width: 1200px) {\n .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 {\n float: left;\n }\n .col-lg-12 {\n width: 100%;\n }\n .col-lg-11 {\n width: 91.66666667%;\n }\n .col-lg-10 {\n width: 83.33333333%;\n }\n .col-lg-9 {\n width: 75%;\n }\n .col-lg-8 {\n width: 66.66666667%;\n }\n .col-lg-7 {\n width: 58.33333333%;\n }\n .col-lg-6 {\n width: 50%;\n }\n .col-lg-5 {\n width: 41.66666667%;\n }\n .col-lg-4 {\n width: 33.33333333%;\n }\n .col-lg-3 {\n width: 25%;\n }\n .col-lg-2 {\n width: 16.66666667%;\n }\n .col-lg-1 {\n width: 8.33333333%;\n }\n .col-lg-pull-12 {\n right: 100%;\n }\n .col-lg-pull-11 {\n right: 91.66666667%;\n }\n .col-lg-pull-10 {\n right: 83.33333333%;\n }\n .col-lg-pull-9 {\n right: 75%;\n }\n .col-lg-pull-8 {\n right: 66.66666667%;\n }\n .col-lg-pull-7 {\n right: 58.33333333%;\n }\n .col-lg-pull-6 {\n right: 50%;\n }\n .col-lg-pull-5 {\n right: 41.66666667%;\n }\n .col-lg-pull-4 {\n right: 33.33333333%;\n }\n .col-lg-pull-3 {\n right: 25%;\n }\n .col-lg-pull-2 {\n right: 16.66666667%;\n }\n .col-lg-pull-1 {\n right: 8.33333333%;\n }\n .col-lg-pull-0 {\n right: auto;\n }\n .col-lg-push-12 {\n left: 100%;\n }\n .col-lg-push-11 {\n left: 91.66666667%;\n }\n .col-lg-push-10 {\n left: 83.33333333%;\n }\n .col-lg-push-9 {\n left: 75%;\n }\n .col-lg-push-8 {\n left: 66.66666667%;\n }\n .col-lg-push-7 {\n left: 58.33333333%;\n }\n .col-lg-push-6 {\n left: 50%;\n }\n .col-lg-push-5 {\n left: 41.66666667%;\n }\n .col-lg-push-4 {\n left: 33.33333333%;\n }\n .col-lg-push-3 {\n left: 25%;\n }\n .col-lg-push-2 {\n left: 16.66666667%;\n }\n .col-lg-push-1 {\n left: 8.33333333%;\n }\n .col-lg-push-0 {\n left: auto;\n }\n .col-lg-offset-12 {\n margin-left: 100%;\n }\n .col-lg-offset-11 {\n margin-left: 91.66666667%;\n }\n .col-lg-offset-10 {\n margin-left: 83.33333333%;\n }\n .col-lg-offset-9 {\n margin-left: 75%;\n }\n .col-lg-offset-8 {\n margin-left: 66.66666667%;\n }\n 
.col-lg-offset-7 {\n margin-left: 58.33333333%;\n }\n .col-lg-offset-6 {\n margin-left: 50%;\n }\n .col-lg-offset-5 {\n margin-left: 41.66666667%;\n }\n .col-lg-offset-4 {\n margin-left: 33.33333333%;\n }\n .col-lg-offset-3 {\n margin-left: 25%;\n }\n .col-lg-offset-2 {\n margin-left: 16.66666667%;\n }\n .col-lg-offset-1 {\n margin-left: 8.33333333%;\n }\n .col-lg-offset-0 {\n margin-left: 0;\n }\n}\ntable {\n background-color: transparent;\n}\ncaption {\n padding-top: 8px;\n padding-bottom: 8px;\n color: #777;\n text-align: left;\n}\nth {\n text-align: left;\n}\n.table {\n width: 100%;\n max-width: 100%;\n margin-bottom: 20px;\n}\n.table > thead > tr > th,\n.table > tbody > tr > th,\n.table > tfoot > tr > th,\n.table > thead > tr > td,\n.table > tbody > tr > td,\n.table > tfoot > tr > td {\n padding: 8px;\n line-height: 1.42857143;\n vertical-align: top;\n border-top: 1px solid #ddd;\n}\n.table > thead > tr > th {\n vertical-align: bottom;\n border-bottom: 2px solid #ddd;\n}\n.table > caption + thead > tr:first-child > th,\n.table > colgroup + thead > tr:first-child > th,\n.table > thead:first-child > tr:first-child > th,\n.table > caption + thead > tr:first-child > td,\n.table > colgroup + thead > tr:first-child > td,\n.table > thead:first-child > tr:first-child > td {\n border-top: 0;\n}\n.table > tbody + tbody {\n border-top: 2px solid #ddd;\n}\n.table .table {\n background-color: #fff;\n}\n.table-condensed > thead > tr > th,\n.table-condensed > tbody > tr > th,\n.table-condensed > tfoot > tr > th,\n.table-condensed > thead > tr > td,\n.table-condensed > tbody > tr > td,\n.table-condensed > tfoot > tr > td {\n padding: 5px;\n}\n.table-bordered {\n border: 1px solid #ddd;\n}\n.table-bordered > thead > tr > th,\n.table-bordered > tbody > tr > th,\n.table-bordered > tfoot > tr > th,\n.table-bordered > thead > tr > td,\n.table-bordered > tbody > tr > td,\n.table-bordered > tfoot > tr > td {\n border: 1px solid #ddd;\n}\n.table-bordered > thead > tr > 
th,\n.table-bordered > thead > tr > td {\n border-bottom-width: 2px;\n}\n.table-striped > tbody > tr:nth-of-type(odd) {\n background-color: #f9f9f9;\n}\n.table-hover > tbody > tr:hover {\n background-color: #f5f5f5;\n}\ntable col[class*=\"col-\"] {\n position: static;\n display: table-column;\n float: none;\n}\ntable td[class*=\"col-\"],\ntable th[class*=\"col-\"] {\n position: static;\n display: table-cell;\n float: none;\n}\n.table > thead > tr > td.active,\n.table > tbody > tr > td.active,\n.table > tfoot > tr > td.active,\n.table > thead > tr > th.active,\n.table > tbody > tr > th.active,\n.table > tfoot > tr > th.active,\n.table > thead > tr.active > td,\n.table > tbody > tr.active > td,\n.table > tfoot > tr.active > td,\n.table > thead > tr.active > th,\n.table > tbody > tr.active > th,\n.table > tfoot > tr.active > th {\n background-color: #f5f5f5;\n}\n.table-hover > tbody > tr > td.active:hover,\n.table-hover > tbody > tr > th.active:hover,\n.table-hover > tbody > tr.active:hover > td,\n.table-hover > tbody > tr:hover > .active,\n.table-hover > tbody > tr.active:hover > th {\n background-color: #e8e8e8;\n}\n.table > thead > tr > td.success,\n.table > tbody > tr > td.success,\n.table > tfoot > tr > td.success,\n.table > thead > tr > th.success,\n.table > tbody > tr > th.success,\n.table > tfoot > tr > th.success,\n.table > thead > tr.success > td,\n.table > tbody > tr.success > td,\n.table > tfoot > tr.success > td,\n.table > thead > tr.success > th,\n.table > tbody > tr.success > th,\n.table > tfoot > tr.success > th {\n background-color: #dff0d8;\n}\n.table-hover > tbody > tr > td.success:hover,\n.table-hover > tbody > tr > th.success:hover,\n.table-hover > tbody > tr.success:hover > td,\n.table-hover > tbody > tr:hover > .success,\n.table-hover > tbody > tr.success:hover > th {\n background-color: #d0e9c6;\n}\n.table > thead > tr > td.info,\n.table > tbody > tr > td.info,\n.table > tfoot > tr > td.info,\n.table > thead > tr > th.info,\n.table > tbody > tr 
> th.info,\n.table > tfoot > tr > th.info,\n.table > thead > tr.info > td,\n.table > tbody > tr.info > td,\n.table > tfoot > tr.info > td,\n.table > thead > tr.info > th,\n.table > tbody > tr.info > th,\n.table > tfoot > tr.info > th {\n background-color: #d9edf7;\n}\n.table-hover > tbody > tr > td.info:hover,\n.table-hover > tbody > tr > th.info:hover,\n.table-hover > tbody > tr.info:hover > td,\n.table-hover > tbody > tr:hover > .info,\n.table-hover > tbody > tr.info:hover > th {\n background-color: #c4e3f3;\n}\n.table > thead > tr > td.warning,\n.table > tbody > tr > td.warning,\n.table > tfoot > tr > td.warning,\n.table > thead > tr > th.warning,\n.table > tbody > tr > th.warning,\n.table > tfoot > tr > th.warning,\n.table > thead > tr.warning > td,\n.table > tbody > tr.warning > td,\n.table > tfoot > tr.warning > td,\n.table > thead > tr.warning > th,\n.table > tbody > tr.warning > th,\n.table > tfoot > tr.warning > th {\n background-color: #fcf8e3;\n}\n.table-hover > tbody > tr > td.warning:hover,\n.table-hover > tbody > tr > th.warning:hover,\n.table-hover > tbody > tr.warning:hover > td,\n.table-hover > tbody > tr:hover > .warning,\n.table-hover > tbody > tr.warning:hover > th {\n background-color: #faf2cc;\n}\n.table > thead > tr > td.danger,\n.table > tbody > tr > td.danger,\n.table > tfoot > tr > td.danger,\n.table > thead > tr > th.danger,\n.table > tbody > tr > th.danger,\n.table > tfoot > tr > th.danger,\n.table > thead > tr.danger > td,\n.table > tbody > tr.danger > td,\n.table > tfoot > tr.danger > td,\n.table > thead > tr.danger > th,\n.table > tbody > tr.danger > th,\n.table > tfoot > tr.danger > th {\n background-color: #f2dede;\n}\n.table-hover > tbody > tr > td.danger:hover,\n.table-hover > tbody > tr > th.danger:hover,\n.table-hover > tbody > tr.danger:hover > td,\n.table-hover > tbody > tr:hover > .danger,\n.table-hover > tbody > tr.danger:hover > th {\n background-color: #ebcccc;\n}\n.table-responsive {\n min-height: .01%;\n overflow-x: 
auto;\n}\n@media screen and (max-width: 767px) {\n .table-responsive {\n width: 100%;\n margin-bottom: 15px;\n overflow-y: hidden;\n -ms-overflow-style: -ms-autohiding-scrollbar;\n border: 1px solid #ddd;\n }\n .table-responsive > .table {\n margin-bottom: 0;\n }\n .table-responsive > .table > thead > tr > th,\n .table-responsive > .table > tbody > tr > th,\n .table-responsive > .table > tfoot > tr > th,\n .table-responsive > .table > thead > tr > td,\n .table-responsive > .table > tbody > tr > td,\n .table-responsive > .table > tfoot > tr > td {\n white-space: nowrap;\n }\n .table-responsive > .table-bordered {\n border: 0;\n }\n .table-responsive > .table-bordered > thead > tr > th:first-child,\n .table-responsive > .table-bordered > tbody > tr > th:first-child,\n .table-responsive > .table-bordered > tfoot > tr > th:first-child,\n .table-responsive > .table-bordered > thead > tr > td:first-child,\n .table-responsive > .table-bordered > tbody > tr > td:first-child,\n .table-responsive > .table-bordered > tfoot > tr > td:first-child {\n border-left: 0;\n }\n .table-responsive > .table-bordered > thead > tr > th:last-child,\n .table-responsive > .table-bordered > tbody > tr > th:last-child,\n .table-responsive > .table-bordered > tfoot > tr > th:last-child,\n .table-responsive > .table-bordered > thead > tr > td:last-child,\n .table-responsive > .table-bordered > tbody > tr > td:last-child,\n .table-responsive > .table-bordered > tfoot > tr > td:last-child {\n border-right: 0;\n }\n .table-responsive > .table-bordered > tbody > tr:last-child > th,\n .table-responsive > .table-bordered > tfoot > tr:last-child > th,\n .table-responsive > .table-bordered > tbody > tr:last-child > td,\n .table-responsive > .table-bordered > tfoot > tr:last-child > td {\n border-bottom: 0;\n }\n}\nfieldset {\n min-width: 0;\n padding: 0;\n margin: 0;\n border: 0;\n}\nlegend {\n display: block;\n width: 100%;\n padding: 0;\n margin-bottom: 20px;\n font-size: 21px;\n line-height: 
inherit;\n color: #333;\n border: 0;\n border-bottom: 1px solid #e5e5e5;\n}\nlabel {\n display: inline-block;\n max-width: 100%;\n margin-bottom: 5px;\n font-weight: bold;\n}\ninput[type=\"search\"] {\n -webkit-box-sizing: border-box;\n -moz-box-sizing: border-box;\n box-sizing: border-box;\n}\ninput[type=\"radio\"],\ninput[type=\"checkbox\"] {\n margin: 4px 0 0;\n margin-top: 1px \\9;\n line-height: normal;\n}\ninput[type=\"file\"] {\n display: block;\n}\ninput[type=\"range\"] {\n display: block;\n width: 100%;\n}\nselect[multiple],\nselect[size] {\n height: auto;\n}\ninput[type=\"file\"]:focus,\ninput[type=\"radio\"]:focus,\ninput[type=\"checkbox\"]:focus {\n outline: 5px auto -webkit-focus-ring-color;\n outline-offset: -2px;\n}\noutput {\n display: block;\n padding-top: 7px;\n font-size: 14px;\n line-height: 1.42857143;\n color: #555;\n}\n.form-control {\n display: block;\n width: 100%;\n height: 34px;\n padding: 6px 12px;\n font-size: 14px;\n line-height: 1.42857143;\n color: #555;\n background-color: #fff;\n background-image: none;\n border: 1px solid #ccc;\n border-radius: 4px;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);\n -webkit-transition: border-color ease-in-out .15s, -webkit-box-shadow ease-in-out .15s;\n -o-transition: border-color ease-in-out .15s, box-shadow ease-in-out .15s;\n transition: border-color ease-in-out .15s, box-shadow ease-in-out .15s;\n}\n.form-control:focus {\n border-color: #66afe9;\n outline: 0;\n -webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, .6);\n box-shadow: inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, .6);\n}\n.form-control::-moz-placeholder {\n color: #999;\n opacity: 1;\n}\n.form-control:-ms-input-placeholder {\n color: #999;\n}\n.form-control::-webkit-input-placeholder {\n color: #999;\n}\n.form-control::-ms-expand {\n background-color: transparent;\n border: 
0;\n}\n.form-control[disabled],\n.form-control[readonly],\nfieldset[disabled] .form-control {\n background-color: #eee;\n opacity: 1;\n}\n.form-control[disabled],\nfieldset[disabled] .form-control {\n cursor: not-allowed;\n}\ntextarea.form-control {\n height: auto;\n}\ninput[type=\"search\"] {\n -webkit-appearance: none;\n}\n@media screen and (-webkit-min-device-pixel-ratio: 0) {\n input[type=\"date\"].form-control,\n input[type=\"time\"].form-control,\n input[type=\"datetime-local\"].form-control,\n input[type=\"month\"].form-control {\n line-height: 34px;\n }\n input[type=\"date\"].input-sm,\n input[type=\"time\"].input-sm,\n input[type=\"datetime-local\"].input-sm,\n input[type=\"month\"].input-sm,\n .input-group-sm input[type=\"date\"],\n .input-group-sm input[type=\"time\"],\n .input-group-sm input[type=\"datetime-local\"],\n .input-group-sm input[type=\"month\"] {\n line-height: 30px;\n }\n input[type=\"date\"].input-lg,\n input[type=\"time\"].input-lg,\n input[type=\"datetime-local\"].input-lg,\n input[type=\"month\"].input-lg,\n .input-group-lg input[type=\"date\"],\n .input-group-lg input[type=\"time\"],\n .input-group-lg input[type=\"datetime-local\"],\n .input-group-lg input[type=\"month\"] {\n line-height: 46px;\n }\n}\n.form-group {\n margin-bottom: 15px;\n}\n.radio,\n.checkbox {\n position: relative;\n display: block;\n margin-top: 10px;\n margin-bottom: 10px;\n}\n.radio label,\n.checkbox label {\n min-height: 20px;\n padding-left: 20px;\n margin-bottom: 0;\n font-weight: normal;\n cursor: pointer;\n}\n.radio input[type=\"radio\"],\n.radio-inline input[type=\"radio\"],\n.checkbox input[type=\"checkbox\"],\n.checkbox-inline input[type=\"checkbox\"] {\n position: absolute;\n margin-top: 4px \\9;\n margin-left: -20px;\n}\n.radio + .radio,\n.checkbox + .checkbox {\n margin-top: -5px;\n}\n.radio-inline,\n.checkbox-inline {\n position: relative;\n display: inline-block;\n padding-left: 20px;\n margin-bottom: 0;\n font-weight: normal;\n vertical-align: 
middle;\n cursor: pointer;\n}\n.radio-inline + .radio-inline,\n.checkbox-inline + .checkbox-inline {\n margin-top: 0;\n margin-left: 10px;\n}\ninput[type=\"radio\"][disabled],\ninput[type=\"checkbox\"][disabled],\ninput[type=\"radio\"].disabled,\ninput[type=\"checkbox\"].disabled,\nfieldset[disabled] input[type=\"radio\"],\nfieldset[disabled] input[type=\"checkbox\"] {\n cursor: not-allowed;\n}\n.radio-inline.disabled,\n.checkbox-inline.disabled,\nfieldset[disabled] .radio-inline,\nfieldset[disabled] .checkbox-inline {\n cursor: not-allowed;\n}\n.radio.disabled label,\n.checkbox.disabled label,\nfieldset[disabled] .radio label,\nfieldset[disabled] .checkbox label {\n cursor: not-allowed;\n}\n.form-control-static {\n min-height: 34px;\n padding-top: 7px;\n padding-bottom: 7px;\n margin-bottom: 0;\n}\n.form-control-static.input-lg,\n.form-control-static.input-sm {\n padding-right: 0;\n padding-left: 0;\n}\n.input-sm {\n height: 30px;\n padding: 5px 10px;\n font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\nselect.input-sm {\n height: 30px;\n line-height: 30px;\n}\ntextarea.input-sm,\nselect[multiple].input-sm {\n height: auto;\n}\n.form-group-sm .form-control {\n height: 30px;\n padding: 5px 10px;\n font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\n.form-group-sm select.form-control {\n height: 30px;\n line-height: 30px;\n}\n.form-group-sm textarea.form-control,\n.form-group-sm select[multiple].form-control {\n height: auto;\n}\n.form-group-sm .form-control-static {\n height: 30px;\n min-height: 32px;\n padding: 6px 10px;\n font-size: 12px;\n line-height: 1.5;\n}\n.input-lg {\n height: 46px;\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n border-radius: 6px;\n}\nselect.input-lg {\n height: 46px;\n line-height: 46px;\n}\ntextarea.input-lg,\nselect[multiple].input-lg {\n height: auto;\n}\n.form-group-lg .form-control {\n height: 46px;\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n border-radius: 
6px;\n}\n.form-group-lg select.form-control {\n height: 46px;\n line-height: 46px;\n}\n.form-group-lg textarea.form-control,\n.form-group-lg select[multiple].form-control {\n height: auto;\n}\n.form-group-lg .form-control-static {\n height: 46px;\n min-height: 38px;\n padding: 11px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n}\n.has-feedback {\n position: relative;\n}\n.has-feedback .form-control {\n padding-right: 42.5px;\n}\n.form-control-feedback {\n position: absolute;\n top: 0;\n right: 0;\n z-index: 2;\n display: block;\n width: 34px;\n height: 34px;\n line-height: 34px;\n text-align: center;\n pointer-events: none;\n}\n.input-lg + .form-control-feedback,\n.input-group-lg + .form-control-feedback,\n.form-group-lg .form-control + .form-control-feedback {\n width: 46px;\n height: 46px;\n line-height: 46px;\n}\n.input-sm + .form-control-feedback,\n.input-group-sm + .form-control-feedback,\n.form-group-sm .form-control + .form-control-feedback {\n width: 30px;\n height: 30px;\n line-height: 30px;\n}\n.has-success .help-block,\n.has-success .control-label,\n.has-success .radio,\n.has-success .checkbox,\n.has-success .radio-inline,\n.has-success .checkbox-inline,\n.has-success.radio label,\n.has-success.checkbox label,\n.has-success.radio-inline label,\n.has-success.checkbox-inline label {\n color: #3c763d;\n}\n.has-success .form-control {\n border-color: #3c763d;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);\n}\n.has-success .form-control:focus {\n border-color: #2b542c;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075), 0 0 6px #67b168;\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075), 0 0 6px #67b168;\n}\n.has-success .input-group-addon {\n color: #3c763d;\n background-color: #dff0d8;\n border-color: #3c763d;\n}\n.has-success .form-control-feedback {\n color: #3c763d;\n}\n.has-warning .help-block,\n.has-warning .control-label,\n.has-warning .radio,\n.has-warning 
.checkbox,\n.has-warning .radio-inline,\n.has-warning .checkbox-inline,\n.has-warning.radio label,\n.has-warning.checkbox label,\n.has-warning.radio-inline label,\n.has-warning.checkbox-inline label {\n color: #8a6d3b;\n}\n.has-warning .form-control {\n border-color: #8a6d3b;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);\n}\n.has-warning .form-control:focus {\n border-color: #66512c;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075), 0 0 6px #c0a16b;\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075), 0 0 6px #c0a16b;\n}\n.has-warning .input-group-addon {\n color: #8a6d3b;\n background-color: #fcf8e3;\n border-color: #8a6d3b;\n}\n.has-warning .form-control-feedback {\n color: #8a6d3b;\n}\n.has-error .help-block,\n.has-error .control-label,\n.has-error .radio,\n.has-error .checkbox,\n.has-error .radio-inline,\n.has-error .checkbox-inline,\n.has-error.radio label,\n.has-error.checkbox label,\n.has-error.radio-inline label,\n.has-error.checkbox-inline label {\n color: #a94442;\n}\n.has-error .form-control {\n border-color: #a94442;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);\n}\n.has-error .form-control:focus {\n border-color: #843534;\n -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075), 0 0 6px #ce8483;\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075), 0 0 6px #ce8483;\n}\n.has-error .input-group-addon {\n color: #a94442;\n background-color: #f2dede;\n border-color: #a94442;\n}\n.has-error .form-control-feedback {\n color: #a94442;\n}\n.has-feedback label ~ .form-control-feedback {\n top: 25px;\n}\n.has-feedback label.sr-only ~ .form-control-feedback {\n top: 0;\n}\n.help-block {\n display: block;\n margin-top: 5px;\n margin-bottom: 10px;\n color: #737373;\n}\n@media (min-width: 768px) {\n .form-inline .form-group {\n display: inline-block;\n margin-bottom: 0;\n vertical-align: middle;\n }\n .form-inline .form-control {\n 
display: inline-block;\n width: auto;\n vertical-align: middle;\n }\n .form-inline .form-control-static {\n display: inline-block;\n }\n .form-inline .input-group {\n display: inline-table;\n vertical-align: middle;\n }\n .form-inline .input-group .input-group-addon,\n .form-inline .input-group .input-group-btn,\n .form-inline .input-group .form-control {\n width: auto;\n }\n .form-inline .input-group > .form-control {\n width: 100%;\n }\n .form-inline .control-label {\n margin-bottom: 0;\n vertical-align: middle;\n }\n .form-inline .radio,\n .form-inline .checkbox {\n display: inline-block;\n margin-top: 0;\n margin-bottom: 0;\n vertical-align: middle;\n }\n .form-inline .radio label,\n .form-inline .checkbox label {\n padding-left: 0;\n }\n .form-inline .radio input[type=\"radio\"],\n .form-inline .checkbox input[type=\"checkbox\"] {\n position: relative;\n margin-left: 0;\n }\n .form-inline .has-feedback .form-control-feedback {\n top: 0;\n }\n}\n.form-horizontal .radio,\n.form-horizontal .checkbox,\n.form-horizontal .radio-inline,\n.form-horizontal .checkbox-inline {\n padding-top: 7px;\n margin-top: 0;\n margin-bottom: 0;\n}\n.form-horizontal .radio,\n.form-horizontal .checkbox {\n min-height: 27px;\n}\n.form-horizontal .form-group {\n margin-right: -15px;\n margin-left: -15px;\n}\n@media (min-width: 768px) {\n .form-horizontal .control-label {\n padding-top: 7px;\n margin-bottom: 0;\n text-align: right;\n }\n}\n.form-horizontal .has-feedback .form-control-feedback {\n right: 15px;\n}\n@media (min-width: 768px) {\n .form-horizontal .form-group-lg .control-label {\n padding-top: 11px;\n font-size: 18px;\n }\n}\n@media (min-width: 768px) {\n .form-horizontal .form-group-sm .control-label {\n padding-top: 6px;\n font-size: 12px;\n }\n}\n.btn {\n display: inline-block;\n padding: 6px 12px;\n margin-bottom: 0;\n font-size: 14px;\n font-weight: normal;\n line-height: 1.42857143;\n text-align: center;\n white-space: nowrap;\n vertical-align: middle;\n 
-ms-touch-action: manipulation;\n touch-action: manipulation;\n cursor: pointer;\n -webkit-user-select: none;\n -moz-user-select: none;\n -ms-user-select: none;\n user-select: none;\n background-image: none;\n border: 1px solid transparent;\n border-radius: 4px;\n}\n.btn:focus,\n.btn:active:focus,\n.btn.active:focus,\n.btn.focus,\n.btn:active.focus,\n.btn.active.focus {\n outline: 5px auto -webkit-focus-ring-color;\n outline-offset: -2px;\n}\n.btn:hover,\n.btn:focus,\n.btn.focus {\n color: #333;\n text-decoration: none;\n}\n.btn:active,\n.btn.active {\n background-image: none;\n outline: 0;\n -webkit-box-shadow: inset 0 3px 5px rgba(0, 0, 0, .125);\n box-shadow: inset 0 3px 5px rgba(0, 0, 0, .125);\n}\n.btn.disabled,\n.btn[disabled],\nfieldset[disabled] .btn {\n cursor: not-allowed;\n filter: alpha(opacity=65);\n -webkit-box-shadow: none;\n box-shadow: none;\n opacity: .65;\n}\na.btn.disabled,\nfieldset[disabled] a.btn {\n pointer-events: none;\n}\n.btn-default {\n color: #333;\n background-color: #fff;\n border-color: #ccc;\n}\n.btn-default:focus,\n.btn-default.focus {\n color: #333;\n background-color: #e6e6e6;\n border-color: #8c8c8c;\n}\n.btn-default:hover {\n color: #333;\n background-color: #e6e6e6;\n border-color: #adadad;\n}\n.btn-default:active,\n.btn-default.active,\n.open > .dropdown-toggle.btn-default {\n color: #333;\n background-color: #e6e6e6;\n border-color: #adadad;\n}\n.btn-default:active:hover,\n.btn-default.active:hover,\n.open > .dropdown-toggle.btn-default:hover,\n.btn-default:active:focus,\n.btn-default.active:focus,\n.open > .dropdown-toggle.btn-default:focus,\n.btn-default:active.focus,\n.btn-default.active.focus,\n.open > .dropdown-toggle.btn-default.focus {\n color: #333;\n background-color: #d4d4d4;\n border-color: #8c8c8c;\n}\n.btn-default:active,\n.btn-default.active,\n.open > .dropdown-toggle.btn-default {\n background-image: none;\n}\n.btn-default.disabled:hover,\n.btn-default[disabled]:hover,\nfieldset[disabled] 
.btn-default:hover,\n.btn-default.disabled:focus,\n.btn-default[disabled]:focus,\nfieldset[disabled] .btn-default:focus,\n.btn-default.disabled.focus,\n.btn-default[disabled].focus,\nfieldset[disabled] .btn-default.focus {\n background-color: #fff;\n border-color: #ccc;\n}\n.btn-default .badge {\n color: #fff;\n background-color: #333;\n}\n.btn-primary {\n color: #fff;\n background-color: #337ab7;\n border-color: #2e6da4;\n}\n.btn-primary:focus,\n.btn-primary.focus {\n color: #fff;\n background-color: #286090;\n border-color: #122b40;\n}\n.btn-primary:hover {\n color: #fff;\n background-color: #286090;\n border-color: #204d74;\n}\n.btn-primary:active,\n.btn-primary.active,\n.open > .dropdown-toggle.btn-primary {\n color: #fff;\n background-color: #286090;\n border-color: #204d74;\n}\n.btn-primary:active:hover,\n.btn-primary.active:hover,\n.open > .dropdown-toggle.btn-primary:hover,\n.btn-primary:active:focus,\n.btn-primary.active:focus,\n.open > .dropdown-toggle.btn-primary:focus,\n.btn-primary:active.focus,\n.btn-primary.active.focus,\n.open > .dropdown-toggle.btn-primary.focus {\n color: #fff;\n background-color: #204d74;\n border-color: #122b40;\n}\n.btn-primary:active,\n.btn-primary.active,\n.open > .dropdown-toggle.btn-primary {\n background-image: none;\n}\n.btn-primary.disabled:hover,\n.btn-primary[disabled]:hover,\nfieldset[disabled] .btn-primary:hover,\n.btn-primary.disabled:focus,\n.btn-primary[disabled]:focus,\nfieldset[disabled] .btn-primary:focus,\n.btn-primary.disabled.focus,\n.btn-primary[disabled].focus,\nfieldset[disabled] .btn-primary.focus {\n background-color: #337ab7;\n border-color: #2e6da4;\n}\n.btn-primary .badge {\n color: #337ab7;\n background-color: #fff;\n}\n.btn-success {\n color: #fff;\n background-color: #5cb85c;\n border-color: #4cae4c;\n}\n.btn-success:focus,\n.btn-success.focus {\n color: #fff;\n background-color: #449d44;\n border-color: #255625;\n}\n.btn-success:hover {\n color: #fff;\n background-color: #449d44;\n border-color: 
#398439;\n}\n.btn-success:active,\n.btn-success.active,\n.open > .dropdown-toggle.btn-success {\n color: #fff;\n background-color: #449d44;\n border-color: #398439;\n}\n.btn-success:active:hover,\n.btn-success.active:hover,\n.open > .dropdown-toggle.btn-success:hover,\n.btn-success:active:focus,\n.btn-success.active:focus,\n.open > .dropdown-toggle.btn-success:focus,\n.btn-success:active.focus,\n.btn-success.active.focus,\n.open > .dropdown-toggle.btn-success.focus {\n color: #fff;\n background-color: #398439;\n border-color: #255625;\n}\n.btn-success:active,\n.btn-success.active,\n.open > .dropdown-toggle.btn-success {\n background-image: none;\n}\n.btn-success.disabled:hover,\n.btn-success[disabled]:hover,\nfieldset[disabled] .btn-success:hover,\n.btn-success.disabled:focus,\n.btn-success[disabled]:focus,\nfieldset[disabled] .btn-success:focus,\n.btn-success.disabled.focus,\n.btn-success[disabled].focus,\nfieldset[disabled] .btn-success.focus {\n background-color: #5cb85c;\n border-color: #4cae4c;\n}\n.btn-success .badge {\n color: #5cb85c;\n background-color: #fff;\n}\n.btn-info {\n color: #fff;\n background-color: #5bc0de;\n border-color: #46b8da;\n}\n.btn-info:focus,\n.btn-info.focus {\n color: #fff;\n background-color: #31b0d5;\n border-color: #1b6d85;\n}\n.btn-info:hover {\n color: #fff;\n background-color: #31b0d5;\n border-color: #269abc;\n}\n.btn-info:active,\n.btn-info.active,\n.open > .dropdown-toggle.btn-info {\n color: #fff;\n background-color: #31b0d5;\n border-color: #269abc;\n}\n.btn-info:active:hover,\n.btn-info.active:hover,\n.open > .dropdown-toggle.btn-info:hover,\n.btn-info:active:focus,\n.btn-info.active:focus,\n.open > .dropdown-toggle.btn-info:focus,\n.btn-info:active.focus,\n.btn-info.active.focus,\n.open > .dropdown-toggle.btn-info.focus {\n color: #fff;\n background-color: #269abc;\n border-color: #1b6d85;\n}\n.btn-info:active,\n.btn-info.active,\n.open > .dropdown-toggle.btn-info {\n background-image: 
none;\n}\n.btn-info.disabled:hover,\n.btn-info[disabled]:hover,\nfieldset[disabled] .btn-info:hover,\n.btn-info.disabled:focus,\n.btn-info[disabled]:focus,\nfieldset[disabled] .btn-info:focus,\n.btn-info.disabled.focus,\n.btn-info[disabled].focus,\nfieldset[disabled] .btn-info.focus {\n background-color: #5bc0de;\n border-color: #46b8da;\n}\n.btn-info .badge {\n color: #5bc0de;\n background-color: #fff;\n}\n.btn-warning {\n color: #fff;\n background-color: #f0ad4e;\n border-color: #eea236;\n}\n.btn-warning:focus,\n.btn-warning.focus {\n color: #fff;\n background-color: #ec971f;\n border-color: #985f0d;\n}\n.btn-warning:hover {\n color: #fff;\n background-color: #ec971f;\n border-color: #d58512;\n}\n.btn-warning:active,\n.btn-warning.active,\n.open > .dropdown-toggle.btn-warning {\n color: #fff;\n background-color: #ec971f;\n border-color: #d58512;\n}\n.btn-warning:active:hover,\n.btn-warning.active:hover,\n.open > .dropdown-toggle.btn-warning:hover,\n.btn-warning:active:focus,\n.btn-warning.active:focus,\n.open > .dropdown-toggle.btn-warning:focus,\n.btn-warning:active.focus,\n.btn-warning.active.focus,\n.open > .dropdown-toggle.btn-warning.focus {\n color: #fff;\n background-color: #d58512;\n border-color: #985f0d;\n}\n.btn-warning:active,\n.btn-warning.active,\n.open > .dropdown-toggle.btn-warning {\n background-image: none;\n}\n.btn-warning.disabled:hover,\n.btn-warning[disabled]:hover,\nfieldset[disabled] .btn-warning:hover,\n.btn-warning.disabled:focus,\n.btn-warning[disabled]:focus,\nfieldset[disabled] .btn-warning:focus,\n.btn-warning.disabled.focus,\n.btn-warning[disabled].focus,\nfieldset[disabled] .btn-warning.focus {\n background-color: #f0ad4e;\n border-color: #eea236;\n}\n.btn-warning .badge {\n color: #f0ad4e;\n background-color: #fff;\n}\n.btn-danger {\n color: #fff;\n background-color: #d9534f;\n border-color: #d43f3a;\n}\n.btn-danger:focus,\n.btn-danger.focus {\n color: #fff;\n background-color: #c9302c;\n border-color: 
#761c19;\n}\n.btn-danger:hover {\n color: #fff;\n background-color: #c9302c;\n border-color: #ac2925;\n}\n.btn-danger:active,\n.btn-danger.active,\n.open > .dropdown-toggle.btn-danger {\n color: #fff;\n background-color: #c9302c;\n border-color: #ac2925;\n}\n.btn-danger:active:hover,\n.btn-danger.active:hover,\n.open > .dropdown-toggle.btn-danger:hover,\n.btn-danger:active:focus,\n.btn-danger.active:focus,\n.open > .dropdown-toggle.btn-danger:focus,\n.btn-danger:active.focus,\n.btn-danger.active.focus,\n.open > .dropdown-toggle.btn-danger.focus {\n color: #fff;\n background-color: #ac2925;\n border-color: #761c19;\n}\n.btn-danger:active,\n.btn-danger.active,\n.open > .dropdown-toggle.btn-danger {\n background-image: none;\n}\n.btn-danger.disabled:hover,\n.btn-danger[disabled]:hover,\nfieldset[disabled] .btn-danger:hover,\n.btn-danger.disabled:focus,\n.btn-danger[disabled]:focus,\nfieldset[disabled] .btn-danger:focus,\n.btn-danger.disabled.focus,\n.btn-danger[disabled].focus,\nfieldset[disabled] .btn-danger.focus {\n background-color: #d9534f;\n border-color: #d43f3a;\n}\n.btn-danger .badge {\n color: #d9534f;\n background-color: #fff;\n}\n.btn-link {\n font-weight: normal;\n color: #337ab7;\n border-radius: 0;\n}\n.btn-link,\n.btn-link:active,\n.btn-link.active,\n.btn-link[disabled],\nfieldset[disabled] .btn-link {\n background-color: transparent;\n -webkit-box-shadow: none;\n box-shadow: none;\n}\n.btn-link,\n.btn-link:hover,\n.btn-link:focus,\n.btn-link:active {\n border-color: transparent;\n}\n.btn-link:hover,\n.btn-link:focus {\n color: #23527c;\n text-decoration: underline;\n background-color: transparent;\n}\n.btn-link[disabled]:hover,\nfieldset[disabled] .btn-link:hover,\n.btn-link[disabled]:focus,\nfieldset[disabled] .btn-link:focus {\n color: #777;\n text-decoration: none;\n}\n.btn-lg,\n.btn-group-lg > .btn {\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n border-radius: 6px;\n}\n.btn-sm,\n.btn-group-sm > .btn {\n padding: 5px 10px;\n 
font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\n.btn-xs,\n.btn-group-xs > .btn {\n padding: 1px 5px;\n font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\n.btn-block {\n display: block;\n width: 100%;\n}\n.btn-block + .btn-block {\n margin-top: 5px;\n}\ninput[type=\"submit\"].btn-block,\ninput[type=\"reset\"].btn-block,\ninput[type=\"button\"].btn-block {\n width: 100%;\n}\n.fade {\n opacity: 0;\n -webkit-transition: opacity .15s linear;\n -o-transition: opacity .15s linear;\n transition: opacity .15s linear;\n}\n.fade.in {\n opacity: 1;\n}\n.collapse {\n display: none;\n}\n.collapse.in {\n display: block;\n}\ntr.collapse.in {\n display: table-row;\n}\ntbody.collapse.in {\n display: table-row-group;\n}\n.collapsing {\n position: relative;\n height: 0;\n overflow: hidden;\n -webkit-transition-timing-function: ease;\n -o-transition-timing-function: ease;\n transition-timing-function: ease;\n -webkit-transition-duration: .35s;\n -o-transition-duration: .35s;\n transition-duration: .35s;\n -webkit-transition-property: height, visibility;\n -o-transition-property: height, visibility;\n transition-property: height, visibility;\n}\n.caret {\n display: inline-block;\n width: 0;\n height: 0;\n margin-left: 2px;\n vertical-align: middle;\n border-top: 4px dashed;\n border-top: 4px solid \\9;\n border-right: 4px solid transparent;\n border-left: 4px solid transparent;\n}\n.dropup,\n.dropdown {\n position: relative;\n}\n.dropdown-toggle:focus {\n outline: 0;\n}\n.dropdown-menu {\n position: absolute;\n top: 100%;\n left: 0;\n z-index: 1000;\n display: none;\n float: left;\n min-width: 160px;\n padding: 5px 0;\n margin: 2px 0 0;\n font-size: 14px;\n text-align: left;\n list-style: none;\n background-color: #fff;\n -webkit-background-clip: padding-box;\n background-clip: padding-box;\n border: 1px solid #ccc;\n border: 1px solid rgba(0, 0, 0, .15);\n border-radius: 4px;\n -webkit-box-shadow: 0 6px 12px rgba(0, 0, 0, .175);\n box-shadow: 0 6px 12px 
rgba(0, 0, 0, .175);\n}\n.dropdown-menu.pull-right {\n right: 0;\n left: auto;\n}\n.dropdown-menu .divider {\n height: 1px;\n margin: 9px 0;\n overflow: hidden;\n background-color: #e5e5e5;\n}\n.dropdown-menu > li > a {\n display: block;\n padding: 3px 20px;\n clear: both;\n font-weight: normal;\n line-height: 1.42857143;\n color: #333;\n white-space: nowrap;\n}\n.dropdown-menu > li > a:hover,\n.dropdown-menu > li > a:focus {\n color: #262626;\n text-decoration: none;\n background-color: #f5f5f5;\n}\n.dropdown-menu > .active > a,\n.dropdown-menu > .active > a:hover,\n.dropdown-menu > .active > a:focus {\n color: #fff;\n text-decoration: none;\n background-color: #337ab7;\n outline: 0;\n}\n.dropdown-menu > .disabled > a,\n.dropdown-menu > .disabled > a:hover,\n.dropdown-menu > .disabled > a:focus {\n color: #777;\n}\n.dropdown-menu > .disabled > a:hover,\n.dropdown-menu > .disabled > a:focus {\n text-decoration: none;\n cursor: not-allowed;\n background-color: transparent;\n background-image: none;\n filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);\n}\n.open > .dropdown-menu {\n display: block;\n}\n.open > a {\n outline: 0;\n}\n.dropdown-menu-right {\n right: 0;\n left: auto;\n}\n.dropdown-menu-left {\n right: auto;\n left: 0;\n}\n.dropdown-header {\n display: block;\n padding: 3px 20px;\n font-size: 12px;\n line-height: 1.42857143;\n color: #777;\n white-space: nowrap;\n}\n.dropdown-backdrop {\n position: fixed;\n top: 0;\n right: 0;\n bottom: 0;\n left: 0;\n z-index: 990;\n}\n.pull-right > .dropdown-menu {\n right: 0;\n left: auto;\n}\n.dropup .caret,\n.navbar-fixed-bottom .dropdown .caret {\n content: \"\";\n border-top: 0;\n border-bottom: 4px dashed;\n border-bottom: 4px solid \\9;\n}\n.dropup .dropdown-menu,\n.navbar-fixed-bottom .dropdown .dropdown-menu {\n top: auto;\n bottom: 100%;\n margin-bottom: 2px;\n}\n@media (min-width: 768px) {\n .navbar-right .dropdown-menu {\n right: 0;\n left: auto;\n }\n .navbar-right .dropdown-menu-left {\n 
right: auto;\n left: 0;\n }\n}\n.btn-group,\n.btn-group-vertical {\n position: relative;\n display: inline-block;\n vertical-align: middle;\n}\n.btn-group > .btn,\n.btn-group-vertical > .btn {\n position: relative;\n float: left;\n}\n.btn-group > .btn:hover,\n.btn-group-vertical > .btn:hover,\n.btn-group > .btn:focus,\n.btn-group-vertical > .btn:focus,\n.btn-group > .btn:active,\n.btn-group-vertical > .btn:active,\n.btn-group > .btn.active,\n.btn-group-vertical > .btn.active {\n z-index: 2;\n}\n.btn-group .btn + .btn,\n.btn-group .btn + .btn-group,\n.btn-group .btn-group + .btn,\n.btn-group .btn-group + .btn-group {\n margin-left: -1px;\n}\n.btn-toolbar {\n margin-left: -5px;\n}\n.btn-toolbar .btn,\n.btn-toolbar .btn-group,\n.btn-toolbar .input-group {\n float: left;\n}\n.btn-toolbar > .btn,\n.btn-toolbar > .btn-group,\n.btn-toolbar > .input-group {\n margin-left: 5px;\n}\n.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {\n border-radius: 0;\n}\n.btn-group > .btn:first-child {\n margin-left: 0;\n}\n.btn-group > .btn:first-child:not(:last-child):not(.dropdown-toggle) {\n border-top-right-radius: 0;\n border-bottom-right-radius: 0;\n}\n.btn-group > .btn:last-child:not(:first-child),\n.btn-group > .dropdown-toggle:not(:first-child) {\n border-top-left-radius: 0;\n border-bottom-left-radius: 0;\n}\n.btn-group > .btn-group {\n float: left;\n}\n.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {\n border-radius: 0;\n}\n.btn-group > .btn-group:first-child:not(:last-child) > .btn:last-child,\n.btn-group > .btn-group:first-child:not(:last-child) > .dropdown-toggle {\n border-top-right-radius: 0;\n border-bottom-right-radius: 0;\n}\n.btn-group > .btn-group:last-child:not(:first-child) > .btn:first-child {\n border-top-left-radius: 0;\n border-bottom-left-radius: 0;\n}\n.btn-group .dropdown-toggle:active,\n.btn-group.open .dropdown-toggle {\n outline: 0;\n}\n.btn-group > .btn + .dropdown-toggle {\n padding-right: 8px;\n padding-left: 
8px;\n}\n.btn-group > .btn-lg + .dropdown-toggle {\n padding-right: 12px;\n padding-left: 12px;\n}\n.btn-group.open .dropdown-toggle {\n -webkit-box-shadow: inset 0 3px 5px rgba(0, 0, 0, .125);\n box-shadow: inset 0 3px 5px rgba(0, 0, 0, .125);\n}\n.btn-group.open .dropdown-toggle.btn-link {\n -webkit-box-shadow: none;\n box-shadow: none;\n}\n.btn .caret {\n margin-left: 0;\n}\n.btn-lg .caret {\n border-width: 5px 5px 0;\n border-bottom-width: 0;\n}\n.dropup .btn-lg .caret {\n border-width: 0 5px 5px;\n}\n.btn-group-vertical > .btn,\n.btn-group-vertical > .btn-group,\n.btn-group-vertical > .btn-group > .btn {\n display: block;\n float: none;\n width: 100%;\n max-width: 100%;\n}\n.btn-group-vertical > .btn-group > .btn {\n float: none;\n}\n.btn-group-vertical > .btn + .btn,\n.btn-group-vertical > .btn + .btn-group,\n.btn-group-vertical > .btn-group + .btn,\n.btn-group-vertical > .btn-group + .btn-group {\n margin-top: -1px;\n margin-left: 0;\n}\n.btn-group-vertical > .btn:not(:first-child):not(:last-child) {\n border-radius: 0;\n}\n.btn-group-vertical > .btn:first-child:not(:last-child) {\n border-top-left-radius: 4px;\n border-top-right-radius: 4px;\n border-bottom-right-radius: 0;\n border-bottom-left-radius: 0;\n}\n.btn-group-vertical > .btn:last-child:not(:first-child) {\n border-top-left-radius: 0;\n border-top-right-radius: 0;\n border-bottom-right-radius: 4px;\n border-bottom-left-radius: 4px;\n}\n.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {\n border-radius: 0;\n}\n.btn-group-vertical > .btn-group:first-child:not(:last-child) > .btn:last-child,\n.btn-group-vertical > .btn-group:first-child:not(:last-child) > .dropdown-toggle {\n border-bottom-right-radius: 0;\n border-bottom-left-radius: 0;\n}\n.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {\n border-top-left-radius: 0;\n border-top-right-radius: 0;\n}\n.btn-group-justified {\n display: table;\n width: 100%;\n table-layout: fixed;\n 
border-collapse: separate;\n}\n.btn-group-justified > .btn,\n.btn-group-justified > .btn-group {\n display: table-cell;\n float: none;\n width: 1%;\n}\n.btn-group-justified > .btn-group .btn {\n width: 100%;\n}\n.btn-group-justified > .btn-group .dropdown-menu {\n left: auto;\n}\n[data-toggle=\"buttons\"] > .btn input[type=\"radio\"],\n[data-toggle=\"buttons\"] > .btn-group > .btn input[type=\"radio\"],\n[data-toggle=\"buttons\"] > .btn input[type=\"checkbox\"],\n[data-toggle=\"buttons\"] > .btn-group > .btn input[type=\"checkbox\"] {\n position: absolute;\n clip: rect(0, 0, 0, 0);\n pointer-events: none;\n}\n.input-group {\n position: relative;\n display: table;\n border-collapse: separate;\n}\n.input-group[class*=\"col-\"] {\n float: none;\n padding-right: 0;\n padding-left: 0;\n}\n.input-group .form-control {\n position: relative;\n z-index: 2;\n float: left;\n width: 100%;\n margin-bottom: 0;\n}\n.input-group .form-control:focus {\n z-index: 3;\n}\n.input-group-lg > .form-control,\n.input-group-lg > .input-group-addon,\n.input-group-lg > .input-group-btn > .btn {\n height: 46px;\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n border-radius: 6px;\n}\nselect.input-group-lg > .form-control,\nselect.input-group-lg > .input-group-addon,\nselect.input-group-lg > .input-group-btn > .btn {\n height: 46px;\n line-height: 46px;\n}\ntextarea.input-group-lg > .form-control,\ntextarea.input-group-lg > .input-group-addon,\ntextarea.input-group-lg > .input-group-btn > .btn,\nselect[multiple].input-group-lg > .form-control,\nselect[multiple].input-group-lg > .input-group-addon,\nselect[multiple].input-group-lg > .input-group-btn > .btn {\n height: auto;\n}\n.input-group-sm > .form-control,\n.input-group-sm > .input-group-addon,\n.input-group-sm > .input-group-btn > .btn {\n height: 30px;\n padding: 5px 10px;\n font-size: 12px;\n line-height: 1.5;\n border-radius: 3px;\n}\nselect.input-group-sm > .form-control,\nselect.input-group-sm > 
.input-group-addon,\nselect.input-group-sm > .input-group-btn > .btn {\n height: 30px;\n line-height: 30px;\n}\ntextarea.input-group-sm > .form-control,\ntextarea.input-group-sm > .input-group-addon,\ntextarea.input-group-sm > .input-group-btn > .btn,\nselect[multiple].input-group-sm > .form-control,\nselect[multiple].input-group-sm > .input-group-addon,\nselect[multiple].input-group-sm > .input-group-btn > .btn {\n height: auto;\n}\n.input-group-addon,\n.input-group-btn,\n.input-group .form-control {\n display: table-cell;\n}\n.input-group-addon:not(:first-child):not(:last-child),\n.input-group-btn:not(:first-child):not(:last-child),\n.input-group .form-control:not(:first-child):not(:last-child) {\n border-radius: 0;\n}\n.input-group-addon,\n.input-group-btn {\n width: 1%;\n white-space: nowrap;\n vertical-align: middle;\n}\n.input-group-addon {\n padding: 6px 12px;\n font-size: 14px;\n font-weight: normal;\n line-height: 1;\n color: #555;\n text-align: center;\n background-color: #eee;\n border: 1px solid #ccc;\n border-radius: 4px;\n}\n.input-group-addon.input-sm {\n padding: 5px 10px;\n font-size: 12px;\n border-radius: 3px;\n}\n.input-group-addon.input-lg {\n padding: 10px 16px;\n font-size: 18px;\n border-radius: 6px;\n}\n.input-group-addon input[type=\"radio\"],\n.input-group-addon input[type=\"checkbox\"] {\n margin-top: 0;\n}\n.input-group .form-control:first-child,\n.input-group-addon:first-child,\n.input-group-btn:first-child > .btn,\n.input-group-btn:first-child > .btn-group > .btn,\n.input-group-btn:first-child > .dropdown-toggle,\n.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),\n.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {\n border-top-right-radius: 0;\n border-bottom-right-radius: 0;\n}\n.input-group-addon:first-child {\n border-right: 0;\n}\n.input-group .form-control:last-child,\n.input-group-addon:last-child,\n.input-group-btn:last-child > .btn,\n.input-group-btn:last-child > .btn-group > 
.btn,\n.input-group-btn:last-child > .dropdown-toggle,\n.input-group-btn:first-child > .btn:not(:first-child),\n.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {\n border-top-left-radius: 0;\n border-bottom-left-radius: 0;\n}\n.input-group-addon:last-child {\n border-left: 0;\n}\n.input-group-btn {\n position: relative;\n font-size: 0;\n white-space: nowrap;\n}\n.input-group-btn > .btn {\n position: relative;\n}\n.input-group-btn > .btn + .btn {\n margin-left: -1px;\n}\n.input-group-btn > .btn:hover,\n.input-group-btn > .btn:focus,\n.input-group-btn > .btn:active {\n z-index: 2;\n}\n.input-group-btn:first-child > .btn,\n.input-group-btn:first-child > .btn-group {\n margin-right: -1px;\n}\n.input-group-btn:last-child > .btn,\n.input-group-btn:last-child > .btn-group {\n z-index: 2;\n margin-left: -1px;\n}\n.nav {\n padding-left: 0;\n margin-bottom: 0;\n list-style: none;\n}\n.nav > li {\n position: relative;\n display: block;\n}\n.nav > li > a {\n position: relative;\n display: block;\n padding: 10px 15px;\n}\n.nav > li > a:hover,\n.nav > li > a:focus {\n text-decoration: none;\n background-color: #eee;\n}\n.nav > li.disabled > a {\n color: #777;\n}\n.nav > li.disabled > a:hover,\n.nav > li.disabled > a:focus {\n color: #777;\n text-decoration: none;\n cursor: not-allowed;\n background-color: transparent;\n}\n.nav .open > a,\n.nav .open > a:hover,\n.nav .open > a:focus {\n background-color: #eee;\n border-color: #337ab7;\n}\n.nav .nav-divider {\n height: 1px;\n margin: 9px 0;\n overflow: hidden;\n background-color: #e5e5e5;\n}\n.nav > li > a > img {\n max-width: none;\n}\n.nav-tabs {\n border-bottom: 1px solid #ddd;\n}\n.nav-tabs > li {\n float: left;\n margin-bottom: -1px;\n}\n.nav-tabs > li > a {\n margin-right: 2px;\n line-height: 1.42857143;\n border: 1px solid transparent;\n border-radius: 4px 4px 0 0;\n}\n.nav-tabs > li > a:hover {\n border-color: #eee #eee #ddd;\n}\n.nav-tabs > li.active > a,\n.nav-tabs > li.active > a:hover,\n.nav-tabs > 
li.active > a:focus {\n color: #555;\n cursor: default;\n background-color: #fff;\n border: 1px solid #ddd;\n border-bottom-color: transparent;\n}\n.nav-tabs.nav-justified {\n width: 100%;\n border-bottom: 0;\n}\n.nav-tabs.nav-justified > li {\n float: none;\n}\n.nav-tabs.nav-justified > li > a {\n margin-bottom: 5px;\n text-align: center;\n}\n.nav-tabs.nav-justified > .dropdown .dropdown-menu {\n top: auto;\n left: auto;\n}\n@media (min-width: 768px) {\n .nav-tabs.nav-justified > li {\n display: table-cell;\n width: 1%;\n }\n .nav-tabs.nav-justified > li > a {\n margin-bottom: 0;\n }\n}\n.nav-tabs.nav-justified > li > a {\n margin-right: 0;\n border-radius: 4px;\n}\n.nav-tabs.nav-justified > .active > a,\n.nav-tabs.nav-justified > .active > a:hover,\n.nav-tabs.nav-justified > .active > a:focus {\n border: 1px solid #ddd;\n}\n@media (min-width: 768px) {\n .nav-tabs.nav-justified > li > a {\n border-bottom: 1px solid #ddd;\n border-radius: 4px 4px 0 0;\n }\n .nav-tabs.nav-justified > .active > a,\n .nav-tabs.nav-justified > .active > a:hover,\n .nav-tabs.nav-justified > .active > a:focus {\n border-bottom-color: #fff;\n }\n}\n.nav-pills > li {\n float: left;\n}\n.nav-pills > li > a {\n border-radius: 4px;\n}\n.nav-pills > li + li {\n margin-left: 2px;\n}\n.nav-pills > li.active > a,\n.nav-pills > li.active > a:hover,\n.nav-pills > li.active > a:focus {\n color: #fff;\n background-color: #337ab7;\n}\n.nav-stacked > li {\n float: none;\n}\n.nav-stacked > li + li {\n margin-top: 2px;\n margin-left: 0;\n}\n.nav-justified {\n width: 100%;\n}\n.nav-justified > li {\n float: none;\n}\n.nav-justified > li > a {\n margin-bottom: 5px;\n text-align: center;\n}\n.nav-justified > .dropdown .dropdown-menu {\n top: auto;\n left: auto;\n}\n@media (min-width: 768px) {\n .nav-justified > li {\n display: table-cell;\n width: 1%;\n }\n .nav-justified > li > a {\n margin-bottom: 0;\n }\n}\n.nav-tabs-justified {\n border-bottom: 0;\n}\n.nav-tabs-justified > li > a {\n margin-right: 0;\n 
border-radius: 4px;\n}\n.nav-tabs-justified > .active > a,\n.nav-tabs-justified > .active > a:hover,\n.nav-tabs-justified > .active > a:focus {\n border: 1px solid #ddd;\n}\n@media (min-width: 768px) {\n .nav-tabs-justified > li > a {\n border-bottom: 1px solid #ddd;\n border-radius: 4px 4px 0 0;\n }\n .nav-tabs-justified > .active > a,\n .nav-tabs-justified > .active > a:hover,\n .nav-tabs-justified > .active > a:focus {\n border-bottom-color: #fff;\n }\n}\n.tab-content > .tab-pane {\n display: none;\n}\n.tab-content > .active {\n display: block;\n}\n.nav-tabs .dropdown-menu {\n margin-top: -1px;\n border-top-left-radius: 0;\n border-top-right-radius: 0;\n}\n.navbar {\n position: relative;\n min-height: 50px;\n margin-bottom: 20px;\n border: 1px solid transparent;\n}\n@media (min-width: 768px) {\n .navbar {\n border-radius: 4px;\n }\n}\n@media (min-width: 768px) {\n .navbar-header {\n float: left;\n }\n}\n.navbar-collapse {\n padding-right: 15px;\n padding-left: 15px;\n overflow-x: visible;\n -webkit-overflow-scrolling: touch;\n border-top: 1px solid transparent;\n -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, .1);\n box-shadow: inset 0 1px 0 rgba(255, 255, 255, .1);\n}\n.navbar-collapse.in {\n overflow-y: auto;\n}\n@media (min-width: 768px) {\n .navbar-collapse {\n width: auto;\n border-top: 0;\n -webkit-box-shadow: none;\n box-shadow: none;\n }\n .navbar-collapse.collapse {\n display: block !important;\n height: auto !important;\n padding-bottom: 0;\n overflow: visible !important;\n }\n .navbar-collapse.in {\n overflow-y: visible;\n }\n .navbar-fixed-top .navbar-collapse,\n .navbar-static-top .navbar-collapse,\n .navbar-fixed-bottom .navbar-collapse {\n padding-right: 0;\n padding-left: 0;\n }\n}\n.navbar-fixed-top .navbar-collapse,\n.navbar-fixed-bottom .navbar-collapse {\n max-height: 340px;\n}\n@media (max-device-width: 480px) and (orientation: landscape) {\n .navbar-fixed-top .navbar-collapse,\n .navbar-fixed-bottom .navbar-collapse {\n max-height: 
200px;\n }\n}\n.container > .navbar-header,\n.container-fluid > .navbar-header,\n.container > .navbar-collapse,\n.container-fluid > .navbar-collapse {\n margin-right: -15px;\n margin-left: -15px;\n}\n@media (min-width: 768px) {\n .container > .navbar-header,\n .container-fluid > .navbar-header,\n .container > .navbar-collapse,\n .container-fluid > .navbar-collapse {\n margin-right: 0;\n margin-left: 0;\n }\n}\n.navbar-static-top {\n z-index: 1000;\n border-width: 0 0 1px;\n}\n@media (min-width: 768px) {\n .navbar-static-top {\n border-radius: 0;\n }\n}\n.navbar-fixed-top,\n.navbar-fixed-bottom {\n position: fixed;\n right: 0;\n left: 0;\n z-index: 1030;\n}\n@media (min-width: 768px) {\n .navbar-fixed-top,\n .navbar-fixed-bottom {\n border-radius: 0;\n }\n}\n.navbar-fixed-top {\n top: 0;\n border-width: 0 0 1px;\n}\n.navbar-fixed-bottom {\n bottom: 0;\n margin-bottom: 0;\n border-width: 1px 0 0;\n}\n.navbar-brand {\n float: left;\n height: 50px;\n padding: 15px 15px;\n font-size: 18px;\n line-height: 20px;\n}\n.navbar-brand:hover,\n.navbar-brand:focus {\n text-decoration: none;\n}\n.navbar-brand > img {\n display: block;\n}\n@media (min-width: 768px) {\n .navbar > .container .navbar-brand,\n .navbar > .container-fluid .navbar-brand {\n margin-left: -15px;\n }\n}\n.navbar-toggle {\n position: relative;\n float: right;\n padding: 9px 10px;\n margin-top: 8px;\n margin-right: 15px;\n margin-bottom: 8px;\n background-color: transparent;\n background-image: none;\n border: 1px solid transparent;\n border-radius: 4px;\n}\n.navbar-toggle:focus {\n outline: 0;\n}\n.navbar-toggle .icon-bar {\n display: block;\n width: 22px;\n height: 2px;\n border-radius: 1px;\n}\n.navbar-toggle .icon-bar + .icon-bar {\n margin-top: 4px;\n}\n@media (min-width: 768px) {\n .navbar-toggle {\n display: none;\n }\n}\n.navbar-nav {\n margin: 7.5px -15px;\n}\n.navbar-nav > li > a {\n padding-top: 10px;\n padding-bottom: 10px;\n line-height: 20px;\n}\n@media (max-width: 767px) {\n .navbar-nav .open 
.dropdown-menu {\n position: static;\n float: none;\n width: auto;\n margin-top: 0;\n background-color: transparent;\n border: 0;\n -webkit-box-shadow: none;\n box-shadow: none;\n }\n .navbar-nav .open .dropdown-menu > li > a,\n .navbar-nav .open .dropdown-menu .dropdown-header {\n padding: 5px 15px 5px 25px;\n }\n .navbar-nav .open .dropdown-menu > li > a {\n line-height: 20px;\n }\n .navbar-nav .open .dropdown-menu > li > a:hover,\n .navbar-nav .open .dropdown-menu > li > a:focus {\n background-image: none;\n }\n}\n@media (min-width: 768px) {\n .navbar-nav {\n float: left;\n margin: 0;\n }\n .navbar-nav > li {\n float: left;\n }\n .navbar-nav > li > a {\n padding-top: 15px;\n padding-bottom: 15px;\n }\n}\n.navbar-form {\n padding: 10px 15px;\n margin-top: 8px;\n margin-right: -15px;\n margin-bottom: 8px;\n margin-left: -15px;\n border-top: 1px solid transparent;\n border-bottom: 1px solid transparent;\n -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, .1), 0 1px 0 rgba(255, 255, 255, .1);\n box-shadow: inset 0 1px 0 rgba(255, 255, 255, .1), 0 1px 0 rgba(255, 255, 255, .1);\n}\n@media (min-width: 768px) {\n .navbar-form .form-group {\n display: inline-block;\n margin-bottom: 0;\n vertical-align: middle;\n }\n .navbar-form .form-control {\n display: inline-block;\n width: auto;\n vertical-align: middle;\n }\n .navbar-form .form-control-static {\n display: inline-block;\n }\n .navbar-form .input-group {\n display: inline-table;\n vertical-align: middle;\n }\n .navbar-form .input-group .input-group-addon,\n .navbar-form .input-group .input-group-btn,\n .navbar-form .input-group .form-control {\n width: auto;\n }\n .navbar-form .input-group > .form-control {\n width: 100%;\n }\n .navbar-form .control-label {\n margin-bottom: 0;\n vertical-align: middle;\n }\n .navbar-form .radio,\n .navbar-form .checkbox {\n display: inline-block;\n margin-top: 0;\n margin-bottom: 0;\n vertical-align: middle;\n }\n .navbar-form .radio label,\n .navbar-form .checkbox label {\n 
padding-left: 0;\n }\n .navbar-form .radio input[type=\"radio\"],\n .navbar-form .checkbox input[type=\"checkbox\"] {\n position: relative;\n margin-left: 0;\n }\n .navbar-form .has-feedback .form-control-feedback {\n top: 0;\n }\n}\n@media (max-width: 767px) {\n .navbar-form .form-group {\n margin-bottom: 5px;\n }\n .navbar-form .form-group:last-child {\n margin-bottom: 0;\n }\n}\n@media (min-width: 768px) {\n .navbar-form {\n width: auto;\n padding-top: 0;\n padding-bottom: 0;\n margin-right: 0;\n margin-left: 0;\n border: 0;\n -webkit-box-shadow: none;\n box-shadow: none;\n }\n}\n.navbar-nav > li > .dropdown-menu {\n margin-top: 0;\n border-top-left-radius: 0;\n border-top-right-radius: 0;\n}\n.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {\n margin-bottom: 0;\n border-top-left-radius: 4px;\n border-top-right-radius: 4px;\n border-bottom-right-radius: 0;\n border-bottom-left-radius: 0;\n}\n.navbar-btn {\n margin-top: 8px;\n margin-bottom: 8px;\n}\n.navbar-btn.btn-sm {\n margin-top: 10px;\n margin-bottom: 10px;\n}\n.navbar-btn.btn-xs {\n margin-top: 14px;\n margin-bottom: 14px;\n}\n.navbar-text {\n margin-top: 15px;\n margin-bottom: 15px;\n}\n@media (min-width: 768px) {\n .navbar-text {\n float: left;\n margin-right: 15px;\n margin-left: 15px;\n }\n}\n@media (min-width: 768px) {\n .navbar-left {\n float: left !important;\n }\n .navbar-right {\n float: right !important;\n margin-right: -15px;\n }\n .navbar-right ~ .navbar-right {\n margin-right: 0;\n }\n}\n.navbar-default {\n background-color: #f8f8f8;\n border-color: #e7e7e7;\n}\n.navbar-default .navbar-brand {\n color: #777;\n}\n.navbar-default .navbar-brand:hover,\n.navbar-default .navbar-brand:focus {\n color: #5e5e5e;\n background-color: transparent;\n}\n.navbar-default .navbar-text {\n color: #777;\n}\n.navbar-default .navbar-nav > li > a {\n color: #777;\n}\n.navbar-default .navbar-nav > li > a:hover,\n.navbar-default .navbar-nav > li > a:focus {\n color: #333;\n background-color: 
transparent;\n}\n.navbar-default .navbar-nav > .active > a,\n.navbar-default .navbar-nav > .active > a:hover,\n.navbar-default .navbar-nav > .active > a:focus {\n color: #555;\n background-color: #e7e7e7;\n}\n.navbar-default .navbar-nav > .disabled > a,\n.navbar-default .navbar-nav > .disabled > a:hover,\n.navbar-default .navbar-nav > .disabled > a:focus {\n color: #ccc;\n background-color: transparent;\n}\n.navbar-default .navbar-toggle {\n border-color: #ddd;\n}\n.navbar-default .navbar-toggle:hover,\n.navbar-default .navbar-toggle:focus {\n background-color: #ddd;\n}\n.navbar-default .navbar-toggle .icon-bar {\n background-color: #888;\n}\n.navbar-default .navbar-collapse,\n.navbar-default .navbar-form {\n border-color: #e7e7e7;\n}\n.navbar-default .navbar-nav > .open > a,\n.navbar-default .navbar-nav > .open > a:hover,\n.navbar-default .navbar-nav > .open > a:focus {\n color: #555;\n background-color: #e7e7e7;\n}\n@media (max-width: 767px) {\n .navbar-default .navbar-nav .open .dropdown-menu > li > a {\n color: #777;\n }\n .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover,\n .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus {\n color: #333;\n background-color: transparent;\n }\n .navbar-default .navbar-nav .open .dropdown-menu > .active > a,\n .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover,\n .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus {\n color: #555;\n background-color: #e7e7e7;\n }\n .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a,\n .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover,\n .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus {\n color: #ccc;\n background-color: transparent;\n }\n}\n.navbar-default .navbar-link {\n color: #777;\n}\n.navbar-default .navbar-link:hover {\n color: #333;\n}\n.navbar-default .btn-link {\n color: #777;\n}\n.navbar-default .btn-link:hover,\n.navbar-default .btn-link:focus {\n color: 
#333;\n}\n.navbar-default .btn-link[disabled]:hover,\nfieldset[disabled] .navbar-default .btn-link:hover,\n.navbar-default .btn-link[disabled]:focus,\nfieldset[disabled] .navbar-default .btn-link:focus {\n color: #ccc;\n}\n.navbar-inverse {\n background-color: #222;\n border-color: #080808;\n}\n.navbar-inverse .navbar-brand {\n color: #9d9d9d;\n}\n.navbar-inverse .navbar-brand:hover,\n.navbar-inverse .navbar-brand:focus {\n color: #fff;\n background-color: transparent;\n}\n.navbar-inverse .navbar-text {\n color: #9d9d9d;\n}\n.navbar-inverse .navbar-nav > li > a {\n color: #9d9d9d;\n}\n.navbar-inverse .navbar-nav > li > a:hover,\n.navbar-inverse .navbar-nav > li > a:focus {\n color: #fff;\n background-color: transparent;\n}\n.navbar-inverse .navbar-nav > .active > a,\n.navbar-inverse .navbar-nav > .active > a:hover,\n.navbar-inverse .navbar-nav > .active > a:focus {\n color: #fff;\n background-color: #080808;\n}\n.navbar-inverse .navbar-nav > .disabled > a,\n.navbar-inverse .navbar-nav > .disabled > a:hover,\n.navbar-inverse .navbar-nav > .disabled > a:focus {\n color: #444;\n background-color: transparent;\n}\n.navbar-inverse .navbar-toggle {\n border-color: #333;\n}\n.navbar-inverse .navbar-toggle:hover,\n.navbar-inverse .navbar-toggle:focus {\n background-color: #333;\n}\n.navbar-inverse .navbar-toggle .icon-bar {\n background-color: #fff;\n}\n.navbar-inverse .navbar-collapse,\n.navbar-inverse .navbar-form {\n border-color: #101010;\n}\n.navbar-inverse .navbar-nav > .open > a,\n.navbar-inverse .navbar-nav > .open > a:hover,\n.navbar-inverse .navbar-nav > .open > a:focus {\n color: #fff;\n background-color: #080808;\n}\n@media (max-width: 767px) {\n .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header {\n border-color: #080808;\n }\n .navbar-inverse .navbar-nav .open .dropdown-menu .divider {\n background-color: #080808;\n }\n .navbar-inverse .navbar-nav .open .dropdown-menu > li > a {\n color: #9d9d9d;\n }\n .navbar-inverse .navbar-nav .open 
.dropdown-menu > li > a:hover,\n .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {\n color: #fff;\n background-color: transparent;\n }\n .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a,\n .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover,\n .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {\n color: #fff;\n background-color: #080808;\n }\n .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a,\n .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover,\n .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {\n color: #444;\n background-color: transparent;\n }\n}\n.navbar-inverse .navbar-link {\n color: #9d9d9d;\n}\n.navbar-inverse .navbar-link:hover {\n color: #fff;\n}\n.navbar-inverse .btn-link {\n color: #9d9d9d;\n}\n.navbar-inverse .btn-link:hover,\n.navbar-inverse .btn-link:focus {\n color: #fff;\n}\n.navbar-inverse .btn-link[disabled]:hover,\nfieldset[disabled] .navbar-inverse .btn-link:hover,\n.navbar-inverse .btn-link[disabled]:focus,\nfieldset[disabled] .navbar-inverse .btn-link:focus {\n color: #444;\n}\n.breadcrumb {\n padding: 8px 15px;\n margin-bottom: 20px;\n list-style: none;\n background-color: #f5f5f5;\n border-radius: 4px;\n}\n.breadcrumb > li {\n display: inline-block;\n}\n.breadcrumb > li + li:before {\n padding: 0 5px;\n color: #ccc;\n content: \"/\\00a0\";\n}\n.breadcrumb > .active {\n color: #777;\n}\n.pagination {\n display: inline-block;\n padding-left: 0;\n margin: 20px 0;\n border-radius: 4px;\n}\n.pagination > li {\n display: inline;\n}\n.pagination > li > a,\n.pagination > li > span {\n position: relative;\n float: left;\n padding: 6px 12px;\n margin-left: -1px;\n line-height: 1.42857143;\n color: #337ab7;\n text-decoration: none;\n background-color: #fff;\n border: 1px solid #ddd;\n}\n.pagination > li:first-child > a,\n.pagination > li:first-child > span {\n margin-left: 0;\n border-top-left-radius: 4px;\n 
border-bottom-left-radius: 4px;\n}\n.pagination > li:last-child > a,\n.pagination > li:last-child > span {\n border-top-right-radius: 4px;\n border-bottom-right-radius: 4px;\n}\n.pagination > li > a:hover,\n.pagination > li > span:hover,\n.pagination > li > a:focus,\n.pagination > li > span:focus {\n z-index: 2;\n color: #23527c;\n background-color: #eee;\n border-color: #ddd;\n}\n.pagination > .active > a,\n.pagination > .active > span,\n.pagination > .active > a:hover,\n.pagination > .active > span:hover,\n.pagination > .active > a:focus,\n.pagination > .active > span:focus {\n z-index: 3;\n color: #fff;\n cursor: default;\n background-color: #337ab7;\n border-color: #337ab7;\n}\n.pagination > .disabled > span,\n.pagination > .disabled > span:hover,\n.pagination > .disabled > span:focus,\n.pagination > .disabled > a,\n.pagination > .disabled > a:hover,\n.pagination > .disabled > a:focus {\n color: #777;\n cursor: not-allowed;\n background-color: #fff;\n border-color: #ddd;\n}\n.pagination-lg > li > a,\n.pagination-lg > li > span {\n padding: 10px 16px;\n font-size: 18px;\n line-height: 1.3333333;\n}\n.pagination-lg > li:first-child > a,\n.pagination-lg > li:first-child > span {\n border-top-left-radius: 6px;\n border-bottom-left-radius: 6px;\n}\n.pagination-lg > li:last-child > a,\n.pagination-lg > li:last-child > span {\n border-top-right-radius: 6px;\n border-bottom-right-radius: 6px;\n}\n.pagination-sm > li > a,\n.pagination-sm > li > span {\n padding: 5px 10px;\n font-size: 12px;\n line-height: 1.5;\n}\n.pagination-sm > li:first-child > a,\n.pagination-sm > li:first-child > span {\n border-top-left-radius: 3px;\n border-bottom-left-radius: 3px;\n}\n.pagination-sm > li:last-child > a,\n.pagination-sm > li:last-child > span {\n border-top-right-radius: 3px;\n border-bottom-right-radius: 3px;\n}\n.pager {\n padding-left: 0;\n margin: 20px 0;\n text-align: center;\n list-style: none;\n}\n.pager li {\n display: inline;\n}\n.pager li > a,\n.pager li > span {\n 
display: inline-block;\n padding: 5px 14px;\n background-color: #fff;\n border: 1px solid #ddd;\n border-radius: 15px;\n}\n.pager li > a:hover,\n.pager li > a:focus {\n text-decoration: none;\n background-color: #eee;\n}\n.pager .next > a,\n.pager .next > span {\n float: right;\n}\n.pager .previous > a,\n.pager .previous > span {\n float: left;\n}\n.pager .disabled > a,\n.pager .disabled > a:hover,\n.pager .disabled > a:focus,\n.pager .disabled > span {\n color: #777;\n cursor: not-allowed;\n background-color: #fff;\n}\n.label {\n display: inline;\n padding: .2em .6em .3em;\n font-size: 75%;\n font-weight: bold;\n line-height: 1;\n color: #fff;\n text-align: center;\n white-space: nowrap;\n vertical-align: baseline;\n border-radius: .25em;\n}\na.label:hover,\na.label:focus {\n color: #fff;\n text-decoration: none;\n cursor: pointer;\n}\n.label:empty {\n display: none;\n}\n.btn .label {\n position: relative;\n top: -1px;\n}\n.label-default {\n background-color: #777;\n}\n.label-default[href]:hover,\n.label-default[href]:focus {\n background-color: #5e5e5e;\n}\n.label-primary {\n background-color: #337ab7;\n}\n.label-primary[href]:hover,\n.label-primary[href]:focus {\n background-color: #286090;\n}\n.label-success {\n background-color: #5cb85c;\n}\n.label-success[href]:hover,\n.label-success[href]:focus {\n background-color: #449d44;\n}\n.label-info {\n background-color: #5bc0de;\n}\n.label-info[href]:hover,\n.label-info[href]:focus {\n background-color: #31b0d5;\n}\n.label-warning {\n background-color: #f0ad4e;\n}\n.label-warning[href]:hover,\n.label-warning[href]:focus {\n background-color: #ec971f;\n}\n.label-danger {\n background-color: #d9534f;\n}\n.label-danger[href]:hover,\n.label-danger[href]:focus {\n background-color: #c9302c;\n}\n.badge {\n display: inline-block;\n min-width: 10px;\n padding: 3px 7px;\n font-size: 12px;\n font-weight: bold;\n line-height: 1;\n color: #fff;\n text-align: center;\n white-space: nowrap;\n vertical-align: middle;\n 
background-color: #777;\n border-radius: 10px;\n}\n.badge:empty {\n display: none;\n}\n.btn .badge {\n position: relative;\n top: -1px;\n}\n.btn-xs .badge,\n.btn-group-xs > .btn .badge {\n top: 0;\n padding: 1px 5px;\n}\na.badge:hover,\na.badge:focus {\n color: #fff;\n text-decoration: none;\n cursor: pointer;\n}\n.list-group-item.active > .badge,\n.nav-pills > .active > a > .badge {\n color: #337ab7;\n background-color: #fff;\n}\n.list-group-item > .badge {\n float: right;\n}\n.list-group-item > .badge + .badge {\n margin-right: 5px;\n}\n.nav-pills > li > a > .badge {\n margin-left: 3px;\n}\n.jumbotron {\n padding-top: 30px;\n padding-bottom: 30px;\n margin-bottom: 30px;\n color: inherit;\n background-color: #eee;\n}\n.jumbotron h1,\n.jumbotron .h1 {\n color: inherit;\n}\n.jumbotron p {\n margin-bottom: 15px;\n font-size: 21px;\n font-weight: 200;\n}\n.jumbotron > hr {\n border-top-color: #d5d5d5;\n}\n.container .jumbotron,\n.container-fluid .jumbotron {\n padding-right: 15px;\n padding-left: 15px;\n border-radius: 6px;\n}\n.jumbotron .container {\n max-width: 100%;\n}\n@media screen and (min-width: 768px) {\n .jumbotron {\n padding-top: 48px;\n padding-bottom: 48px;\n }\n .container .jumbotron,\n .container-fluid .jumbotron {\n padding-right: 60px;\n padding-left: 60px;\n }\n .jumbotron h1,\n .jumbotron .h1 {\n font-size: 63px;\n }\n}\n.thumbnail {\n display: block;\n padding: 4px;\n margin-bottom: 20px;\n line-height: 1.42857143;\n background-color: #fff;\n border: 1px solid #ddd;\n border-radius: 4px;\n -webkit-transition: border .2s ease-in-out;\n -o-transition: border .2s ease-in-out;\n transition: border .2s ease-in-out;\n}\n.thumbnail > img,\n.thumbnail a > img {\n margin-right: auto;\n margin-left: auto;\n}\na.thumbnail:hover,\na.thumbnail:focus,\na.thumbnail.active {\n border-color: #337ab7;\n}\n.thumbnail .caption {\n padding: 9px;\n color: #333;\n}\n.alert {\n padding: 15px;\n margin-bottom: 20px;\n border: 1px solid transparent;\n border-radius: 
4px;\n}\n.alert h4 {\n margin-top: 0;\n color: inherit;\n}\n.alert .alert-link {\n font-weight: bold;\n}\n.alert > p,\n.alert > ul {\n margin-bottom: 0;\n}\n.alert > p + p {\n margin-top: 5px;\n}\n.alert-dismissable,\n.alert-dismissible {\n padding-right: 35px;\n}\n.alert-dismissable .close,\n.alert-dismissible .close {\n position: relative;\n top: -2px;\n right: -21px;\n color: inherit;\n}\n.alert-success {\n color: #3c763d;\n background-color: #dff0d8;\n border-color: #d6e9c6;\n}\n.alert-success hr {\n border-top-color: #c9e2b3;\n}\n.alert-success .alert-link {\n color: #2b542c;\n}\n.alert-info {\n color: #31708f;\n background-color: #d9edf7;\n border-color: #bce8f1;\n}\n.alert-info hr {\n border-top-color: #a6e1ec;\n}\n.alert-info .alert-link {\n color: #245269;\n}\n.alert-warning {\n color: #8a6d3b;\n background-color: #fcf8e3;\n border-color: #faebcc;\n}\n.alert-warning hr {\n border-top-color: #f7e1b5;\n}\n.alert-warning .alert-link {\n color: #66512c;\n}\n.alert-danger {\n color: #a94442;\n background-color: #f2dede;\n border-color: #ebccd1;\n}\n.alert-danger hr {\n border-top-color: #e4b9c0;\n}\n.alert-danger .alert-link {\n color: #843534;\n}\n@-webkit-keyframes progress-bar-stripes {\n from {\n background-position: 40px 0;\n }\n to {\n background-position: 0 0;\n }\n}\n@-o-keyframes progress-bar-stripes {\n from {\n background-position: 40px 0;\n }\n to {\n background-position: 0 0;\n }\n}\n@keyframes progress-bar-stripes {\n from {\n background-position: 40px 0;\n }\n to {\n background-position: 0 0;\n }\n}\n.progress {\n height: 20px;\n margin-bottom: 20px;\n overflow: hidden;\n background-color: #f5f5f5;\n border-radius: 4px;\n -webkit-box-shadow: inset 0 1px 2px rgba(0, 0, 0, .1);\n box-shadow: inset 0 1px 2px rgba(0, 0, 0, .1);\n}\n.progress-bar {\n float: left;\n width: 0;\n height: 100%;\n font-size: 12px;\n line-height: 20px;\n color: #fff;\n text-align: center;\n background-color: #337ab7;\n -webkit-box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 
.15);\n box-shadow: inset 0 -1px 0 rgba(0, 0, 0, .15);\n -webkit-transition: width .6s ease;\n -o-transition: width .6s ease;\n transition: width .6s ease;\n}\n.progress-striped .progress-bar,\n.progress-bar-striped {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n -webkit-background-size: 40px 40px;\n background-size: 40px 40px;\n}\n.progress.active .progress-bar,\n.progress-bar.active {\n -webkit-animation: progress-bar-stripes 2s linear infinite;\n -o-animation: progress-bar-stripes 2s linear infinite;\n animation: progress-bar-stripes 2s linear infinite;\n}\n.progress-bar-success {\n background-color: #5cb85c;\n}\n.progress-striped .progress-bar-success {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n}\n.progress-bar-info {\n background-color: #5bc0de;\n}\n.progress-striped .progress-bar-info {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 
.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n}\n.progress-bar-warning {\n background-color: #f0ad4e;\n}\n.progress-striped .progress-bar-warning {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n}\n.progress-bar-danger {\n background-color: #d9534f;\n}\n.progress-striped .progress-bar-danger {\n background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n background-image: linear-gradient(45deg, rgba(255, 255, 255, .15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, .15) 50%, rgba(255, 255, 255, .15) 75%, transparent 75%, transparent);\n}\n.media {\n margin-top: 
15px;\n}\n.media:first-child {\n margin-top: 0;\n}\n.media,\n.media-body {\n overflow: hidden;\n zoom: 1;\n}\n.media-body {\n width: 10000px;\n}\n.media-object {\n display: block;\n}\n.media-object.img-thumbnail {\n max-width: none;\n}\n.media-right,\n.media > .pull-right {\n padding-left: 10px;\n}\n.media-left,\n.media > .pull-left {\n padding-right: 10px;\n}\n.media-left,\n.media-right,\n.media-body {\n display: table-cell;\n vertical-align: top;\n}\n.media-middle {\n vertical-align: middle;\n}\n.media-bottom {\n vertical-align: bottom;\n}\n.media-heading {\n margin-top: 0;\n margin-bottom: 5px;\n}\n.media-list {\n padding-left: 0;\n list-style: none;\n}\n.list-group {\n padding-left: 0;\n margin-bottom: 20px;\n}\n.list-group-item {\n position: relative;\n display: block;\n padding: 10px 15px;\n margin-bottom: -1px;\n background-color: #fff;\n border: 1px solid #ddd;\n}\n.list-group-item:first-child {\n border-top-left-radius: 4px;\n border-top-right-radius: 4px;\n}\n.list-group-item:last-child {\n margin-bottom: 0;\n border-bottom-right-radius: 4px;\n border-bottom-left-radius: 4px;\n}\na.list-group-item,\nbutton.list-group-item {\n color: #555;\n}\na.list-group-item .list-group-item-heading,\nbutton.list-group-item .list-group-item-heading {\n color: #333;\n}\na.list-group-item:hover,\nbutton.list-group-item:hover,\na.list-group-item:focus,\nbutton.list-group-item:focus {\n color: #555;\n text-decoration: none;\n background-color: #f5f5f5;\n}\nbutton.list-group-item {\n width: 100%;\n text-align: left;\n}\n.list-group-item.disabled,\n.list-group-item.disabled:hover,\n.list-group-item.disabled:focus {\n color: #777;\n cursor: not-allowed;\n background-color: #eee;\n}\n.list-group-item.disabled .list-group-item-heading,\n.list-group-item.disabled:hover .list-group-item-heading,\n.list-group-item.disabled:focus .list-group-item-heading {\n color: inherit;\n}\n.list-group-item.disabled .list-group-item-text,\n.list-group-item.disabled:hover 
.list-group-item-text,\n.list-group-item.disabled:focus .list-group-item-text {\n color: #777;\n}\n.list-group-item.active,\n.list-group-item.active:hover,\n.list-group-item.active:focus {\n z-index: 2;\n color: #fff;\n background-color: #337ab7;\n border-color: #337ab7;\n}\n.list-group-item.active .list-group-item-heading,\n.list-group-item.active:hover .list-group-item-heading,\n.list-group-item.active:focus .list-group-item-heading,\n.list-group-item.active .list-group-item-heading > small,\n.list-group-item.active:hover .list-group-item-heading > small,\n.list-group-item.active:focus .list-group-item-heading > small,\n.list-group-item.active .list-group-item-heading > .small,\n.list-group-item.active:hover .list-group-item-heading > .small,\n.list-group-item.active:focus .list-group-item-heading > .small {\n color: inherit;\n}\n.list-group-item.active .list-group-item-text,\n.list-group-item.active:hover .list-group-item-text,\n.list-group-item.active:focus .list-group-item-text {\n color: #c7ddef;\n}\n.list-group-item-success {\n color: #3c763d;\n background-color: #dff0d8;\n}\na.list-group-item-success,\nbutton.list-group-item-success {\n color: #3c763d;\n}\na.list-group-item-success .list-group-item-heading,\nbutton.list-group-item-success .list-group-item-heading {\n color: inherit;\n}\na.list-group-item-success:hover,\nbutton.list-group-item-success:hover,\na.list-group-item-success:focus,\nbutton.list-group-item-success:focus {\n color: #3c763d;\n background-color: #d0e9c6;\n}\na.list-group-item-success.active,\nbutton.list-group-item-success.active,\na.list-group-item-success.active:hover,\nbutton.list-group-item-success.active:hover,\na.list-group-item-success.active:focus,\nbutton.list-group-item-success.active:focus {\n color: #fff;\n background-color: #3c763d;\n border-color: #3c763d;\n}\n.list-group-item-info {\n color: #31708f;\n background-color: #d9edf7;\n}\na.list-group-item-info,\nbutton.list-group-item-info {\n color: 
#31708f;\n}\na.list-group-item-info .list-group-item-heading,\nbutton.list-group-item-info .list-group-item-heading {\n color: inherit;\n}\na.list-group-item-info:hover,\nbutton.list-group-item-info:hover,\na.list-group-item-info:focus,\nbutton.list-group-item-info:focus {\n color: #31708f;\n background-color: #c4e3f3;\n}\na.list-group-item-info.active,\nbutton.list-group-item-info.active,\na.list-group-item-info.active:hover,\nbutton.list-group-item-info.active:hover,\na.list-group-item-info.active:focus,\nbutton.list-group-item-info.active:focus {\n color: #fff;\n background-color: #31708f;\n border-color: #31708f;\n}\n.list-group-item-warning {\n color: #8a6d3b;\n background-color: #fcf8e3;\n}\na.list-group-item-warning,\nbutton.list-group-item-warning {\n color: #8a6d3b;\n}\na.list-group-item-warning .list-group-item-heading,\nbutton.list-group-item-warning .list-group-item-heading {\n color: inherit;\n}\na.list-group-item-warning:hover,\nbutton.list-group-item-warning:hover,\na.list-group-item-warning:focus,\nbutton.list-group-item-warning:focus {\n color: #8a6d3b;\n background-color: #faf2cc;\n}\na.list-group-item-warning.active,\nbutton.list-group-item-warning.active,\na.list-group-item-warning.active:hover,\nbutton.list-group-item-warning.active:hover,\na.list-group-item-warning.active:focus,\nbutton.list-group-item-warning.active:focus {\n color: #fff;\n background-color: #8a6d3b;\n border-color: #8a6d3b;\n}\n.list-group-item-danger {\n color: #a94442;\n background-color: #f2dede;\n}\na.list-group-item-danger,\nbutton.list-group-item-danger {\n color: #a94442;\n}\na.list-group-item-danger .list-group-item-heading,\nbutton.list-group-item-danger .list-group-item-heading {\n color: inherit;\n}\na.list-group-item-danger:hover,\nbutton.list-group-item-danger:hover,\na.list-group-item-danger:focus,\nbutton.list-group-item-danger:focus {\n color: #a94442;\n background-color: 
#ebcccc;\n}\na.list-group-item-danger.active,\nbutton.list-group-item-danger.active,\na.list-group-item-danger.active:hover,\nbutton.list-group-item-danger.active:hover,\na.list-group-item-danger.active:focus,\nbutton.list-group-item-danger.active:focus {\n color: #fff;\n background-color: #a94442;\n border-color: #a94442;\n}\n.list-group-item-heading {\n margin-top: 0;\n margin-bottom: 5px;\n}\n.list-group-item-text {\n margin-bottom: 0;\n line-height: 1.3;\n}\n.panel {\n margin-bottom: 20px;\n background-color: #fff;\n border: 1px solid transparent;\n border-radius: 4px;\n -webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .05);\n box-shadow: 0 1px 1px rgba(0, 0, 0, .05);\n}\n.panel-body {\n padding: 15px;\n}\n.panel-heading {\n padding: 10px 15px;\n border-bottom: 1px solid transparent;\n border-top-left-radius: 3px;\n border-top-right-radius: 3px;\n}\n.panel-heading > .dropdown .dropdown-toggle {\n color: inherit;\n}\n.panel-title {\n margin-top: 0;\n margin-bottom: 0;\n font-size: 16px;\n color: inherit;\n}\n.panel-title > a,\n.panel-title > small,\n.panel-title > .small,\n.panel-title > small > a,\n.panel-title > .small > a {\n color: inherit;\n}\n.panel-footer {\n padding: 10px 15px;\n background-color: #f5f5f5;\n border-top: 1px solid #ddd;\n border-bottom-right-radius: 3px;\n border-bottom-left-radius: 3px;\n}\n.panel > .list-group,\n.panel > .panel-collapse > .list-group {\n margin-bottom: 0;\n}\n.panel > .list-group .list-group-item,\n.panel > .panel-collapse > .list-group .list-group-item {\n border-width: 1px 0;\n border-radius: 0;\n}\n.panel > .list-group:first-child .list-group-item:first-child,\n.panel > .panel-collapse > .list-group:first-child .list-group-item:first-child {\n border-top: 0;\n border-top-left-radius: 3px;\n border-top-right-radius: 3px;\n}\n.panel > .list-group:last-child .list-group-item:last-child,\n.panel > .panel-collapse > .list-group:last-child .list-group-item:last-child {\n border-bottom: 0;\n border-bottom-right-radius: 3px;\n 
border-bottom-left-radius: 3px;\n}\n.panel > .panel-heading + .panel-collapse > .list-group .list-group-item:first-child {\n border-top-left-radius: 0;\n border-top-right-radius: 0;\n}\n.panel-heading + .list-group .list-group-item:first-child {\n border-top-width: 0;\n}\n.list-group + .panel-footer {\n border-top-width: 0;\n}\n.panel > .table,\n.panel > .table-responsive > .table,\n.panel > .panel-collapse > .table {\n margin-bottom: 0;\n}\n.panel > .table caption,\n.panel > .table-responsive > .table caption,\n.panel > .panel-collapse > .table caption {\n padding-right: 15px;\n padding-left: 15px;\n}\n.panel > .table:first-child,\n.panel > .table-responsive:first-child > .table:first-child {\n border-top-left-radius: 3px;\n border-top-right-radius: 3px;\n}\n.panel > .table:first-child > thead:first-child > tr:first-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child {\n border-top-left-radius: 3px;\n border-top-right-radius: 3px;\n}\n.panel > .table:first-child > thead:first-child > tr:first-child td:first-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child td:first-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child,\n.panel > .table:first-child > thead:first-child > tr:first-child th:first-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child th:first-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child {\n border-top-left-radius: 3px;\n}\n.panel > 
.table:first-child > thead:first-child > tr:first-child td:last-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child td:last-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:last-child,\n.panel > .table:first-child > thead:first-child > tr:first-child th:last-child,\n.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child,\n.panel > .table:first-child > tbody:first-child > tr:first-child th:last-child,\n.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child {\n border-top-right-radius: 3px;\n}\n.panel > .table:last-child,\n.panel > .table-responsive:last-child > .table:last-child {\n border-bottom-right-radius: 3px;\n border-bottom-left-radius: 3px;\n}\n.panel > .table:last-child > tbody:last-child > tr:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child,\n.panel > .table:last-child > tfoot:last-child > tr:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child {\n border-bottom-right-radius: 3px;\n border-bottom-left-radius: 3px;\n}\n.panel > .table:last-child > tbody:last-child > tr:last-child td:first-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child,\n.panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child,\n.panel > .table:last-child > tbody:last-child > tr:last-child th:first-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child,\n.panel > .table:last-child > tfoot:last-child > tr:last-child 
th:first-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child {\n border-bottom-left-radius: 3px;\n}\n.panel > .table:last-child > tbody:last-child > tr:last-child td:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child,\n.panel > .table:last-child > tfoot:last-child > tr:last-child td:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child,\n.panel > .table:last-child > tbody:last-child > tr:last-child th:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child,\n.panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child,\n.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child {\n border-bottom-right-radius: 3px;\n}\n.panel > .panel-body + .table,\n.panel > .panel-body + .table-responsive,\n.panel > .table + .panel-body,\n.panel > .table-responsive + .panel-body {\n border-top: 1px solid #ddd;\n}\n.panel > .table > tbody:first-child > tr:first-child th,\n.panel > .table > tbody:first-child > tr:first-child td {\n border-top: 0;\n}\n.panel > .table-bordered,\n.panel > .table-responsive > .table-bordered {\n border: 0;\n}\n.panel > .table-bordered > thead > tr > th:first-child,\n.panel > .table-responsive > .table-bordered > thead > tr > th:first-child,\n.panel > .table-bordered > tbody > tr > th:first-child,\n.panel > .table-responsive > .table-bordered > tbody > tr > th:first-child,\n.panel > .table-bordered > tfoot > tr > th:first-child,\n.panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child,\n.panel > .table-bordered > thead > tr > td:first-child,\n.panel > .table-responsive > .table-bordered > thead > tr > td:first-child,\n.panel > .table-bordered > tbody > tr > td:first-child,\n.panel > .table-responsive > 
.table-bordered > tbody > tr > td:first-child,\n.panel > .table-bordered > tfoot > tr > td:first-child,\n.panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child {\n border-left: 0;\n}\n.panel > .table-bordered > thead > tr > th:last-child,\n.panel > .table-responsive > .table-bordered > thead > tr > th:last-child,\n.panel > .table-bordered > tbody > tr > th:last-child,\n.panel > .table-responsive > .table-bordered > tbody > tr > th:last-child,\n.panel > .table-bordered > tfoot > tr > th:last-child,\n.panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child,\n.panel > .table-bordered > thead > tr > td:last-child,\n.panel > .table-responsive > .table-bordered > thead > tr > td:last-child,\n.panel > .table-bordered > tbody > tr > td:last-child,\n.panel > .table-responsive > .table-bordered > tbody > tr > td:last-child,\n.panel > .table-bordered > tfoot > tr > td:last-child,\n.panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child {\n border-right: 0;\n}\n.panel > .table-bordered > thead > tr:first-child > td,\n.panel > .table-responsive > .table-bordered > thead > tr:first-child > td,\n.panel > .table-bordered > tbody > tr:first-child > td,\n.panel > .table-responsive > .table-bordered > tbody > tr:first-child > td,\n.panel > .table-bordered > thead > tr:first-child > th,\n.panel > .table-responsive > .table-bordered > thead > tr:first-child > th,\n.panel > .table-bordered > tbody > tr:first-child > th,\n.panel > .table-responsive > .table-bordered > tbody > tr:first-child > th {\n border-bottom: 0;\n}\n.panel > .table-bordered > tbody > tr:last-child > td,\n.panel > .table-responsive > .table-bordered > tbody > tr:last-child > td,\n.panel > .table-bordered > tfoot > tr:last-child > td,\n.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td,\n.panel > .table-bordered > tbody > tr:last-child > th,\n.panel > .table-responsive > .table-bordered > tbody > tr:last-child > th,\n.panel > .table-bordered 
> tfoot > tr:last-child > th,\n.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th {\n border-bottom: 0;\n}\n.panel > .table-responsive {\n margin-bottom: 0;\n border: 0;\n}\n.panel-group {\n margin-bottom: 20px;\n}\n.panel-group .panel {\n margin-bottom: 0;\n border-radius: 4px;\n}\n.panel-group .panel + .panel {\n margin-top: 5px;\n}\n.panel-group .panel-heading {\n border-bottom: 0;\n}\n.panel-group .panel-heading + .panel-collapse > .panel-body,\n.panel-group .panel-heading + .panel-collapse > .list-group {\n border-top: 1px solid #ddd;\n}\n.panel-group .panel-footer {\n border-top: 0;\n}\n.panel-group .panel-footer + .panel-collapse .panel-body {\n border-bottom: 1px solid #ddd;\n}\n.panel-default {\n border-color: #ddd;\n}\n.panel-default > .panel-heading {\n color: #333;\n background-color: #f5f5f5;\n border-color: #ddd;\n}\n.panel-default > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #ddd;\n}\n.panel-default > .panel-heading .badge {\n color: #f5f5f5;\n background-color: #333;\n}\n.panel-default > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #ddd;\n}\n.panel-primary {\n border-color: #337ab7;\n}\n.panel-primary > .panel-heading {\n color: #fff;\n background-color: #337ab7;\n border-color: #337ab7;\n}\n.panel-primary > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #337ab7;\n}\n.panel-primary > .panel-heading .badge {\n color: #337ab7;\n background-color: #fff;\n}\n.panel-primary > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #337ab7;\n}\n.panel-success {\n border-color: #d6e9c6;\n}\n.panel-success > .panel-heading {\n color: #3c763d;\n background-color: #dff0d8;\n border-color: #d6e9c6;\n}\n.panel-success > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #d6e9c6;\n}\n.panel-success > .panel-heading .badge {\n color: #dff0d8;\n background-color: #3c763d;\n}\n.panel-success > .panel-footer + .panel-collapse > 
.panel-body {\n border-bottom-color: #d6e9c6;\n}\n.panel-info {\n border-color: #bce8f1;\n}\n.panel-info > .panel-heading {\n color: #31708f;\n background-color: #d9edf7;\n border-color: #bce8f1;\n}\n.panel-info > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #bce8f1;\n}\n.panel-info > .panel-heading .badge {\n color: #d9edf7;\n background-color: #31708f;\n}\n.panel-info > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #bce8f1;\n}\n.panel-warning {\n border-color: #faebcc;\n}\n.panel-warning > .panel-heading {\n color: #8a6d3b;\n background-color: #fcf8e3;\n border-color: #faebcc;\n}\n.panel-warning > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #faebcc;\n}\n.panel-warning > .panel-heading .badge {\n color: #fcf8e3;\n background-color: #8a6d3b;\n}\n.panel-warning > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #faebcc;\n}\n.panel-danger {\n border-color: #ebccd1;\n}\n.panel-danger > .panel-heading {\n color: #a94442;\n background-color: #f2dede;\n border-color: #ebccd1;\n}\n.panel-danger > .panel-heading + .panel-collapse > .panel-body {\n border-top-color: #ebccd1;\n}\n.panel-danger > .panel-heading .badge {\n color: #f2dede;\n background-color: #a94442;\n}\n.panel-danger > .panel-footer + .panel-collapse > .panel-body {\n border-bottom-color: #ebccd1;\n}\n.embed-responsive {\n position: relative;\n display: block;\n height: 0;\n padding: 0;\n overflow: hidden;\n}\n.embed-responsive .embed-responsive-item,\n.embed-responsive iframe,\n.embed-responsive embed,\n.embed-responsive object,\n.embed-responsive video {\n position: absolute;\n top: 0;\n bottom: 0;\n left: 0;\n width: 100%;\n height: 100%;\n border: 0;\n}\n.embed-responsive-16by9 {\n padding-bottom: 56.25%;\n}\n.embed-responsive-4by3 {\n padding-bottom: 75%;\n}\n.well {\n min-height: 20px;\n padding: 19px;\n margin-bottom: 20px;\n background-color: #f5f5f5;\n border: 1px solid #e3e3e3;\n border-radius: 4px;\n 
-webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, .05);\n box-shadow: inset 0 1px 1px rgba(0, 0, 0, .05);\n}\n.well blockquote {\n border-color: #ddd;\n border-color: rgba(0, 0, 0, .15);\n}\n.well-lg {\n padding: 24px;\n border-radius: 6px;\n}\n.well-sm {\n padding: 9px;\n border-radius: 3px;\n}\n.close {\n float: right;\n font-size: 21px;\n font-weight: bold;\n line-height: 1;\n color: #000;\n text-shadow: 0 1px 0 #fff;\n filter: alpha(opacity=20);\n opacity: .2;\n}\n.close:hover,\n.close:focus {\n color: #000;\n text-decoration: none;\n cursor: pointer;\n filter: alpha(opacity=50);\n opacity: .5;\n}\nbutton.close {\n -webkit-appearance: none;\n padding: 0;\n cursor: pointer;\n background: transparent;\n border: 0;\n}\n.modal-open {\n overflow: hidden;\n}\n.modal {\n position: fixed;\n top: 0;\n right: 0;\n bottom: 0;\n left: 0;\n z-index: 1050;\n display: none;\n overflow: hidden;\n -webkit-overflow-scrolling: touch;\n outline: 0;\n}\n.modal.fade .modal-dialog {\n -webkit-transition: -webkit-transform .3s ease-out;\n -o-transition: -o-transform .3s ease-out;\n transition: transform .3s ease-out;\n -webkit-transform: translate(0, -25%);\n -ms-transform: translate(0, -25%);\n -o-transform: translate(0, -25%);\n transform: translate(0, -25%);\n}\n.modal.in .modal-dialog {\n -webkit-transform: translate(0, 0);\n -ms-transform: translate(0, 0);\n -o-transform: translate(0, 0);\n transform: translate(0, 0);\n}\n.modal-open .modal {\n overflow-x: hidden;\n overflow-y: auto;\n}\n.modal-dialog {\n position: relative;\n width: auto;\n margin: 10px;\n}\n.modal-content {\n position: relative;\n background-color: #fff;\n -webkit-background-clip: padding-box;\n background-clip: padding-box;\n border: 1px solid #999;\n border: 1px solid rgba(0, 0, 0, .2);\n border-radius: 6px;\n outline: 0;\n -webkit-box-shadow: 0 3px 9px rgba(0, 0, 0, .5);\n box-shadow: 0 3px 9px rgba(0, 0, 0, .5);\n}\n.modal-backdrop {\n position: fixed;\n top: 0;\n right: 0;\n bottom: 0;\n left: 0;\n 
z-index: 1040;\n background-color: #000;\n}\n.modal-backdrop.fade {\n filter: alpha(opacity=0);\n opacity: 0;\n}\n.modal-backdrop.in {\n filter: alpha(opacity=50);\n opacity: .5;\n}\n.modal-header {\n padding: 15px;\n border-bottom: 1px solid #e5e5e5;\n}\n.modal-header .close {\n margin-top: -2px;\n}\n.modal-title {\n margin: 0;\n line-height: 1.42857143;\n}\n.modal-body {\n position: relative;\n padding: 15px;\n}\n.modal-footer {\n padding: 15px;\n text-align: right;\n border-top: 1px solid #e5e5e5;\n}\n.modal-footer .btn + .btn {\n margin-bottom: 0;\n margin-left: 5px;\n}\n.modal-footer .btn-group .btn + .btn {\n margin-left: -1px;\n}\n.modal-footer .btn-block + .btn-block {\n margin-left: 0;\n}\n.modal-scrollbar-measure {\n position: absolute;\n top: -9999px;\n width: 50px;\n height: 50px;\n overflow: scroll;\n}\n@media (min-width: 768px) {\n .modal-dialog {\n width: 600px;\n margin: 30px auto;\n }\n .modal-content {\n -webkit-box-shadow: 0 5px 15px rgba(0, 0, 0, .5);\n box-shadow: 0 5px 15px rgba(0, 0, 0, .5);\n }\n .modal-sm {\n width: 300px;\n }\n}\n@media (min-width: 992px) {\n .modal-lg {\n width: 900px;\n }\n}\n.tooltip {\n position: absolute;\n z-index: 1070;\n display: block;\n font-family: \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n font-size: 12px;\n font-style: normal;\n font-weight: normal;\n line-height: 1.42857143;\n text-align: left;\n text-align: start;\n text-decoration: none;\n text-shadow: none;\n text-transform: none;\n letter-spacing: normal;\n word-break: normal;\n word-spacing: normal;\n word-wrap: normal;\n white-space: normal;\n filter: alpha(opacity=0);\n opacity: 0;\n\n line-break: auto;\n}\n.tooltip.in {\n filter: alpha(opacity=90);\n opacity: .9;\n}\n.tooltip.top {\n padding: 5px 0;\n margin-top: -3px;\n}\n.tooltip.right {\n padding: 0 5px;\n margin-left: 3px;\n}\n.tooltip.bottom {\n padding: 5px 0;\n margin-top: 3px;\n}\n.tooltip.left {\n padding: 0 5px;\n margin-left: -3px;\n}\n.tooltip-inner {\n max-width: 200px;\n 
padding: 3px 8px;\n color: #fff;\n text-align: center;\n background-color: #000;\n border-radius: 4px;\n}\n.tooltip-arrow {\n position: absolute;\n width: 0;\n height: 0;\n border-color: transparent;\n border-style: solid;\n}\n.tooltip.top .tooltip-arrow {\n bottom: 0;\n left: 50%;\n margin-left: -5px;\n border-width: 5px 5px 0;\n border-top-color: #000;\n}\n.tooltip.top-left .tooltip-arrow {\n right: 5px;\n bottom: 0;\n margin-bottom: -5px;\n border-width: 5px 5px 0;\n border-top-color: #000;\n}\n.tooltip.top-right .tooltip-arrow {\n bottom: 0;\n left: 5px;\n margin-bottom: -5px;\n border-width: 5px 5px 0;\n border-top-color: #000;\n}\n.tooltip.right .tooltip-arrow {\n top: 50%;\n left: 0;\n margin-top: -5px;\n border-width: 5px 5px 5px 0;\n border-right-color: #000;\n}\n.tooltip.left .tooltip-arrow {\n top: 50%;\n right: 0;\n margin-top: -5px;\n border-width: 5px 0 5px 5px;\n border-left-color: #000;\n}\n.tooltip.bottom .tooltip-arrow {\n top: 0;\n left: 50%;\n margin-left: -5px;\n border-width: 0 5px 5px;\n border-bottom-color: #000;\n}\n.tooltip.bottom-left .tooltip-arrow {\n top: 0;\n right: 5px;\n margin-top: -5px;\n border-width: 0 5px 5px;\n border-bottom-color: #000;\n}\n.tooltip.bottom-right .tooltip-arrow {\n top: 0;\n left: 5px;\n margin-top: -5px;\n border-width: 0 5px 5px;\n border-bottom-color: #000;\n}\n.popover {\n position: absolute;\n top: 0;\n left: 0;\n z-index: 1060;\n display: none;\n max-width: 276px;\n padding: 1px;\n font-family: \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n font-size: 14px;\n font-style: normal;\n font-weight: normal;\n line-height: 1.42857143;\n text-align: left;\n text-align: start;\n text-decoration: none;\n text-shadow: none;\n text-transform: none;\n letter-spacing: normal;\n word-break: normal;\n word-spacing: normal;\n word-wrap: normal;\n white-space: normal;\n background-color: #fff;\n -webkit-background-clip: padding-box;\n background-clip: padding-box;\n border: 1px solid #ccc;\n border: 1px solid rgba(0, 
0, 0, .2);\n border-radius: 6px;\n -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, .2);\n box-shadow: 0 5px 10px rgba(0, 0, 0, .2);\n\n line-break: auto;\n}\n.popover.top {\n margin-top: -10px;\n}\n.popover.right {\n margin-left: 10px;\n}\n.popover.bottom {\n margin-top: 10px;\n}\n.popover.left {\n margin-left: -10px;\n}\n.popover-title {\n padding: 8px 14px;\n margin: 0;\n font-size: 14px;\n background-color: #f7f7f7;\n border-bottom: 1px solid #ebebeb;\n border-radius: 5px 5px 0 0;\n}\n.popover-content {\n padding: 9px 14px;\n}\n.popover > .arrow,\n.popover > .arrow:after {\n position: absolute;\n display: block;\n width: 0;\n height: 0;\n border-color: transparent;\n border-style: solid;\n}\n.popover > .arrow {\n border-width: 11px;\n}\n.popover > .arrow:after {\n content: \"\";\n border-width: 10px;\n}\n.popover.top > .arrow {\n bottom: -11px;\n left: 50%;\n margin-left: -11px;\n border-top-color: #999;\n border-top-color: rgba(0, 0, 0, .25);\n border-bottom-width: 0;\n}\n.popover.top > .arrow:after {\n bottom: 1px;\n margin-left: -10px;\n content: \" \";\n border-top-color: #fff;\n border-bottom-width: 0;\n}\n.popover.right > .arrow {\n top: 50%;\n left: -11px;\n margin-top: -11px;\n border-right-color: #999;\n border-right-color: rgba(0, 0, 0, .25);\n border-left-width: 0;\n}\n.popover.right > .arrow:after {\n bottom: -10px;\n left: 1px;\n content: \" \";\n border-right-color: #fff;\n border-left-width: 0;\n}\n.popover.bottom > .arrow {\n top: -11px;\n left: 50%;\n margin-left: -11px;\n border-top-width: 0;\n border-bottom-color: #999;\n border-bottom-color: rgba(0, 0, 0, .25);\n}\n.popover.bottom > .arrow:after {\n top: 1px;\n margin-left: -10px;\n content: \" \";\n border-top-width: 0;\n border-bottom-color: #fff;\n}\n.popover.left > .arrow {\n top: 50%;\n right: -11px;\n margin-top: -11px;\n border-right-width: 0;\n border-left-color: #999;\n border-left-color: rgba(0, 0, 0, .25);\n}\n.popover.left > .arrow:after {\n right: 1px;\n bottom: -10px;\n content: \" 
\";\n border-right-width: 0;\n border-left-color: #fff;\n}\n.carousel {\n position: relative;\n}\n.carousel-inner {\n position: relative;\n width: 100%;\n overflow: hidden;\n}\n.carousel-inner > .item {\n position: relative;\n display: none;\n -webkit-transition: .6s ease-in-out left;\n -o-transition: .6s ease-in-out left;\n transition: .6s ease-in-out left;\n}\n.carousel-inner > .item > img,\n.carousel-inner > .item > a > img {\n line-height: 1;\n}\n@media all and (transform-3d), (-webkit-transform-3d) {\n .carousel-inner > .item {\n -webkit-transition: -webkit-transform .6s ease-in-out;\n -o-transition: -o-transform .6s ease-in-out;\n transition: transform .6s ease-in-out;\n\n -webkit-backface-visibility: hidden;\n backface-visibility: hidden;\n -webkit-perspective: 1000px;\n perspective: 1000px;\n }\n .carousel-inner > .item.next,\n .carousel-inner > .item.active.right {\n left: 0;\n -webkit-transform: translate3d(100%, 0, 0);\n transform: translate3d(100%, 0, 0);\n }\n .carousel-inner > .item.prev,\n .carousel-inner > .item.active.left {\n left: 0;\n -webkit-transform: translate3d(-100%, 0, 0);\n transform: translate3d(-100%, 0, 0);\n }\n .carousel-inner > .item.next.left,\n .carousel-inner > .item.prev.right,\n .carousel-inner > .item.active {\n left: 0;\n -webkit-transform: translate3d(0, 0, 0);\n transform: translate3d(0, 0, 0);\n }\n}\n.carousel-inner > .active,\n.carousel-inner > .next,\n.carousel-inner > .prev {\n display: block;\n}\n.carousel-inner > .active {\n left: 0;\n}\n.carousel-inner > .next,\n.carousel-inner > .prev {\n position: absolute;\n top: 0;\n width: 100%;\n}\n.carousel-inner > .next {\n left: 100%;\n}\n.carousel-inner > .prev {\n left: -100%;\n}\n.carousel-inner > .next.left,\n.carousel-inner > .prev.right {\n left: 0;\n}\n.carousel-inner > .active.left {\n left: -100%;\n}\n.carousel-inner > .active.right {\n left: 100%;\n}\n.carousel-control {\n position: absolute;\n top: 0;\n bottom: 0;\n left: 0;\n width: 15%;\n font-size: 20px;\n 
color: #fff;\n text-align: center;\n text-shadow: 0 1px 2px rgba(0, 0, 0, .6);\n background-color: rgba(0, 0, 0, 0);\n filter: alpha(opacity=50);\n opacity: .5;\n}\n.carousel-control.left {\n background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, .5) 0%, rgba(0, 0, 0, .0001) 100%);\n background-image: -o-linear-gradient(left, rgba(0, 0, 0, .5) 0%, rgba(0, 0, 0, .0001) 100%);\n background-image: -webkit-gradient(linear, left top, right top, from(rgba(0, 0, 0, .5)), to(rgba(0, 0, 0, .0001)));\n background-image: linear-gradient(to right, rgba(0, 0, 0, .5) 0%, rgba(0, 0, 0, .0001) 100%);\n filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);\n background-repeat: repeat-x;\n}\n.carousel-control.right {\n right: 0;\n left: auto;\n background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, .0001) 0%, rgba(0, 0, 0, .5) 100%);\n background-image: -o-linear-gradient(left, rgba(0, 0, 0, .0001) 0%, rgba(0, 0, 0, .5) 100%);\n background-image: -webkit-gradient(linear, left top, right top, from(rgba(0, 0, 0, .0001)), to(rgba(0, 0, 0, .5)));\n background-image: linear-gradient(to right, rgba(0, 0, 0, .0001) 0%, rgba(0, 0, 0, .5) 100%);\n filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);\n background-repeat: repeat-x;\n}\n.carousel-control:hover,\n.carousel-control:focus {\n color: #fff;\n text-decoration: none;\n filter: alpha(opacity=90);\n outline: 0;\n opacity: .9;\n}\n.carousel-control .icon-prev,\n.carousel-control .icon-next,\n.carousel-control .glyphicon-chevron-left,\n.carousel-control .glyphicon-chevron-right {\n position: absolute;\n top: 50%;\n z-index: 5;\n display: inline-block;\n margin-top: -10px;\n}\n.carousel-control .icon-prev,\n.carousel-control .glyphicon-chevron-left {\n left: 50%;\n margin-left: -10px;\n}\n.carousel-control .icon-next,\n.carousel-control .glyphicon-chevron-right {\n right: 50%;\n margin-right: 
-10px;\n}\n.carousel-control .icon-prev,\n.carousel-control .icon-next {\n width: 20px;\n height: 20px;\n font-family: serif;\n line-height: 1;\n}\n.carousel-control .icon-prev:before {\n content: '\\2039';\n}\n.carousel-control .icon-next:before {\n content: '\\203a';\n}\n.carousel-indicators {\n position: absolute;\n bottom: 10px;\n left: 50%;\n z-index: 15;\n width: 60%;\n padding-left: 0;\n margin-left: -30%;\n text-align: center;\n list-style: none;\n}\n.carousel-indicators li {\n display: inline-block;\n width: 10px;\n height: 10px;\n margin: 1px;\n text-indent: -999px;\n cursor: pointer;\n background-color: #000 \\9;\n background-color: rgba(0, 0, 0, 0);\n border: 1px solid #fff;\n border-radius: 10px;\n}\n.carousel-indicators .active {\n width: 12px;\n height: 12px;\n margin: 0;\n background-color: #fff;\n}\n.carousel-caption {\n position: absolute;\n right: 15%;\n bottom: 20px;\n left: 15%;\n z-index: 10;\n padding-top: 20px;\n padding-bottom: 20px;\n color: #fff;\n text-align: center;\n text-shadow: 0 1px 2px rgba(0, 0, 0, .6);\n}\n.carousel-caption .btn {\n text-shadow: none;\n}\n@media screen and (min-width: 768px) {\n .carousel-control .glyphicon-chevron-left,\n .carousel-control .glyphicon-chevron-right,\n .carousel-control .icon-prev,\n .carousel-control .icon-next {\n width: 30px;\n height: 30px;\n margin-top: -10px;\n font-size: 30px;\n }\n .carousel-control .glyphicon-chevron-left,\n .carousel-control .icon-prev {\n margin-left: -10px;\n }\n .carousel-control .glyphicon-chevron-right,\n .carousel-control .icon-next {\n margin-right: -10px;\n }\n .carousel-caption {\n right: 20%;\n left: 20%;\n padding-bottom: 30px;\n }\n .carousel-indicators {\n bottom: 20px;\n }\n}\n.clearfix:before,\n.clearfix:after,\n.dl-horizontal dd:before,\n.dl-horizontal dd:after,\n.container:before,\n.container:after,\n.container-fluid:before,\n.container-fluid:after,\n.row:before,\n.row:after,\n.form-horizontal .form-group:before,\n.form-horizontal 
.form-group:after,\n.btn-toolbar:before,\n.btn-toolbar:after,\n.btn-group-vertical > .btn-group:before,\n.btn-group-vertical > .btn-group:after,\n.nav:before,\n.nav:after,\n.navbar:before,\n.navbar:after,\n.navbar-header:before,\n.navbar-header:after,\n.navbar-collapse:before,\n.navbar-collapse:after,\n.pager:before,\n.pager:after,\n.panel-body:before,\n.panel-body:after,\n.modal-header:before,\n.modal-header:after,\n.modal-footer:before,\n.modal-footer:after {\n display: table;\n content: \" \";\n}\n.clearfix:after,\n.dl-horizontal dd:after,\n.container:after,\n.container-fluid:after,\n.row:after,\n.form-horizontal .form-group:after,\n.btn-toolbar:after,\n.btn-group-vertical > .btn-group:after,\n.nav:after,\n.navbar:after,\n.navbar-header:after,\n.navbar-collapse:after,\n.pager:after,\n.panel-body:after,\n.modal-header:after,\n.modal-footer:after {\n clear: both;\n}\n.center-block {\n display: block;\n margin-right: auto;\n margin-left: auto;\n}\n.pull-right {\n float: right !important;\n}\n.pull-left {\n float: left !important;\n}\n.hide {\n display: none !important;\n}\n.show {\n display: block !important;\n}\n.invisible {\n visibility: hidden;\n}\n.text-hide {\n font: 0/0 a;\n color: transparent;\n text-shadow: none;\n background-color: transparent;\n border: 0;\n}\n.hidden {\n display: none !important;\n}\n.affix {\n position: fixed;\n}\n@-ms-viewport {\n width: device-width;\n}\n.visible-xs,\n.visible-sm,\n.visible-md,\n.visible-lg {\n display: none !important;\n}\n.visible-xs-block,\n.visible-xs-inline,\n.visible-xs-inline-block,\n.visible-sm-block,\n.visible-sm-inline,\n.visible-sm-inline-block,\n.visible-md-block,\n.visible-md-inline,\n.visible-md-inline-block,\n.visible-lg-block,\n.visible-lg-inline,\n.visible-lg-inline-block {\n display: none !important;\n}\n@media (max-width: 767px) {\n .visible-xs {\n display: block !important;\n }\n table.visible-xs {\n display: table !important;\n }\n tr.visible-xs {\n display: table-row !important;\n }\n 
th.visible-xs,\n td.visible-xs {\n display: table-cell !important;\n }\n}\n@media (max-width: 767px) {\n .visible-xs-block {\n display: block !important;\n }\n}\n@media (max-width: 767px) {\n .visible-xs-inline {\n display: inline !important;\n }\n}\n@media (max-width: 767px) {\n .visible-xs-inline-block {\n display: inline-block !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .visible-sm {\n display: block !important;\n }\n table.visible-sm {\n display: table !important;\n }\n tr.visible-sm {\n display: table-row !important;\n }\n th.visible-sm,\n td.visible-sm {\n display: table-cell !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .visible-sm-block {\n display: block !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .visible-sm-inline {\n display: inline !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .visible-sm-inline-block {\n display: inline-block !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .visible-md {\n display: block !important;\n }\n table.visible-md {\n display: table !important;\n }\n tr.visible-md {\n display: table-row !important;\n }\n th.visible-md,\n td.visible-md {\n display: table-cell !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .visible-md-block {\n display: block !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .visible-md-inline {\n display: inline !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .visible-md-inline-block {\n display: inline-block !important;\n }\n}\n@media (min-width: 1200px) {\n .visible-lg {\n display: block !important;\n }\n table.visible-lg {\n display: table !important;\n }\n tr.visible-lg {\n display: table-row !important;\n }\n th.visible-lg,\n td.visible-lg {\n display: table-cell !important;\n }\n}\n@media (min-width: 1200px) {\n .visible-lg-block {\n display: block !important;\n }\n}\n@media (min-width: 1200px) 
{\n .visible-lg-inline {\n display: inline !important;\n }\n}\n@media (min-width: 1200px) {\n .visible-lg-inline-block {\n display: inline-block !important;\n }\n}\n@media (max-width: 767px) {\n .hidden-xs {\n display: none !important;\n }\n}\n@media (min-width: 768px) and (max-width: 991px) {\n .hidden-sm {\n display: none !important;\n }\n}\n@media (min-width: 992px) and (max-width: 1199px) {\n .hidden-md {\n display: none !important;\n }\n}\n@media (min-width: 1200px) {\n .hidden-lg {\n display: none !important;\n }\n}\n.visible-print {\n display: none !important;\n}\n@media print {\n .visible-print {\n display: block !important;\n }\n table.visible-print {\n display: table !important;\n }\n tr.visible-print {\n display: table-row !important;\n }\n th.visible-print,\n td.visible-print {\n display: table-cell !important;\n }\n}\n.visible-print-block {\n display: none !important;\n}\n@media print {\n .visible-print-block {\n display: block !important;\n }\n}\n.visible-print-inline {\n display: none !important;\n}\n@media print {\n .visible-print-inline {\n display: inline !important;\n }\n}\n.visible-print-inline-block {\n display: none !important;\n}\n@media print {\n .visible-print-inline-block {\n display: inline-block !important;\n }\n}\n@media print {\n .hidden-print {\n display: none !important;\n }\n}\n/*# sourceMappingURL=bootstrap.css.map */\n","//\n// Glyphicons for Bootstrap\n//\n// Since icons are fonts, they can be placed anywhere text is placed and are\n// thus automatically sized to match the surrounding child. 
To use, create an\n// inline element with the appropriate classes, like so:\n//\n// Star\n\n// Import the fonts\n@font-face {\n font-family: 'Glyphicons Halflings';\n src: url('@{icon-font-path}@{icon-font-name}.eot');\n src: url('@{icon-font-path}@{icon-font-name}.eot?#iefix') format('embedded-opentype'),\n url('@{icon-font-path}@{icon-font-name}.woff2') format('woff2'),\n url('@{icon-font-path}@{icon-font-name}.woff') format('woff'),\n url('@{icon-font-path}@{icon-font-name}.ttf') format('truetype'),\n url('@{icon-font-path}@{icon-font-name}.svg#@{icon-font-svg-id}') format('svg');\n}\n\n// Catchall baseclass\n.glyphicon {\n position: relative;\n top: 1px;\n display: inline-block;\n font-family: 'Glyphicons Halflings';\n font-style: normal;\n font-weight: normal;\n line-height: 1;\n -webkit-font-smoothing: antialiased;\n -moz-osx-font-smoothing: grayscale;\n}\n\n// Individual icons\n.glyphicon-asterisk { &:before { content: \"\\002a\"; } }\n.glyphicon-plus { &:before { content: \"\\002b\"; } }\n.glyphicon-euro,\n.glyphicon-eur { &:before { content: \"\\20ac\"; } }\n.glyphicon-minus { &:before { content: \"\\2212\"; } }\n.glyphicon-cloud { &:before { content: \"\\2601\"; } }\n.glyphicon-envelope { &:before { content: \"\\2709\"; } }\n.glyphicon-pencil { &:before { content: \"\\270f\"; } }\n.glyphicon-glass { &:before { content: \"\\e001\"; } }\n.glyphicon-music { &:before { content: \"\\e002\"; } }\n.glyphicon-search { &:before { content: \"\\e003\"; } }\n.glyphicon-heart { &:before { content: \"\\e005\"; } }\n.glyphicon-star { &:before { content: \"\\e006\"; } }\n.glyphicon-star-empty { &:before { content: \"\\e007\"; } }\n.glyphicon-user { &:before { content: \"\\e008\"; } }\n.glyphicon-film { &:before { content: \"\\e009\"; } }\n.glyphicon-th-large { &:before { content: \"\\e010\"; } }\n.glyphicon-th { &:before { content: \"\\e011\"; } }\n.glyphicon-th-list { &:before { content: \"\\e012\"; } }\n.glyphicon-ok { &:before { content: \"\\e013\"; } 
}\n.glyphicon-remove { &:before { content: \"\\e014\"; } }\n.glyphicon-zoom-in { &:before { content: \"\\e015\"; } }\n.glyphicon-zoom-out { &:before { content: \"\\e016\"; } }\n.glyphicon-off { &:before { content: \"\\e017\"; } }\n.glyphicon-signal { &:before { content: \"\\e018\"; } }\n.glyphicon-cog { &:before { content: \"\\e019\"; } }\n.glyphicon-trash { &:before { content: \"\\e020\"; } }\n.glyphicon-home { &:before { content: \"\\e021\"; } }\n.glyphicon-file { &:before { content: \"\\e022\"; } }\n.glyphicon-time { &:before { content: \"\\e023\"; } }\n.glyphicon-road { &:before { content: \"\\e024\"; } }\n.glyphicon-download-alt { &:before { content: \"\\e025\"; } }\n.glyphicon-download { &:before { content: \"\\e026\"; } }\n.glyphicon-upload { &:before { content: \"\\e027\"; } }\n.glyphicon-inbox { &:before { content: \"\\e028\"; } }\n.glyphicon-play-circle { &:before { content: \"\\e029\"; } }\n.glyphicon-repeat { &:before { content: \"\\e030\"; } }\n.glyphicon-refresh { &:before { content: \"\\e031\"; } }\n.glyphicon-list-alt { &:before { content: \"\\e032\"; } }\n.glyphicon-lock { &:before { content: \"\\e033\"; } }\n.glyphicon-flag { &:before { content: \"\\e034\"; } }\n.glyphicon-headphones { &:before { content: \"\\e035\"; } }\n.glyphicon-volume-off { &:before { content: \"\\e036\"; } }\n.glyphicon-volume-down { &:before { content: \"\\e037\"; } }\n.glyphicon-volume-up { &:before { content: \"\\e038\"; } }\n.glyphicon-qrcode { &:before { content: \"\\e039\"; } }\n.glyphicon-barcode { &:before { content: \"\\e040\"; } }\n.glyphicon-tag { &:before { content: \"\\e041\"; } }\n.glyphicon-tags { &:before { content: \"\\e042\"; } }\n.glyphicon-book { &:before { content: \"\\e043\"; } }\n.glyphicon-bookmark { &:before { content: \"\\e044\"; } }\n.glyphicon-print { &:before { content: \"\\e045\"; } }\n.glyphicon-camera { &:before { content: \"\\e046\"; } }\n.glyphicon-font { &:before { content: \"\\e047\"; } }\n.glyphicon-bold { &:before { content: \"\\e048\"; 
} }\n.glyphicon-italic { &:before { content: \"\\e049\"; } }\n.glyphicon-text-height { &:before { content: \"\\e050\"; } }\n.glyphicon-text-width { &:before { content: \"\\e051\"; } }\n.glyphicon-align-left { &:before { content: \"\\e052\"; } }\n.glyphicon-align-center { &:before { content: \"\\e053\"; } }\n.glyphicon-align-right { &:before { content: \"\\e054\"; } }\n.glyphicon-align-justify { &:before { content: \"\\e055\"; } }\n.glyphicon-list { &:before { content: \"\\e056\"; } }\n.glyphicon-indent-left { &:before { content: \"\\e057\"; } }\n.glyphicon-indent-right { &:before { content: \"\\e058\"; } }\n.glyphicon-facetime-video { &:before { content: \"\\e059\"; } }\n.glyphicon-picture { &:before { content: \"\\e060\"; } }\n.glyphicon-map-marker { &:before { content: \"\\e062\"; } }\n.glyphicon-adjust { &:before { content: \"\\e063\"; } }\n.glyphicon-tint { &:before { content: \"\\e064\"; } }\n.glyphicon-edit { &:before { content: \"\\e065\"; } }\n.glyphicon-share { &:before { content: \"\\e066\"; } }\n.glyphicon-check { &:before { content: \"\\e067\"; } }\n.glyphicon-move { &:before { content: \"\\e068\"; } }\n.glyphicon-step-backward { &:before { content: \"\\e069\"; } }\n.glyphicon-fast-backward { &:before { content: \"\\e070\"; } }\n.glyphicon-backward { &:before { content: \"\\e071\"; } }\n.glyphicon-play { &:before { content: \"\\e072\"; } }\n.glyphicon-pause { &:before { content: \"\\e073\"; } }\n.glyphicon-stop { &:before { content: \"\\e074\"; } }\n.glyphicon-forward { &:before { content: \"\\e075\"; } }\n.glyphicon-fast-forward { &:before { content: \"\\e076\"; } }\n.glyphicon-step-forward { &:before { content: \"\\e077\"; } }\n.glyphicon-eject { &:before { content: \"\\e078\"; } }\n.glyphicon-chevron-left { &:before { content: \"\\e079\"; } }\n.glyphicon-chevron-right { &:before { content: \"\\e080\"; } }\n.glyphicon-plus-sign { &:before { content: \"\\e081\"; } }\n.glyphicon-minus-sign { &:before { content: \"\\e082\"; } }\n.glyphicon-remove-sign { 
&:before { content: \"\\e083\"; } }\n.glyphicon-ok-sign { &:before { content: \"\\e084\"; } }\n.glyphicon-question-sign { &:before { content: \"\\e085\"; } }\n.glyphicon-info-sign { &:before { content: \"\\e086\"; } }\n.glyphicon-screenshot { &:before { content: \"\\e087\"; } }\n.glyphicon-remove-circle { &:before { content: \"\\e088\"; } }\n.glyphicon-ok-circle { &:before { content: \"\\e089\"; } }\n.glyphicon-ban-circle { &:before { content: \"\\e090\"; } }\n.glyphicon-arrow-left { &:before { content: \"\\e091\"; } }\n.glyphicon-arrow-right { &:before { content: \"\\e092\"; } }\n.glyphicon-arrow-up { &:before { content: \"\\e093\"; } }\n.glyphicon-arrow-down { &:before { content: \"\\e094\"; } }\n.glyphicon-share-alt { &:before { content: \"\\e095\"; } }\n.glyphicon-resize-full { &:before { content: \"\\e096\"; } }\n.glyphicon-resize-small { &:before { content: \"\\e097\"; } }\n.glyphicon-exclamation-sign { &:before { content: \"\\e101\"; } }\n.glyphicon-gift { &:before { content: \"\\e102\"; } }\n.glyphicon-leaf { &:before { content: \"\\e103\"; } }\n.glyphicon-fire { &:before { content: \"\\e104\"; } }\n.glyphicon-eye-open { &:before { content: \"\\e105\"; } }\n.glyphicon-eye-close { &:before { content: \"\\e106\"; } }\n.glyphicon-warning-sign { &:before { content: \"\\e107\"; } }\n.glyphicon-plane { &:before { content: \"\\e108\"; } }\n.glyphicon-calendar { &:before { content: \"\\e109\"; } }\n.glyphicon-random { &:before { content: \"\\e110\"; } }\n.glyphicon-comment { &:before { content: \"\\e111\"; } }\n.glyphicon-magnet { &:before { content: \"\\e112\"; } }\n.glyphicon-chevron-up { &:before { content: \"\\e113\"; } }\n.glyphicon-chevron-down { &:before { content: \"\\e114\"; } }\n.glyphicon-retweet { &:before { content: \"\\e115\"; } }\n.glyphicon-shopping-cart { &:before { content: \"\\e116\"; } }\n.glyphicon-folder-close { &:before { content: \"\\e117\"; } }\n.glyphicon-folder-open { &:before { content: \"\\e118\"; } }\n.glyphicon-resize-vertical { 
&:before { content: \"\\e119\"; } }\n.glyphicon-resize-horizontal { &:before { content: \"\\e120\"; } }\n.glyphicon-hdd { &:before { content: \"\\e121\"; } }\n.glyphicon-bullhorn { &:before { content: \"\\e122\"; } }\n.glyphicon-bell { &:before { content: \"\\e123\"; } }\n.glyphicon-certificate { &:before { content: \"\\e124\"; } }\n.glyphicon-thumbs-up { &:before { content: \"\\e125\"; } }\n.glyphicon-thumbs-down { &:before { content: \"\\e126\"; } }\n.glyphicon-hand-right { &:before { content: \"\\e127\"; } }\n.glyphicon-hand-left { &:before { content: \"\\e128\"; } }\n.glyphicon-hand-up { &:before { content: \"\\e129\"; } }\n.glyphicon-hand-down { &:before { content: \"\\e130\"; } }\n.glyphicon-circle-arrow-right { &:before { content: \"\\e131\"; } }\n.glyphicon-circle-arrow-left { &:before { content: \"\\e132\"; } }\n.glyphicon-circle-arrow-up { &:before { content: \"\\e133\"; } }\n.glyphicon-circle-arrow-down { &:before { content: \"\\e134\"; } }\n.glyphicon-globe { &:before { content: \"\\e135\"; } }\n.glyphicon-wrench { &:before { content: \"\\e136\"; } }\n.glyphicon-tasks { &:before { content: \"\\e137\"; } }\n.glyphicon-filter { &:before { content: \"\\e138\"; } }\n.glyphicon-briefcase { &:before { content: \"\\e139\"; } }\n.glyphicon-fullscreen { &:before { content: \"\\e140\"; } }\n.glyphicon-dashboard { &:before { content: \"\\e141\"; } }\n.glyphicon-paperclip { &:before { content: \"\\e142\"; } }\n.glyphicon-heart-empty { &:before { content: \"\\e143\"; } }\n.glyphicon-link { &:before { content: \"\\e144\"; } }\n.glyphicon-phone { &:before { content: \"\\e145\"; } }\n.glyphicon-pushpin { &:before { content: \"\\e146\"; } }\n.glyphicon-usd { &:before { content: \"\\e148\"; } }\n.glyphicon-gbp { &:before { content: \"\\e149\"; } }\n.glyphicon-sort { &:before { content: \"\\e150\"; } }\n.glyphicon-sort-by-alphabet { &:before { content: \"\\e151\"; } }\n.glyphicon-sort-by-alphabet-alt { &:before { content: \"\\e152\"; } }\n.glyphicon-sort-by-order { 
&:before { content: \"\\e153\"; } }\n.glyphicon-sort-by-order-alt { &:before { content: \"\\e154\"; } }\n.glyphicon-sort-by-attributes { &:before { content: \"\\e155\"; } }\n.glyphicon-sort-by-attributes-alt { &:before { content: \"\\e156\"; } }\n.glyphicon-unchecked { &:before { content: \"\\e157\"; } }\n.glyphicon-expand { &:before { content: \"\\e158\"; } }\n.glyphicon-collapse-down { &:before { content: \"\\e159\"; } }\n.glyphicon-collapse-up { &:before { content: \"\\e160\"; } }\n.glyphicon-log-in { &:before { content: \"\\e161\"; } }\n.glyphicon-flash { &:before { content: \"\\e162\"; } }\n.glyphicon-log-out { &:before { content: \"\\e163\"; } }\n.glyphicon-new-window { &:before { content: \"\\e164\"; } }\n.glyphicon-record { &:before { content: \"\\e165\"; } }\n.glyphicon-save { &:before { content: \"\\e166\"; } }\n.glyphicon-open { &:before { content: \"\\e167\"; } }\n.glyphicon-saved { &:before { content: \"\\e168\"; } }\n.glyphicon-import { &:before { content: \"\\e169\"; } }\n.glyphicon-export { &:before { content: \"\\e170\"; } }\n.glyphicon-send { &:before { content: \"\\e171\"; } }\n.glyphicon-floppy-disk { &:before { content: \"\\e172\"; } }\n.glyphicon-floppy-saved { &:before { content: \"\\e173\"; } }\n.glyphicon-floppy-remove { &:before { content: \"\\e174\"; } }\n.glyphicon-floppy-save { &:before { content: \"\\e175\"; } }\n.glyphicon-floppy-open { &:before { content: \"\\e176\"; } }\n.glyphicon-credit-card { &:before { content: \"\\e177\"; } }\n.glyphicon-transfer { &:before { content: \"\\e178\"; } }\n.glyphicon-cutlery { &:before { content: \"\\e179\"; } }\n.glyphicon-header { &:before { content: \"\\e180\"; } }\n.glyphicon-compressed { &:before { content: \"\\e181\"; } }\n.glyphicon-earphone { &:before { content: \"\\e182\"; } }\n.glyphicon-phone-alt { &:before { content: \"\\e183\"; } }\n.glyphicon-tower { &:before { content: \"\\e184\"; } }\n.glyphicon-stats { &:before { content: \"\\e185\"; } }\n.glyphicon-sd-video { &:before { content: 
\"\\e186\"; } }\n.glyphicon-hd-video { &:before { content: \"\\e187\"; } }\n.glyphicon-subtitles { &:before { content: \"\\e188\"; } }\n.glyphicon-sound-stereo { &:before { content: \"\\e189\"; } }\n.glyphicon-sound-dolby { &:before { content: \"\\e190\"; } }\n.glyphicon-sound-5-1 { &:before { content: \"\\e191\"; } }\n.glyphicon-sound-6-1 { &:before { content: \"\\e192\"; } }\n.glyphicon-sound-7-1 { &:before { content: \"\\e193\"; } }\n.glyphicon-copyright-mark { &:before { content: \"\\e194\"; } }\n.glyphicon-registration-mark { &:before { content: \"\\e195\"; } }\n.glyphicon-cloud-download { &:before { content: \"\\e197\"; } }\n.glyphicon-cloud-upload { &:before { content: \"\\e198\"; } }\n.glyphicon-tree-conifer { &:before { content: \"\\e199\"; } }\n.glyphicon-tree-deciduous { &:before { content: \"\\e200\"; } }\n.glyphicon-cd { &:before { content: \"\\e201\"; } }\n.glyphicon-save-file { &:before { content: \"\\e202\"; } }\n.glyphicon-open-file { &:before { content: \"\\e203\"; } }\n.glyphicon-level-up { &:before { content: \"\\e204\"; } }\n.glyphicon-copy { &:before { content: \"\\e205\"; } }\n.glyphicon-paste { &:before { content: \"\\e206\"; } }\n// The following 2 Glyphicons are omitted for the time being because\n// they currently use Unicode codepoints that are outside the\n// Basic Multilingual Plane (BMP). 
Older buggy versions of WebKit can't handle\n// non-BMP codepoints in CSS string escapes, and thus can't display these two icons.\n// Notably, the bug affects some older versions of the Android Browser.\n// More info: https://github.com/twbs/bootstrap/issues/10106\n// .glyphicon-door { &:before { content: \"\\1f6aa\"; } }\n// .glyphicon-key { &:before { content: \"\\1f511\"; } }\n.glyphicon-alert { &:before { content: \"\\e209\"; } }\n.glyphicon-equalizer { &:before { content: \"\\e210\"; } }\n.glyphicon-king { &:before { content: \"\\e211\"; } }\n.glyphicon-queen { &:before { content: \"\\e212\"; } }\n.glyphicon-pawn { &:before { content: \"\\e213\"; } }\n.glyphicon-bishop { &:before { content: \"\\e214\"; } }\n.glyphicon-knight { &:before { content: \"\\e215\"; } }\n.glyphicon-baby-formula { &:before { content: \"\\e216\"; } }\n.glyphicon-tent { &:before { content: \"\\26fa\"; } }\n.glyphicon-blackboard { &:before { content: \"\\e218\"; } }\n.glyphicon-bed { &:before { content: \"\\e219\"; } }\n.glyphicon-apple { &:before { content: \"\\f8ff\"; } }\n.glyphicon-erase { &:before { content: \"\\e221\"; } }\n.glyphicon-hourglass { &:before { content: \"\\231b\"; } }\n.glyphicon-lamp { &:before { content: \"\\e223\"; } }\n.glyphicon-duplicate { &:before { content: \"\\e224\"; } }\n.glyphicon-piggy-bank { &:before { content: \"\\e225\"; } }\n.glyphicon-scissors { &:before { content: \"\\e226\"; } }\n.glyphicon-bitcoin { &:before { content: \"\\e227\"; } }\n.glyphicon-btc { &:before { content: \"\\e227\"; } }\n.glyphicon-xbt { &:before { content: \"\\e227\"; } }\n.glyphicon-yen { &:before { content: \"\\00a5\"; } }\n.glyphicon-jpy { &:before { content: \"\\00a5\"; } }\n.glyphicon-ruble { &:before { content: \"\\20bd\"; } }\n.glyphicon-rub { &:before { content: \"\\20bd\"; } }\n.glyphicon-scale { &:before { content: \"\\e230\"; } }\n.glyphicon-ice-lolly { &:before { content: \"\\e231\"; } }\n.glyphicon-ice-lolly-tasted { &:before { content: \"\\e232\"; } 
}\n.glyphicon-education { &:before { content: \"\\e233\"; } }\n.glyphicon-option-horizontal { &:before { content: \"\\e234\"; } }\n.glyphicon-option-vertical { &:before { content: \"\\e235\"; } }\n.glyphicon-menu-hamburger { &:before { content: \"\\e236\"; } }\n.glyphicon-modal-window { &:before { content: \"\\e237\"; } }\n.glyphicon-oil { &:before { content: \"\\e238\"; } }\n.glyphicon-grain { &:before { content: \"\\e239\"; } }\n.glyphicon-sunglasses { &:before { content: \"\\e240\"; } }\n.glyphicon-text-size { &:before { content: \"\\e241\"; } }\n.glyphicon-text-color { &:before { content: \"\\e242\"; } }\n.glyphicon-text-background { &:before { content: \"\\e243\"; } }\n.glyphicon-object-align-top { &:before { content: \"\\e244\"; } }\n.glyphicon-object-align-bottom { &:before { content: \"\\e245\"; } }\n.glyphicon-object-align-horizontal{ &:before { content: \"\\e246\"; } }\n.glyphicon-object-align-left { &:before { content: \"\\e247\"; } }\n.glyphicon-object-align-vertical { &:before { content: \"\\e248\"; } }\n.glyphicon-object-align-right { &:before { content: \"\\e249\"; } }\n.glyphicon-triangle-right { &:before { content: \"\\e250\"; } }\n.glyphicon-triangle-left { &:before { content: \"\\e251\"; } }\n.glyphicon-triangle-bottom { &:before { content: \"\\e252\"; } }\n.glyphicon-triangle-top { &:before { content: \"\\e253\"; } }\n.glyphicon-console { &:before { content: \"\\e254\"; } }\n.glyphicon-superscript { &:before { content: \"\\e255\"; } }\n.glyphicon-subscript { &:before { content: \"\\e256\"; } }\n.glyphicon-menu-left { &:before { content: \"\\e257\"; } }\n.glyphicon-menu-right { &:before { content: \"\\e258\"; } }\n.glyphicon-menu-down { &:before { content: \"\\e259\"; } }\n.glyphicon-menu-up { &:before { content: \"\\e260\"; } }\n","//\n// Scaffolding\n// --------------------------------------------------\n\n\n// Reset the box-sizing\n//\n// Heads up! 
This reset may cause conflicts with some third-party widgets.\n// For recommendations on resolving such conflicts, see\n// http://getbootstrap.com/getting-started/#third-box-sizing\n* {\n .box-sizing(border-box);\n}\n*:before,\n*:after {\n .box-sizing(border-box);\n}\n\n\n// Body reset\n\nhtml {\n font-size: 10px;\n -webkit-tap-highlight-color: rgba(0,0,0,0);\n}\n\nbody {\n font-family: @font-family-base;\n font-size: @font-size-base;\n line-height: @line-height-base;\n color: @text-color;\n background-color: @body-bg;\n}\n\n// Reset fonts for relevant elements\ninput,\nbutton,\nselect,\ntextarea {\n font-family: inherit;\n font-size: inherit;\n line-height: inherit;\n}\n\n\n// Links\n\na {\n color: @link-color;\n text-decoration: none;\n\n &:hover,\n &:focus {\n color: @link-hover-color;\n text-decoration: @link-hover-decoration;\n }\n\n &:focus {\n .tab-focus();\n }\n}\n\n\n// Figures\n//\n// We reset this here because previously Normalize had no `figure` margins. This\n// ensures we don't break anyone's use of the element.\n\nfigure {\n margin: 0;\n}\n\n\n// Images\n\nimg {\n vertical-align: middle;\n}\n\n// Responsive images (ensure images don't scale beyond their parents)\n.img-responsive {\n .img-responsive();\n}\n\n// Rounded corners\n.img-rounded {\n border-radius: @border-radius-large;\n}\n\n// Image thumbnails\n//\n// Heads up! 
This is mixin-ed into thumbnails.less for `.thumbnail`.\n.img-thumbnail {\n padding: @thumbnail-padding;\n line-height: @line-height-base;\n background-color: @thumbnail-bg;\n border: 1px solid @thumbnail-border;\n border-radius: @thumbnail-border-radius;\n .transition(all .2s ease-in-out);\n\n // Keep them at most 100% wide\n .img-responsive(inline-block);\n}\n\n// Perfect circle\n.img-circle {\n border-radius: 50%; // set radius in percents\n}\n\n\n// Horizontal rules\n\nhr {\n margin-top: @line-height-computed;\n margin-bottom: @line-height-computed;\n border: 0;\n border-top: 1px solid @hr-border;\n}\n\n\n// Only display content to screen readers\n//\n// See: http://a11yproject.com/posts/how-to-hide-content\n\n.sr-only {\n position: absolute;\n width: 1px;\n height: 1px;\n margin: -1px;\n padding: 0;\n overflow: hidden;\n clip: rect(0,0,0,0);\n border: 0;\n}\n\n// Use in conjunction with .sr-only to only display content when it's focused.\n// Useful for \"Skip to main content\" links; see http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1\n// Credit: HTML5 Boilerplate\n\n.sr-only-focusable {\n &:active,\n &:focus {\n position: static;\n width: auto;\n height: auto;\n margin: 0;\n overflow: visible;\n clip: auto;\n }\n}\n\n\n// iOS \"clickable elements\" fix for role=\"button\"\n//\n// Fixes \"clickability\" issue (and more generally, the firing of events such as focus as well)\n// for traditionally non-focusable elements with role=\"button\"\n// see https://developer.mozilla.org/en-US/docs/Web/Events/click#Safari_Mobile\n\n[role=\"button\"] {\n cursor: pointer;\n}\n","// Vendor Prefixes\n//\n// All vendor mixins are deprecated as of v3.2.0 due to the introduction of\n// Autoprefixer in our Gruntfile. 
They have been removed in v4.\n\n// - Animations\n// - Backface visibility\n// - Box shadow\n// - Box sizing\n// - Content columns\n// - Hyphens\n// - Placeholder text\n// - Transformations\n// - Transitions\n// - User Select\n\n\n// Animations\n.animation(@animation) {\n -webkit-animation: @animation;\n -o-animation: @animation;\n animation: @animation;\n}\n.animation-name(@name) {\n -webkit-animation-name: @name;\n animation-name: @name;\n}\n.animation-duration(@duration) {\n -webkit-animation-duration: @duration;\n animation-duration: @duration;\n}\n.animation-timing-function(@timing-function) {\n -webkit-animation-timing-function: @timing-function;\n animation-timing-function: @timing-function;\n}\n.animation-delay(@delay) {\n -webkit-animation-delay: @delay;\n animation-delay: @delay;\n}\n.animation-iteration-count(@iteration-count) {\n -webkit-animation-iteration-count: @iteration-count;\n animation-iteration-count: @iteration-count;\n}\n.animation-direction(@direction) {\n -webkit-animation-direction: @direction;\n animation-direction: @direction;\n}\n.animation-fill-mode(@fill-mode) {\n -webkit-animation-fill-mode: @fill-mode;\n animation-fill-mode: @fill-mode;\n}\n\n// Backface visibility\n// Prevent browsers from flickering when using CSS 3D transforms.\n// Default value is `visible`, but can be changed to `hidden`\n\n.backface-visibility(@visibility) {\n -webkit-backface-visibility: @visibility;\n -moz-backface-visibility: @visibility;\n backface-visibility: @visibility;\n}\n\n// Drop shadows\n//\n// Note: Deprecated `.box-shadow()` as of v3.1.0 since all of Bootstrap's\n// supported browsers that have box shadow capabilities now support it.\n\n.box-shadow(@shadow) {\n -webkit-box-shadow: @shadow; // iOS <4.3 & Android <4.1\n box-shadow: @shadow;\n}\n\n// Box sizing\n.box-sizing(@boxmodel) {\n -webkit-box-sizing: @boxmodel;\n -moz-box-sizing: @boxmodel;\n box-sizing: @boxmodel;\n}\n\n// CSS3 Content Columns\n.content-columns(@column-count; @column-gap: 
@grid-gutter-width) {\n -webkit-column-count: @column-count;\n -moz-column-count: @column-count;\n column-count: @column-count;\n -webkit-column-gap: @column-gap;\n -moz-column-gap: @column-gap;\n column-gap: @column-gap;\n}\n\n// Optional hyphenation\n.hyphens(@mode: auto) {\n word-wrap: break-word;\n -webkit-hyphens: @mode;\n -moz-hyphens: @mode;\n -ms-hyphens: @mode; // IE10+\n -o-hyphens: @mode;\n hyphens: @mode;\n}\n\n// Placeholder text\n.placeholder(@color: @input-color-placeholder) {\n // Firefox\n &::-moz-placeholder {\n color: @color;\n opacity: 1; // Override Firefox's unusual default opacity; see https://github.com/twbs/bootstrap/pull/11526\n }\n &:-ms-input-placeholder { color: @color; } // Internet Explorer 10+\n &::-webkit-input-placeholder { color: @color; } // Safari and Chrome\n}\n\n// Transformations\n.scale(@ratio) {\n -webkit-transform: scale(@ratio);\n -ms-transform: scale(@ratio); // IE9 only\n -o-transform: scale(@ratio);\n transform: scale(@ratio);\n}\n.scale(@ratioX; @ratioY) {\n -webkit-transform: scale(@ratioX, @ratioY);\n -ms-transform: scale(@ratioX, @ratioY); // IE9 only\n -o-transform: scale(@ratioX, @ratioY);\n transform: scale(@ratioX, @ratioY);\n}\n.scaleX(@ratio) {\n -webkit-transform: scaleX(@ratio);\n -ms-transform: scaleX(@ratio); // IE9 only\n -o-transform: scaleX(@ratio);\n transform: scaleX(@ratio);\n}\n.scaleY(@ratio) {\n -webkit-transform: scaleY(@ratio);\n -ms-transform: scaleY(@ratio); // IE9 only\n -o-transform: scaleY(@ratio);\n transform: scaleY(@ratio);\n}\n.skew(@x; @y) {\n -webkit-transform: skewX(@x) skewY(@y);\n -ms-transform: skewX(@x) skewY(@y); // See https://github.com/twbs/bootstrap/issues/4885; IE9+\n -o-transform: skewX(@x) skewY(@y);\n transform: skewX(@x) skewY(@y);\n}\n.translate(@x; @y) {\n -webkit-transform: translate(@x, @y);\n -ms-transform: translate(@x, @y); // IE9 only\n -o-transform: translate(@x, @y);\n transform: translate(@x, @y);\n}\n.translate3d(@x; @y; @z) {\n -webkit-transform: 
translate3d(@x, @y, @z);\n transform: translate3d(@x, @y, @z);\n}\n.rotate(@degrees) {\n -webkit-transform: rotate(@degrees);\n -ms-transform: rotate(@degrees); // IE9 only\n -o-transform: rotate(@degrees);\n transform: rotate(@degrees);\n}\n.rotateX(@degrees) {\n -webkit-transform: rotateX(@degrees);\n -ms-transform: rotateX(@degrees); // IE9 only\n -o-transform: rotateX(@degrees);\n transform: rotateX(@degrees);\n}\n.rotateY(@degrees) {\n -webkit-transform: rotateY(@degrees);\n -ms-transform: rotateY(@degrees); // IE9 only\n -o-transform: rotateY(@degrees);\n transform: rotateY(@degrees);\n}\n.perspective(@perspective) {\n -webkit-perspective: @perspective;\n -moz-perspective: @perspective;\n perspective: @perspective;\n}\n.perspective-origin(@perspective) {\n -webkit-perspective-origin: @perspective;\n -moz-perspective-origin: @perspective;\n perspective-origin: @perspective;\n}\n.transform-origin(@origin) {\n -webkit-transform-origin: @origin;\n -moz-transform-origin: @origin;\n -ms-transform-origin: @origin; // IE9 only\n transform-origin: @origin;\n}\n\n\n// Transitions\n\n.transition(@transition) {\n -webkit-transition: @transition;\n -o-transition: @transition;\n transition: @transition;\n}\n.transition-property(@transition-property) {\n -webkit-transition-property: @transition-property;\n transition-property: @transition-property;\n}\n.transition-delay(@transition-delay) {\n -webkit-transition-delay: @transition-delay;\n transition-delay: @transition-delay;\n}\n.transition-duration(@transition-duration) {\n -webkit-transition-duration: @transition-duration;\n transition-duration: @transition-duration;\n}\n.transition-timing-function(@timing-function) {\n -webkit-transition-timing-function: @timing-function;\n transition-timing-function: @timing-function;\n}\n.transition-transform(@transition) {\n -webkit-transition: -webkit-transform @transition;\n -moz-transition: -moz-transform @transition;\n -o-transition: -o-transform @transition;\n transition: 
transform @transition;\n}\n\n\n// User select\n// For selecting text on the page\n\n.user-select(@select) {\n -webkit-user-select: @select;\n -moz-user-select: @select;\n -ms-user-select: @select; // IE10+\n user-select: @select;\n}\n","// WebKit-style focus\n\n.tab-focus() {\n // WebKit-specific. Other browsers will keep their default outline style.\n // (Initially tried to also force default via `outline: initial`,\n // but that seems to erroneously remove the outline in Firefox altogether.)\n outline: 5px auto -webkit-focus-ring-color;\n outline-offset: -2px;\n}\n","// Image Mixins\n// - Responsive image\n// - Retina image\n\n\n// Responsive image\n//\n// Keep images from scaling beyond the width of their parents.\n.img-responsive(@display: block) {\n display: @display;\n max-width: 100%; // Part 1: Set a maximum relative to the parent\n height: auto; // Part 2: Scale the height according to the width, otherwise you get stretching\n}\n\n\n// Retina image\n//\n// Short retina mixin for setting background-image and -size. 
Note that the\n// spelling of `min--moz-device-pixel-ratio` is intentional.\n.img-retina(@file-1x; @file-2x; @width-1x; @height-1x) {\n background-image: url(\"@{file-1x}\");\n\n @media\n only screen and (-webkit-min-device-pixel-ratio: 2),\n only screen and ( min--moz-device-pixel-ratio: 2),\n only screen and ( -o-min-device-pixel-ratio: 2/1),\n only screen and ( min-device-pixel-ratio: 2),\n only screen and ( min-resolution: 192dpi),\n only screen and ( min-resolution: 2dppx) {\n background-image: url(\"@{file-2x}\");\n background-size: @width-1x @height-1x;\n }\n}\n","//\n// Typography\n// --------------------------------------------------\n\n\n// Headings\n// -------------------------\n\nh1, h2, h3, h4, h5, h6,\n.h1, .h2, .h3, .h4, .h5, .h6 {\n font-family: @headings-font-family;\n font-weight: @headings-font-weight;\n line-height: @headings-line-height;\n color: @headings-color;\n\n small,\n .small {\n font-weight: normal;\n line-height: 1;\n color: @headings-small-color;\n }\n}\n\nh1, .h1,\nh2, .h2,\nh3, .h3 {\n margin-top: @line-height-computed;\n margin-bottom: (@line-height-computed / 2);\n\n small,\n .small {\n font-size: 65%;\n }\n}\nh4, .h4,\nh5, .h5,\nh6, .h6 {\n margin-top: (@line-height-computed / 2);\n margin-bottom: (@line-height-computed / 2);\n\n small,\n .small {\n font-size: 75%;\n }\n}\n\nh1, .h1 { font-size: @font-size-h1; }\nh2, .h2 { font-size: @font-size-h2; }\nh3, .h3 { font-size: @font-size-h3; }\nh4, .h4 { font-size: @font-size-h4; }\nh5, .h5 { font-size: @font-size-h5; }\nh6, .h6 { font-size: @font-size-h6; }\n\n\n// Body text\n// -------------------------\n\np {\n margin: 0 0 (@line-height-computed / 2);\n}\n\n.lead {\n margin-bottom: @line-height-computed;\n font-size: floor((@font-size-base * 1.15));\n font-weight: 300;\n line-height: 1.4;\n\n @media (min-width: @screen-sm-min) {\n font-size: (@font-size-base * 1.5);\n }\n}\n\n\n// Emphasis & misc\n// -------------------------\n\n// Ex: (12px small font / 14px base font) * 100% = 
about 85%\nsmall,\n.small {\n font-size: floor((100% * @font-size-small / @font-size-base));\n}\n\nmark,\n.mark {\n background-color: @state-warning-bg;\n padding: .2em;\n}\n\n// Alignment\n.text-left { text-align: left; }\n.text-right { text-align: right; }\n.text-center { text-align: center; }\n.text-justify { text-align: justify; }\n.text-nowrap { white-space: nowrap; }\n\n// Transformation\n.text-lowercase { text-transform: lowercase; }\n.text-uppercase { text-transform: uppercase; }\n.text-capitalize { text-transform: capitalize; }\n\n// Contextual colors\n.text-muted {\n color: @text-muted;\n}\n.text-primary {\n .text-emphasis-variant(@brand-primary);\n}\n.text-success {\n .text-emphasis-variant(@state-success-text);\n}\n.text-info {\n .text-emphasis-variant(@state-info-text);\n}\n.text-warning {\n .text-emphasis-variant(@state-warning-text);\n}\n.text-danger {\n .text-emphasis-variant(@state-danger-text);\n}\n\n// Contextual backgrounds\n// For now we'll leave these alongside the text classes until v4 when we can\n// safely shift things around (per SemVer rules).\n.bg-primary {\n // Given the contrast here, this is the only class to have its color inverted\n // automatically.\n color: #fff;\n .bg-variant(@brand-primary);\n}\n.bg-success {\n .bg-variant(@state-success-bg);\n}\n.bg-info {\n .bg-variant(@state-info-bg);\n}\n.bg-warning {\n .bg-variant(@state-warning-bg);\n}\n.bg-danger {\n .bg-variant(@state-danger-bg);\n}\n\n\n// Page header\n// -------------------------\n\n.page-header {\n padding-bottom: ((@line-height-computed / 2) - 1);\n margin: (@line-height-computed * 2) 0 @line-height-computed;\n border-bottom: 1px solid @page-header-border-color;\n}\n\n\n// Lists\n// -------------------------\n\n// Unordered and Ordered lists\nul,\nol {\n margin-top: 0;\n margin-bottom: (@line-height-computed / 2);\n ul,\n ol {\n margin-bottom: 0;\n }\n}\n\n// List options\n\n// Unstyled keeps list items block level, just removes default browser padding and 
list-style\n.list-unstyled {\n padding-left: 0;\n list-style: none;\n}\n\n// Inline turns list items into inline-block\n.list-inline {\n .list-unstyled();\n margin-left: -5px;\n\n > li {\n display: inline-block;\n padding-left: 5px;\n padding-right: 5px;\n }\n}\n\n// Description Lists\ndl {\n margin-top: 0; // Remove browser default\n margin-bottom: @line-height-computed;\n}\ndt,\ndd {\n line-height: @line-height-base;\n}\ndt {\n font-weight: bold;\n}\ndd {\n margin-left: 0; // Undo browser default\n}\n\n// Horizontal description lists\n//\n// Defaults to being stacked without any of the below styles applied, until the\n// grid breakpoint is reached (default of ~768px).\n\n.dl-horizontal {\n dd {\n &:extend(.clearfix all); // Clear the floated `dt` if an empty `dd` is present\n }\n\n @media (min-width: @dl-horizontal-breakpoint) {\n dt {\n float: left;\n width: (@dl-horizontal-offset - 20);\n clear: left;\n text-align: right;\n .text-overflow();\n }\n dd {\n margin-left: @dl-horizontal-offset;\n }\n }\n}\n\n\n// Misc\n// -------------------------\n\n// Abbreviations and acronyms\nabbr[title],\n// Add data-* attribute to help out our tooltip plugin, per https://github.com/twbs/bootstrap/issues/5257\nabbr[data-original-title] {\n cursor: help;\n border-bottom: 1px dotted @abbr-border-color;\n}\n.initialism {\n font-size: 90%;\n .text-uppercase();\n}\n\n// Blockquotes\nblockquote {\n padding: (@line-height-computed / 2) @line-height-computed;\n margin: 0 0 @line-height-computed;\n font-size: @blockquote-font-size;\n border-left: 5px solid @blockquote-border-color;\n\n p,\n ul,\n ol {\n &:last-child {\n margin-bottom: 0;\n }\n }\n\n // Note: Deprecated small and .small as of v3.1.0\n // Context: https://github.com/twbs/bootstrap/issues/11660\n footer,\n small,\n .small {\n display: block;\n font-size: 80%; // back to default font-size\n line-height: @line-height-base;\n color: @blockquote-small-color;\n\n &:before {\n content: '\\2014 \\00A0'; // em dash, nbsp\n }\n 
}\n}\n\n// Opposite alignment of blockquote\n//\n// Heads up: `blockquote.pull-right` has been deprecated as of v3.1.0.\n.blockquote-reverse,\nblockquote.pull-right {\n padding-right: 15px;\n padding-left: 0;\n border-right: 5px solid @blockquote-border-color;\n border-left: 0;\n text-align: right;\n\n // Account for citation\n footer,\n small,\n .small {\n &:before { content: ''; }\n &:after {\n content: '\\00A0 \\2014'; // nbsp, em dash\n }\n }\n}\n\n// Addresses\naddress {\n margin-bottom: @line-height-computed;\n font-style: normal;\n line-height: @line-height-base;\n}\n","// Typography\n\n.text-emphasis-variant(@color) {\n color: @color;\n a&:hover,\n a&:focus {\n color: darken(@color, 10%);\n }\n}\n","// Contextual backgrounds\n\n.bg-variant(@color) {\n background-color: @color;\n a&:hover,\n a&:focus {\n background-color: darken(@color, 10%);\n }\n}\n","// Text overflow\n// Requires inline-block or block for proper styling\n\n.text-overflow() {\n overflow: hidden;\n text-overflow: ellipsis;\n white-space: nowrap;\n}\n","//\n// Code (inline and block)\n// --------------------------------------------------\n\n\n// Inline and block code styles\ncode,\nkbd,\npre,\nsamp {\n font-family: @font-family-monospace;\n}\n\n// Inline code\ncode {\n padding: 2px 4px;\n font-size: 90%;\n color: @code-color;\n background-color: @code-bg;\n border-radius: @border-radius-base;\n}\n\n// User input typically entered via keyboard\nkbd {\n padding: 2px 4px;\n font-size: 90%;\n color: @kbd-color;\n background-color: @kbd-bg;\n border-radius: @border-radius-small;\n box-shadow: inset 0 -1px 0 rgba(0,0,0,.25);\n\n kbd {\n padding: 0;\n font-size: 100%;\n font-weight: bold;\n box-shadow: none;\n }\n}\n\n// Blocks of code\npre {\n display: block;\n padding: ((@line-height-computed - 1) / 2);\n margin: 0 0 (@line-height-computed / 2);\n font-size: (@font-size-base - 1); // 14px to 13px\n line-height: @line-height-base;\n word-break: break-all;\n word-wrap: break-word;\n color: 
@pre-color;\n background-color: @pre-bg;\n border: 1px solid @pre-border-color;\n border-radius: @border-radius-base;\n\n // Account for some code outputs that place code tags in pre tags\n code {\n padding: 0;\n font-size: inherit;\n color: inherit;\n white-space: pre-wrap;\n background-color: transparent;\n border-radius: 0;\n }\n}\n\n// Enable scrollable blocks of code\n.pre-scrollable {\n max-height: @pre-scrollable-max-height;\n overflow-y: scroll;\n}\n","//\n// Grid system\n// --------------------------------------------------\n\n\n// Container widths\n//\n// Set the container width, and override it for fixed navbars in media queries.\n\n.container {\n .container-fixed();\n\n @media (min-width: @screen-sm-min) {\n width: @container-sm;\n }\n @media (min-width: @screen-md-min) {\n width: @container-md;\n }\n @media (min-width: @screen-lg-min) {\n width: @container-lg;\n }\n}\n\n\n// Fluid container\n//\n// Utilizes the mixin meant for fixed width containers, but without any defined\n// width for fluid, full width layouts.\n\n.container-fluid {\n .container-fixed();\n}\n\n\n// Row\n//\n// Rows contain and clear the floats of your columns.\n\n.row {\n .make-row();\n}\n\n\n// Columns\n//\n// Common styles for small and large grid columns\n\n.make-grid-columns();\n\n\n// Extra small grid\n//\n// Columns, offsets, pushes, and pulls for extra small devices like\n// smartphones.\n\n.make-grid(xs);\n\n\n// Small grid\n//\n// Columns, offsets, pushes, and pulls for the small device range, from phones\n// to tablets.\n\n@media (min-width: @screen-sm-min) {\n .make-grid(sm);\n}\n\n\n// Medium grid\n//\n// Columns, offsets, pushes, and pulls for the desktop device range.\n\n@media (min-width: @screen-md-min) {\n .make-grid(md);\n}\n\n\n// Large grid\n//\n// Columns, offsets, pushes, and pulls for the large desktop device range.\n\n@media (min-width: @screen-lg-min) {\n .make-grid(lg);\n}\n","// Grid system\n//\n// Generate semantic grid columns with these mixins.\n\n// 
Centered container element\n.container-fixed(@gutter: @grid-gutter-width) {\n margin-right: auto;\n margin-left: auto;\n padding-left: floor((@gutter / 2));\n padding-right: ceil((@gutter / 2));\n &:extend(.clearfix all);\n}\n\n// Creates a wrapper for a series of columns\n.make-row(@gutter: @grid-gutter-width) {\n margin-left: ceil((@gutter / -2));\n margin-right: floor((@gutter / -2));\n &:extend(.clearfix all);\n}\n\n// Generate the extra small columns\n.make-xs-column(@columns; @gutter: @grid-gutter-width) {\n position: relative;\n float: left;\n width: percentage((@columns / @grid-columns));\n min-height: 1px;\n padding-left: (@gutter / 2);\n padding-right: (@gutter / 2);\n}\n.make-xs-column-offset(@columns) {\n margin-left: percentage((@columns / @grid-columns));\n}\n.make-xs-column-push(@columns) {\n left: percentage((@columns / @grid-columns));\n}\n.make-xs-column-pull(@columns) {\n right: percentage((@columns / @grid-columns));\n}\n\n// Generate the small columns\n.make-sm-column(@columns; @gutter: @grid-gutter-width) {\n position: relative;\n min-height: 1px;\n padding-left: (@gutter / 2);\n padding-right: (@gutter / 2);\n\n @media (min-width: @screen-sm-min) {\n float: left;\n width: percentage((@columns / @grid-columns));\n }\n}\n.make-sm-column-offset(@columns) {\n @media (min-width: @screen-sm-min) {\n margin-left: percentage((@columns / @grid-columns));\n }\n}\n.make-sm-column-push(@columns) {\n @media (min-width: @screen-sm-min) {\n left: percentage((@columns / @grid-columns));\n }\n}\n.make-sm-column-pull(@columns) {\n @media (min-width: @screen-sm-min) {\n right: percentage((@columns / @grid-columns));\n }\n}\n\n// Generate the medium columns\n.make-md-column(@columns; @gutter: @grid-gutter-width) {\n position: relative;\n min-height: 1px;\n padding-left: (@gutter / 2);\n padding-right: (@gutter / 2);\n\n @media (min-width: @screen-md-min) {\n float: left;\n width: percentage((@columns / @grid-columns));\n }\n}\n.make-md-column-offset(@columns) 
{\n @media (min-width: @screen-md-min) {\n margin-left: percentage((@columns / @grid-columns));\n }\n}\n.make-md-column-push(@columns) {\n @media (min-width: @screen-md-min) {\n left: percentage((@columns / @grid-columns));\n }\n}\n.make-md-column-pull(@columns) {\n @media (min-width: @screen-md-min) {\n right: percentage((@columns / @grid-columns));\n }\n}\n\n// Generate the large columns\n.make-lg-column(@columns; @gutter: @grid-gutter-width) {\n position: relative;\n min-height: 1px;\n padding-left: (@gutter / 2);\n padding-right: (@gutter / 2);\n\n @media (min-width: @screen-lg-min) {\n float: left;\n width: percentage((@columns / @grid-columns));\n }\n}\n.make-lg-column-offset(@columns) {\n @media (min-width: @screen-lg-min) {\n margin-left: percentage((@columns / @grid-columns));\n }\n}\n.make-lg-column-push(@columns) {\n @media (min-width: @screen-lg-min) {\n left: percentage((@columns / @grid-columns));\n }\n}\n.make-lg-column-pull(@columns) {\n @media (min-width: @screen-lg-min) {\n right: percentage((@columns / @grid-columns));\n }\n}\n","// Framework grid generation\n//\n// Used only by Bootstrap to generate the correct number of grid classes given\n// any value of `@grid-columns`.\n\n.make-grid-columns() {\n // Common styles for all sizes of grid columns, widths 1-12\n .col(@index) { // initial\n @item: ~\".col-xs-@{index}, .col-sm-@{index}, .col-md-@{index}, .col-lg-@{index}\";\n .col((@index + 1), @item);\n }\n .col(@index, @list) when (@index =< @grid-columns) { // general; \"=<\" isn't a typo\n @item: ~\".col-xs-@{index}, .col-sm-@{index}, .col-md-@{index}, .col-lg-@{index}\";\n .col((@index + 1), ~\"@{list}, @{item}\");\n }\n .col(@index, @list) when (@index > @grid-columns) { // terminal\n @{list} {\n position: relative;\n // Prevent columns from collapsing when empty\n min-height: 1px;\n // Inner gutter via padding\n padding-left: ceil((@grid-gutter-width / 2));\n padding-right: floor((@grid-gutter-width / 2));\n }\n }\n .col(1); // kickstart 
it\n}\n\n.float-grid-columns(@class) {\n .col(@index) { // initial\n @item: ~\".col-@{class}-@{index}\";\n .col((@index + 1), @item);\n }\n .col(@index, @list) when (@index =< @grid-columns) { // general\n @item: ~\".col-@{class}-@{index}\";\n .col((@index + 1), ~\"@{list}, @{item}\");\n }\n .col(@index, @list) when (@index > @grid-columns) { // terminal\n @{list} {\n float: left;\n }\n }\n .col(1); // kickstart it\n}\n\n.calc-grid-column(@index, @class, @type) when (@type = width) and (@index > 0) {\n .col-@{class}-@{index} {\n width: percentage((@index / @grid-columns));\n }\n}\n.calc-grid-column(@index, @class, @type) when (@type = push) and (@index > 0) {\n .col-@{class}-push-@{index} {\n left: percentage((@index / @grid-columns));\n }\n}\n.calc-grid-column(@index, @class, @type) when (@type = push) and (@index = 0) {\n .col-@{class}-push-0 {\n left: auto;\n }\n}\n.calc-grid-column(@index, @class, @type) when (@type = pull) and (@index > 0) {\n .col-@{class}-pull-@{index} {\n right: percentage((@index / @grid-columns));\n }\n}\n.calc-grid-column(@index, @class, @type) when (@type = pull) and (@index = 0) {\n .col-@{class}-pull-0 {\n right: auto;\n }\n}\n.calc-grid-column(@index, @class, @type) when (@type = offset) {\n .col-@{class}-offset-@{index} {\n margin-left: percentage((@index / @grid-columns));\n }\n}\n\n// Basic looping in LESS\n.loop-grid-columns(@index, @class, @type) when (@index >= 0) {\n .calc-grid-column(@index, @class, @type);\n // next iteration\n .loop-grid-columns((@index - 1), @class, @type);\n}\n\n// Create grid for specific class\n.make-grid(@class) {\n .float-grid-columns(@class);\n .loop-grid-columns(@grid-columns, @class, width);\n .loop-grid-columns(@grid-columns, @class, pull);\n .loop-grid-columns(@grid-columns, @class, push);\n .loop-grid-columns(@grid-columns, @class, offset);\n}\n","//\n// Tables\n// --------------------------------------------------\n\n\ntable {\n background-color: @table-bg;\n}\ncaption {\n padding-top: 
@table-cell-padding;\n padding-bottom: @table-cell-padding;\n color: @text-muted;\n text-align: left;\n}\nth {\n text-align: left;\n}\n\n\n// Baseline styles\n\n.table {\n width: 100%;\n max-width: 100%;\n margin-bottom: @line-height-computed;\n // Cells\n > thead,\n > tbody,\n > tfoot {\n > tr {\n > th,\n > td {\n padding: @table-cell-padding;\n line-height: @line-height-base;\n vertical-align: top;\n border-top: 1px solid @table-border-color;\n }\n }\n }\n // Bottom align for column headings\n > thead > tr > th {\n vertical-align: bottom;\n border-bottom: 2px solid @table-border-color;\n }\n // Remove top border from thead by default\n > caption + thead,\n > colgroup + thead,\n > thead:first-child {\n > tr:first-child {\n > th,\n > td {\n border-top: 0;\n }\n }\n }\n // Account for multiple tbody instances\n > tbody + tbody {\n border-top: 2px solid @table-border-color;\n }\n\n // Nesting\n .table {\n background-color: @body-bg;\n }\n}\n\n\n// Condensed table w/ half padding\n\n.table-condensed {\n > thead,\n > tbody,\n > tfoot {\n > tr {\n > th,\n > td {\n padding: @table-condensed-cell-padding;\n }\n }\n }\n}\n\n\n// Bordered version\n//\n// Add borders all around the table and between all the columns.\n\n.table-bordered {\n border: 1px solid @table-border-color;\n > thead,\n > tbody,\n > tfoot {\n > tr {\n > th,\n > td {\n border: 1px solid @table-border-color;\n }\n }\n }\n > thead > tr {\n > th,\n > td {\n border-bottom-width: 2px;\n }\n }\n}\n\n\n// Zebra-striping\n//\n// Default zebra-stripe styles (alternating gray and transparent backgrounds)\n\n.table-striped {\n > tbody > tr:nth-of-type(odd) {\n background-color: @table-bg-accent;\n }\n}\n\n\n// Hover effect\n//\n// Placed here since it has to come after the potential zebra striping\n\n.table-hover {\n > tbody > tr:hover {\n background-color: @table-bg-hover;\n }\n}\n\n\n// Table cell sizing\n//\n// Reset default table behavior\n\ntable col[class*=\"col-\"] {\n position: static; // Prevent border 
hiding in Firefox and IE9-11 (see https://github.com/twbs/bootstrap/issues/11623)\n float: none;\n display: table-column;\n}\ntable {\n td,\n th {\n &[class*=\"col-\"] {\n position: static; // Prevent border hiding in Firefox and IE9-11 (see https://github.com/twbs/bootstrap/issues/11623)\n float: none;\n display: table-cell;\n }\n }\n}\n\n\n// Table backgrounds\n//\n// Exact selectors below required to override `.table-striped` and prevent\n// inheritance to nested tables.\n\n// Generate the contextual variants\n.table-row-variant(active; @table-bg-active);\n.table-row-variant(success; @state-success-bg);\n.table-row-variant(info; @state-info-bg);\n.table-row-variant(warning; @state-warning-bg);\n.table-row-variant(danger; @state-danger-bg);\n\n\n// Responsive tables\n//\n// Wrap your tables in `.table-responsive` and we'll make them mobile friendly\n// by enabling horizontal scrolling. Only applies <768px. Everything above that\n// will display normally.\n\n.table-responsive {\n overflow-x: auto;\n min-height: 0.01%; // Workaround for IE9 bug (see https://github.com/twbs/bootstrap/issues/14837)\n\n @media screen and (max-width: @screen-xs-max) {\n width: 100%;\n margin-bottom: (@line-height-computed * 0.75);\n overflow-y: hidden;\n -ms-overflow-style: -ms-autohiding-scrollbar;\n border: 1px solid @table-border-color;\n\n // Tighten up spacing\n > .table {\n margin-bottom: 0;\n\n // Ensure the content doesn't wrap\n > thead,\n > tbody,\n > tfoot {\n > tr {\n > th,\n > td {\n white-space: nowrap;\n }\n }\n }\n }\n\n // Special overrides for the bordered tables\n > .table-bordered {\n border: 0;\n\n // Nuke the appropriate borders so that the parent can handle them\n > thead,\n > tbody,\n > tfoot {\n > tr {\n > th:first-child,\n > td:first-child {\n border-left: 0;\n }\n > th:last-child,\n > td:last-child {\n border-right: 0;\n }\n }\n }\n\n // Only nuke the last row's bottom-border in `tbody` and `tfoot` since\n // chances are there will be only one `tr` in a 
`thead` and that would\n // remove the border altogether.\n > tbody,\n > tfoot {\n > tr:last-child {\n > th,\n > td {\n border-bottom: 0;\n }\n }\n }\n\n }\n }\n}\n","// Tables\n\n.table-row-variant(@state; @background) {\n // Exact selectors below required to override `.table-striped` and prevent\n // inheritance to nested tables.\n .table > thead > tr,\n .table > tbody > tr,\n .table > tfoot > tr {\n > td.@{state},\n > th.@{state},\n &.@{state} > td,\n &.@{state} > th {\n background-color: @background;\n }\n }\n\n // Hover states for `.table-hover`\n // Note: this is not available for cells or rows within `thead` or `tfoot`.\n .table-hover > tbody > tr {\n > td.@{state}:hover,\n > th.@{state}:hover,\n &.@{state}:hover > td,\n &:hover > .@{state},\n &.@{state}:hover > th {\n background-color: darken(@background, 5%);\n }\n }\n}\n","//\n// Forms\n// --------------------------------------------------\n\n\n// Normalize non-controls\n//\n// Restyle and baseline non-control form elements.\n\nfieldset {\n padding: 0;\n margin: 0;\n border: 0;\n // Chrome and Firefox set a `min-width: min-content;` on fieldsets,\n // so we reset that to ensure it behaves more like a standard block element.\n // See https://github.com/twbs/bootstrap/issues/12359.\n min-width: 0;\n}\n\nlegend {\n display: block;\n width: 100%;\n padding: 0;\n margin-bottom: @line-height-computed;\n font-size: (@font-size-base * 1.5);\n line-height: inherit;\n color: @legend-color;\n border: 0;\n border-bottom: 1px solid @legend-border-color;\n}\n\nlabel {\n display: inline-block;\n max-width: 100%; // Force IE8 to wrap long content (see https://github.com/twbs/bootstrap/issues/13141)\n margin-bottom: 5px;\n font-weight: bold;\n}\n\n\n// Normalize form controls\n//\n// While most of our form styles require extra classes, some basic normalization\n// is required to ensure optimum display with or without those classes to better\n// address browser inconsistencies.\n\n// Override content-box in Normalize (* 
isn't specific enough)\ninput[type=\"search\"] {\n .box-sizing(border-box);\n}\n\n// Position radios and checkboxes better\ninput[type=\"radio\"],\ninput[type=\"checkbox\"] {\n margin: 4px 0 0;\n margin-top: 1px \\9; // IE8-9\n line-height: normal;\n}\n\ninput[type=\"file\"] {\n display: block;\n}\n\n// Make range inputs behave like textual form controls\ninput[type=\"range\"] {\n display: block;\n width: 100%;\n}\n\n// Make multiple select elements height not fixed\nselect[multiple],\nselect[size] {\n height: auto;\n}\n\n// Focus for file, radio, and checkbox\ninput[type=\"file\"]:focus,\ninput[type=\"radio\"]:focus,\ninput[type=\"checkbox\"]:focus {\n .tab-focus();\n}\n\n// Adjust output element\noutput {\n display: block;\n padding-top: (@padding-base-vertical + 1);\n font-size: @font-size-base;\n line-height: @line-height-base;\n color: @input-color;\n}\n\n\n// Common form controls\n//\n// Shared size and type resets for form controls. Apply `.form-control` to any\n// of the following form controls:\n//\n// select\n// textarea\n// input[type=\"text\"]\n// input[type=\"password\"]\n// input[type=\"datetime\"]\n// input[type=\"datetime-local\"]\n// input[type=\"date\"]\n// input[type=\"month\"]\n// input[type=\"time\"]\n// input[type=\"week\"]\n// input[type=\"number\"]\n// input[type=\"email\"]\n// input[type=\"url\"]\n// input[type=\"search\"]\n// input[type=\"tel\"]\n// input[type=\"color\"]\n\n.form-control {\n display: block;\n width: 100%;\n height: @input-height-base; // Make inputs at least the height of their button counterpart (base line-height + padding + border)\n padding: @padding-base-vertical @padding-base-horizontal;\n font-size: @font-size-base;\n line-height: @line-height-base;\n color: @input-color;\n background-color: @input-bg;\n background-image: none; // Reset unusual Firefox-on-Android default style; see https://github.com/necolas/normalize.css/issues/214\n border: 1px solid @input-border;\n border-radius: @input-border-radius; // Note: 
This has no effect on s in CSS.\n .box-shadow(inset 0 1px 1px rgba(0,0,0,.075));\n .transition(~\"border-color ease-in-out .15s, box-shadow ease-in-out .15s\");\n\n // Customize the `:focus` state to imitate native WebKit styles.\n .form-control-focus();\n\n // Placeholder\n .placeholder();\n\n // Unstyle the caret on ``\n// element gets special love because it's special, and that's a fact!\n.input-size(@input-height; @padding-vertical; @padding-horizontal; @font-size; @line-height; @border-radius) {\n height: @input-height;\n padding: @padding-vertical @padding-horizontal;\n font-size: @font-size;\n line-height: @line-height;\n border-radius: @border-radius;\n\n select& {\n height: @input-height;\n line-height: @input-height;\n }\n\n textarea&,\n select[multiple]& {\n height: auto;\n }\n}\n","//\n// Buttons\n// --------------------------------------------------\n\n\n// Base styles\n// --------------------------------------------------\n\n.btn {\n display: inline-block;\n margin-bottom: 0; // For input.btn\n font-weight: @btn-font-weight;\n text-align: center;\n vertical-align: middle;\n touch-action: manipulation;\n cursor: pointer;\n background-image: none; // Reset unusual Firefox-on-Android default style; see https://github.com/necolas/normalize.css/issues/214\n border: 1px solid transparent;\n white-space: nowrap;\n .button-size(@padding-base-vertical; @padding-base-horizontal; @font-size-base; @line-height-base; @btn-border-radius-base);\n .user-select(none);\n\n &,\n &:active,\n &.active {\n &:focus,\n &.focus {\n .tab-focus();\n }\n }\n\n &:hover,\n &:focus,\n &.focus {\n color: @btn-default-color;\n text-decoration: none;\n }\n\n &:active,\n &.active {\n outline: 0;\n background-image: none;\n .box-shadow(inset 0 3px 5px rgba(0,0,0,.125));\n }\n\n &.disabled,\n &[disabled],\n fieldset[disabled] & {\n cursor: @cursor-disabled;\n .opacity(.65);\n .box-shadow(none);\n }\n\n a& {\n &.disabled,\n fieldset[disabled] & {\n pointer-events: none; // Future-proof 
disabling of clicks on `` elements\n }\n }\n}\n\n\n// Alternate buttons\n// --------------------------------------------------\n\n.btn-default {\n .button-variant(@btn-default-color; @btn-default-bg; @btn-default-border);\n}\n.btn-primary {\n .button-variant(@btn-primary-color; @btn-primary-bg; @btn-primary-border);\n}\n// Success appears as green\n.btn-success {\n .button-variant(@btn-success-color; @btn-success-bg; @btn-success-border);\n}\n// Info appears as blue-green\n.btn-info {\n .button-variant(@btn-info-color; @btn-info-bg; @btn-info-border);\n}\n// Warning appears as orange\n.btn-warning {\n .button-variant(@btn-warning-color; @btn-warning-bg; @btn-warning-border);\n}\n// Danger and error appear as red\n.btn-danger {\n .button-variant(@btn-danger-color; @btn-danger-bg; @btn-danger-border);\n}\n\n\n// Link buttons\n// -------------------------\n\n// Make a button look and behave like a link\n.btn-link {\n color: @link-color;\n font-weight: normal;\n border-radius: 0;\n\n &,\n &:active,\n &.active,\n &[disabled],\n fieldset[disabled] & {\n background-color: transparent;\n .box-shadow(none);\n }\n &,\n &:hover,\n &:focus,\n &:active {\n border-color: transparent;\n }\n &:hover,\n &:focus {\n color: @link-hover-color;\n text-decoration: @link-hover-decoration;\n background-color: transparent;\n }\n &[disabled],\n fieldset[disabled] & {\n &:hover,\n &:focus {\n color: @btn-link-disabled-color;\n text-decoration: none;\n }\n }\n}\n\n\n// Button Sizes\n// --------------------------------------------------\n\n.btn-lg {\n // line-height: ensure even-numbered height of button next to large input\n .button-size(@padding-large-vertical; @padding-large-horizontal; @font-size-large; @line-height-large; @btn-border-radius-large);\n}\n.btn-sm {\n // line-height: ensure proper height of button next to small input\n .button-size(@padding-small-vertical; @padding-small-horizontal; @font-size-small; @line-height-small; @btn-border-radius-small);\n}\n.btn-xs {\n 
.button-size(@padding-xs-vertical; @padding-xs-horizontal; @font-size-small; @line-height-small; @btn-border-radius-small);\n}\n\n\n// Block button\n// --------------------------------------------------\n\n.btn-block {\n display: block;\n width: 100%;\n}\n\n// Vertically space out multiple block buttons\n.btn-block + .btn-block {\n margin-top: 5px;\n}\n\n// Specificity overrides\ninput[type=\"submit\"],\ninput[type=\"reset\"],\ninput[type=\"button\"] {\n &.btn-block {\n width: 100%;\n }\n}\n","// Button variants\n//\n// Easily pump out default styles, as well as :hover, :focus, :active,\n// and disabled options for all buttons\n\n.button-variant(@color; @background; @border) {\n color: @color;\n background-color: @background;\n border-color: @border;\n\n &:focus,\n &.focus {\n color: @color;\n background-color: darken(@background, 10%);\n border-color: darken(@border, 25%);\n }\n &:hover {\n color: @color;\n background-color: darken(@background, 10%);\n border-color: darken(@border, 12%);\n }\n &:active,\n &.active,\n .open > .dropdown-toggle& {\n color: @color;\n background-color: darken(@background, 10%);\n border-color: darken(@border, 12%);\n\n &:hover,\n &:focus,\n &.focus {\n color: @color;\n background-color: darken(@background, 17%);\n border-color: darken(@border, 25%);\n }\n }\n &:active,\n &.active,\n .open > .dropdown-toggle& {\n background-image: none;\n }\n &.disabled,\n &[disabled],\n fieldset[disabled] & {\n &:hover,\n &:focus,\n &.focus {\n background-color: @background;\n border-color: @border;\n }\n }\n\n .badge {\n color: @background;\n background-color: @color;\n }\n}\n\n// Button sizes\n.button-size(@padding-vertical; @padding-horizontal; @font-size; @line-height; @border-radius) {\n padding: @padding-vertical @padding-horizontal;\n font-size: @font-size;\n line-height: @line-height;\n border-radius: @border-radius;\n}\n","// Opacity\n\n.opacity(@opacity) {\n opacity: @opacity;\n // IE8 filter\n @opacity-ie: (@opacity * 100);\n filter: 
~\"alpha(opacity=@{opacity-ie})\";\n}\n","//\n// Component animations\n// --------------------------------------------------\n\n// Heads up!\n//\n// We don't use the `.opacity()` mixin here since it causes a bug with text\n// fields in IE7-8. Source: https://github.com/twbs/bootstrap/pull/3552.\n\n.fade {\n opacity: 0;\n .transition(opacity .15s linear);\n &.in {\n opacity: 1;\n }\n}\n\n.collapse {\n display: none;\n\n &.in { display: block; }\n tr&.in { display: table-row; }\n tbody&.in { display: table-row-group; }\n}\n\n.collapsing {\n position: relative;\n height: 0;\n overflow: hidden;\n .transition-property(~\"height, visibility\");\n .transition-duration(.35s);\n .transition-timing-function(ease);\n}\n","//\n// Dropdown menus\n// --------------------------------------------------\n\n\n// Dropdown arrow/caret\n.caret {\n display: inline-block;\n width: 0;\n height: 0;\n margin-left: 2px;\n vertical-align: middle;\n border-top: @caret-width-base dashed;\n border-top: @caret-width-base solid ~\"\\9\"; // IE8\n border-right: @caret-width-base solid transparent;\n border-left: @caret-width-base solid transparent;\n}\n\n// The dropdown wrapper (div)\n.dropup,\n.dropdown {\n position: relative;\n}\n\n// Prevent the focus on the dropdown toggle when closing dropdowns\n.dropdown-toggle:focus {\n outline: 0;\n}\n\n// The dropdown menu (ul)\n.dropdown-menu {\n position: absolute;\n top: 100%;\n left: 0;\n z-index: @zindex-dropdown;\n display: none; // none by default, but block on \"open\" of the menu\n float: left;\n min-width: 160px;\n padding: 5px 0;\n margin: 2px 0 0; // override default ul\n list-style: none;\n font-size: @font-size-base;\n text-align: left; // Ensures proper alignment if parent has it changed (e.g., modal footer)\n background-color: @dropdown-bg;\n border: 1px solid @dropdown-fallback-border; // IE8 fallback\n border: 1px solid @dropdown-border;\n border-radius: @border-radius-base;\n .box-shadow(0 6px 12px rgba(0,0,0,.175));\n background-clip: 
padding-box;\n\n // Aligns the dropdown menu to right\n //\n // Deprecated as of 3.1.0 in favor of `.dropdown-menu-[dir]`\n &.pull-right {\n right: 0;\n left: auto;\n }\n\n // Dividers (basically an hr) within the dropdown\n .divider {\n .nav-divider(@dropdown-divider-bg);\n }\n\n // Links within the dropdown menu\n > li > a {\n display: block;\n padding: 3px 20px;\n clear: both;\n font-weight: normal;\n line-height: @line-height-base;\n color: @dropdown-link-color;\n white-space: nowrap; // prevent links from randomly breaking onto new lines\n }\n}\n\n// Hover/Focus state\n.dropdown-menu > li > a {\n &:hover,\n &:focus {\n text-decoration: none;\n color: @dropdown-link-hover-color;\n background-color: @dropdown-link-hover-bg;\n }\n}\n\n// Active state\n.dropdown-menu > .active > a {\n &,\n &:hover,\n &:focus {\n color: @dropdown-link-active-color;\n text-decoration: none;\n outline: 0;\n background-color: @dropdown-link-active-bg;\n }\n}\n\n// Disabled state\n//\n// Gray out text and ensure the hover/focus state remains gray\n\n.dropdown-menu > .disabled > a {\n &,\n &:hover,\n &:focus {\n color: @dropdown-link-disabled-color;\n }\n\n // Nuke hover/focus effects\n &:hover,\n &:focus {\n text-decoration: none;\n background-color: transparent;\n background-image: none; // Remove CSS gradient\n .reset-filter();\n cursor: @cursor-disabled;\n }\n}\n\n// Open state for the dropdown\n.open {\n // Show the menu\n > .dropdown-menu {\n display: block;\n }\n\n // Remove the outline when :focus is triggered\n > a {\n outline: 0;\n }\n}\n\n// Menu positioning\n//\n// Add extra class to `.dropdown-menu` to flip the alignment of the dropdown\n// menu with the parent.\n.dropdown-menu-right {\n left: auto; // Reset the default from `.dropdown-menu`\n right: 0;\n}\n// With v3, we enabled auto-flipping if you have a dropdown within a right\n// aligned nav component. 
To enable the undoing of that, we provide an override\n// to restore the default dropdown menu alignment.\n//\n// This is only for left-aligning a dropdown menu within a `.navbar-right` or\n// `.pull-right` nav component.\n.dropdown-menu-left {\n left: 0;\n right: auto;\n}\n\n// Dropdown section headers\n.dropdown-header {\n display: block;\n padding: 3px 20px;\n font-size: @font-size-small;\n line-height: @line-height-base;\n color: @dropdown-header-color;\n white-space: nowrap; // as with > li > a\n}\n\n// Backdrop to catch body clicks on mobile, etc.\n.dropdown-backdrop {\n position: fixed;\n left: 0;\n right: 0;\n bottom: 0;\n top: 0;\n z-index: (@zindex-dropdown - 10);\n}\n\n// Right aligned dropdowns\n.pull-right > .dropdown-menu {\n right: 0;\n left: auto;\n}\n\n// Allow for dropdowns to go bottom up (aka, dropup-menu)\n//\n// Just add .dropup after the standard .dropdown class and you're set, bro.\n// TODO: abstract this so that the navbar fixed styles are not placed here?\n\n.dropup,\n.navbar-fixed-bottom .dropdown {\n // Reverse the caret\n .caret {\n border-top: 0;\n border-bottom: @caret-width-base dashed;\n border-bottom: @caret-width-base solid ~\"\\9\"; // IE8\n content: \"\";\n }\n // Different positioning for bottom up menu\n .dropdown-menu {\n top: auto;\n bottom: 100%;\n margin-bottom: 2px;\n }\n}\n\n\n// Component alignment\n//\n// Reiterate per navbar.less and the modified component alignment there.\n\n@media (min-width: @grid-float-breakpoint) {\n .navbar-right {\n .dropdown-menu {\n .dropdown-menu-right();\n }\n // Necessary for overrides of the default right aligned menu.\n // Will remove come v4 in all likelihood.\n .dropdown-menu-left {\n .dropdown-menu-left();\n }\n }\n}\n","// Horizontal dividers\n//\n// Dividers (basically an hr) within dropdowns and nav lists\n\n.nav-divider(@color: #e5e5e5) {\n height: 1px;\n margin: ((@line-height-computed / 2) - 1) 0;\n overflow: hidden;\n background-color: @color;\n}\n","// Reset filters for 
IE\n//\n// When you need to remove a gradient background, do not forget to use this to reset\n// the IE filter for IE9 and below.\n\n.reset-filter() {\n filter: e(%(\"progid:DXImageTransform.Microsoft.gradient(enabled = false)\"));\n}\n","//\n// Button groups\n// --------------------------------------------------\n\n// Make the div behave like a button\n.btn-group,\n.btn-group-vertical {\n position: relative;\n display: inline-block;\n vertical-align: middle; // match .btn alignment given font-size hack above\n > .btn {\n position: relative;\n float: left;\n // Bring the \"active\" button to the front\n &:hover,\n &:focus,\n &:active,\n &.active {\n z-index: 2;\n }\n }\n}\n\n// Prevent double borders when buttons are next to each other\n.btn-group {\n .btn + .btn,\n .btn + .btn-group,\n .btn-group + .btn,\n .btn-group + .btn-group {\n margin-left: -1px;\n }\n}\n\n// Optional: Group multiple button groups together for a toolbar\n.btn-toolbar {\n margin-left: -5px; // Offset the first child's margin\n &:extend(.clearfix all);\n\n .btn,\n .btn-group,\n .input-group {\n float: left;\n }\n > .btn,\n > .btn-group,\n > .input-group {\n margin-left: 5px;\n }\n}\n\n.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {\n border-radius: 0;\n}\n\n// Set corners individual because sometimes a single button can be in a .btn-group and we need :first-child and :last-child to both match\n.btn-group > .btn:first-child {\n margin-left: 0;\n &:not(:last-child):not(.dropdown-toggle) {\n .border-right-radius(0);\n }\n}\n// Need .dropdown-toggle since :last-child doesn't apply, given that a .dropdown-menu is used immediately after it\n.btn-group > .btn:last-child:not(:first-child),\n.btn-group > .dropdown-toggle:not(:first-child) {\n .border-left-radius(0);\n}\n\n// Custom edits for including btn-groups within btn-groups (useful for including dropdown buttons within a btn-group)\n.btn-group > .btn-group {\n float: left;\n}\n.btn-group > 
.btn-group:not(:first-child):not(:last-child) > .btn {\n border-radius: 0;\n}\n.btn-group > .btn-group:first-child:not(:last-child) {\n > .btn:last-child,\n > .dropdown-toggle {\n .border-right-radius(0);\n }\n}\n.btn-group > .btn-group:last-child:not(:first-child) > .btn:first-child {\n .border-left-radius(0);\n}\n\n// On active and open, don't show outline\n.btn-group .dropdown-toggle:active,\n.btn-group.open .dropdown-toggle {\n outline: 0;\n}\n\n\n// Sizing\n//\n// Remix the default button sizing classes into new ones for easier manipulation.\n\n.btn-group-xs > .btn { &:extend(.btn-xs); }\n.btn-group-sm > .btn { &:extend(.btn-sm); }\n.btn-group-lg > .btn { &:extend(.btn-lg); }\n\n\n// Split button dropdowns\n// ----------------------\n\n// Give the line between buttons some depth\n.btn-group > .btn + .dropdown-toggle {\n padding-left: 8px;\n padding-right: 8px;\n}\n.btn-group > .btn-lg + .dropdown-toggle {\n padding-left: 12px;\n padding-right: 12px;\n}\n\n// The clickable button for toggling the menu\n// Remove the gradient and set the same inset shadow as the :active state\n.btn-group.open .dropdown-toggle {\n .box-shadow(inset 0 3px 5px rgba(0,0,0,.125));\n\n // Show no shadow for `.btn-link` since it has no other button styles.\n &.btn-link {\n .box-shadow(none);\n }\n}\n\n\n// Reposition the caret\n.btn .caret {\n margin-left: 0;\n}\n// Carets in other button sizes\n.btn-lg .caret {\n border-width: @caret-width-large @caret-width-large 0;\n border-bottom-width: 0;\n}\n// Upside down carets for .dropup\n.dropup .btn-lg .caret {\n border-width: 0 @caret-width-large @caret-width-large;\n}\n\n\n// Vertical button groups\n// ----------------------\n\n.btn-group-vertical {\n > .btn,\n > .btn-group,\n > .btn-group > .btn {\n display: block;\n float: none;\n width: 100%;\n max-width: 100%;\n }\n\n // Clear floats so dropdown menus can be properly placed\n > .btn-group {\n &:extend(.clearfix all);\n > .btn {\n float: none;\n }\n }\n\n > .btn + .btn,\n > .btn + 
.btn-group,\n > .btn-group + .btn,\n > .btn-group + .btn-group {\n margin-top: -1px;\n margin-left: 0;\n }\n}\n\n.btn-group-vertical > .btn {\n &:not(:first-child):not(:last-child) {\n border-radius: 0;\n }\n &:first-child:not(:last-child) {\n .border-top-radius(@btn-border-radius-base);\n .border-bottom-radius(0);\n }\n &:last-child:not(:first-child) {\n .border-top-radius(0);\n .border-bottom-radius(@btn-border-radius-base);\n }\n}\n.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {\n border-radius: 0;\n}\n.btn-group-vertical > .btn-group:first-child:not(:last-child) {\n > .btn:last-child,\n > .dropdown-toggle {\n .border-bottom-radius(0);\n }\n}\n.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {\n .border-top-radius(0);\n}\n\n\n// Justified button groups\n// ----------------------\n\n.btn-group-justified {\n display: table;\n width: 100%;\n table-layout: fixed;\n border-collapse: separate;\n > .btn,\n > .btn-group {\n float: none;\n display: table-cell;\n width: 1%;\n }\n > .btn-group .btn {\n width: 100%;\n }\n\n > .btn-group .dropdown-menu {\n left: auto;\n }\n}\n\n\n// Checkbox and radio options\n//\n// In order to support the browser's form validation feedback, powered by the\n// `required` attribute, we have to \"hide\" the inputs via `clip`. 
We cannot use\n// `display: none;` or `visibility: hidden;` as that also hides the popover.\n// Simply visually hiding the inputs via `opacity` would leave them clickable in\n// certain cases which is prevented by using `clip` and `pointer-events`.\n// This way, we ensure a DOM element is visible to position the popover from.\n//\n// See https://github.com/twbs/bootstrap/pull/12794 and\n// https://github.com/twbs/bootstrap/pull/14559 for more information.\n\n[data-toggle=\"buttons\"] {\n > .btn,\n > .btn-group > .btn {\n input[type=\"radio\"],\n input[type=\"checkbox\"] {\n position: absolute;\n clip: rect(0,0,0,0);\n pointer-events: none;\n }\n }\n}\n","// Single side border-radius\n\n.border-top-radius(@radius) {\n border-top-right-radius: @radius;\n border-top-left-radius: @radius;\n}\n.border-right-radius(@radius) {\n border-bottom-right-radius: @radius;\n border-top-right-radius: @radius;\n}\n.border-bottom-radius(@radius) {\n border-bottom-right-radius: @radius;\n border-bottom-left-radius: @radius;\n}\n.border-left-radius(@radius) {\n border-bottom-left-radius: @radius;\n border-top-left-radius: @radius;\n}\n","//\n// Input groups\n// --------------------------------------------------\n\n// Base styles\n// -------------------------\n.input-group {\n position: relative; // For dropdowns\n display: table;\n border-collapse: separate; // prevent input groups from inheriting border styles from table cells when placed within a table\n\n // Undo padding and float of grid classes\n &[class*=\"col-\"] {\n float: none;\n padding-left: 0;\n padding-right: 0;\n }\n\n .form-control {\n // Ensure that the input is always above the *appended* addon button for\n // proper border colors.\n position: relative;\n z-index: 2;\n\n // IE9 fubars the placeholder attribute in text inputs and the arrows on\n // select elements in input groups. To fix it, we float the input. 
Details:\n // https://github.com/twbs/bootstrap/issues/11561#issuecomment-28936855\n float: left;\n\n width: 100%;\n margin-bottom: 0;\n\n &:focus {\n z-index: 3;\n }\n }\n}\n\n// Sizing options\n//\n// Remix the default form control sizing classes into new ones for easier\n// manipulation.\n\n.input-group-lg > .form-control,\n.input-group-lg > .input-group-addon,\n.input-group-lg > .input-group-btn > .btn {\n .input-lg();\n}\n.input-group-sm > .form-control,\n.input-group-sm > .input-group-addon,\n.input-group-sm > .input-group-btn > .btn {\n .input-sm();\n}\n\n\n// Display as table-cell\n// -------------------------\n.input-group-addon,\n.input-group-btn,\n.input-group .form-control {\n display: table-cell;\n\n &:not(:first-child):not(:last-child) {\n border-radius: 0;\n }\n}\n// Addon and addon wrapper for buttons\n.input-group-addon,\n.input-group-btn {\n width: 1%;\n white-space: nowrap;\n vertical-align: middle; // Match the inputs\n}\n\n// Text input groups\n// -------------------------\n.input-group-addon {\n padding: @padding-base-vertical @padding-base-horizontal;\n font-size: @font-size-base;\n font-weight: normal;\n line-height: 1;\n color: @input-color;\n text-align: center;\n background-color: @input-group-addon-bg;\n border: 1px solid @input-group-addon-border-color;\n border-radius: @input-border-radius;\n\n // Sizing\n &.input-sm {\n padding: @padding-small-vertical @padding-small-horizontal;\n font-size: @font-size-small;\n border-radius: @input-border-radius-small;\n }\n &.input-lg {\n padding: @padding-large-vertical @padding-large-horizontal;\n font-size: @font-size-large;\n border-radius: @input-border-radius-large;\n }\n\n // Nuke default margins from checkboxes and radios to vertically center within.\n input[type=\"radio\"],\n input[type=\"checkbox\"] {\n margin-top: 0;\n }\n}\n\n// Reset rounded corners\n.input-group .form-control:first-child,\n.input-group-addon:first-child,\n.input-group-btn:first-child > 
.btn,\n.input-group-btn:first-child > .btn-group > .btn,\n.input-group-btn:first-child > .dropdown-toggle,\n.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),\n.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {\n .border-right-radius(0);\n}\n.input-group-addon:first-child {\n border-right: 0;\n}\n.input-group .form-control:last-child,\n.input-group-addon:last-child,\n.input-group-btn:last-child > .btn,\n.input-group-btn:last-child > .btn-group > .btn,\n.input-group-btn:last-child > .dropdown-toggle,\n.input-group-btn:first-child > .btn:not(:first-child),\n.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {\n .border-left-radius(0);\n}\n.input-group-addon:last-child {\n border-left: 0;\n}\n\n// Button input groups\n// -------------------------\n.input-group-btn {\n position: relative;\n // Jankily prevent input button groups from wrapping with `white-space` and\n // `font-size` in combination with `inline-block` on buttons.\n font-size: 0;\n white-space: nowrap;\n\n // Negative margin for spacing, position for bringing hovered/focused/actived\n // element above the siblings.\n > .btn {\n position: relative;\n + .btn {\n margin-left: -1px;\n }\n // Bring the \"active\" button to the front\n &:hover,\n &:focus,\n &:active {\n z-index: 2;\n }\n }\n\n // Negative margin to only have a 1px border between the two\n &:first-child {\n > .btn,\n > .btn-group {\n margin-right: -1px;\n }\n }\n &:last-child {\n > .btn,\n > .btn-group {\n z-index: 2;\n margin-left: -1px;\n }\n }\n}\n","//\n// Navs\n// --------------------------------------------------\n\n\n// Base class\n// --------------------------------------------------\n\n.nav {\n margin-bottom: 0;\n padding-left: 0; // Override default ul/ol\n list-style: none;\n &:extend(.clearfix all);\n\n > li {\n position: relative;\n display: block;\n\n > a {\n position: relative;\n display: block;\n padding: @nav-link-padding;\n &:hover,\n &:focus {\n text-decoration: none;\n 
background-color: @nav-link-hover-bg;\n }\n }\n\n // Disabled state sets text to gray and nukes hover/tab effects\n &.disabled > a {\n color: @nav-disabled-link-color;\n\n &:hover,\n &:focus {\n color: @nav-disabled-link-hover-color;\n text-decoration: none;\n background-color: transparent;\n cursor: @cursor-disabled;\n }\n }\n }\n\n // Open dropdowns\n .open > a {\n &,\n &:hover,\n &:focus {\n background-color: @nav-link-hover-bg;\n border-color: @link-color;\n }\n }\n\n // Nav dividers (deprecated with v3.0.1)\n //\n // This should have been removed in v3 with the dropping of `.nav-list`, but\n // we missed it. We don't currently support this anywhere, but in the interest\n // of maintaining backward compatibility in case you use it, it's deprecated.\n .nav-divider {\n .nav-divider();\n }\n\n // Prevent IE8 from misplacing imgs\n //\n // See https://github.com/h5bp/html5-boilerplate/issues/984#issuecomment-3985989\n > li > a > img {\n max-width: none;\n }\n}\n\n\n// Tabs\n// -------------------------\n\n// Give the tabs something to sit on\n.nav-tabs {\n border-bottom: 1px solid @nav-tabs-border-color;\n > li {\n float: left;\n // Make the list-items overlay the bottom border\n margin-bottom: -1px;\n\n // Actual tabs (as links)\n > a {\n margin-right: 2px;\n line-height: @line-height-base;\n border: 1px solid transparent;\n border-radius: @border-radius-base @border-radius-base 0 0;\n &:hover {\n border-color: @nav-tabs-link-hover-border-color @nav-tabs-link-hover-border-color @nav-tabs-border-color;\n }\n }\n\n // Active state, and its :hover to override normal :hover\n &.active > a {\n &,\n &:hover,\n &:focus {\n color: @nav-tabs-active-link-hover-color;\n background-color: @nav-tabs-active-link-hover-bg;\n border: 1px solid @nav-tabs-active-link-hover-border-color;\n border-bottom-color: transparent;\n cursor: default;\n }\n }\n }\n // pulling this in mainly for less shorthand\n &.nav-justified {\n .nav-justified();\n .nav-tabs-justified();\n }\n}\n\n\n// 
Pills\n// -------------------------\n.nav-pills {\n > li {\n float: left;\n\n // Links rendered as pills\n > a {\n border-radius: @nav-pills-border-radius;\n }\n + li {\n margin-left: 2px;\n }\n\n // Active state\n &.active > a {\n &,\n &:hover,\n &:focus {\n color: @nav-pills-active-link-hover-color;\n background-color: @nav-pills-active-link-hover-bg;\n }\n }\n }\n}\n\n\n// Stacked pills\n.nav-stacked {\n > li {\n float: none;\n + li {\n margin-top: 2px;\n margin-left: 0; // no need for this gap between nav items\n }\n }\n}\n\n\n// Nav variations\n// --------------------------------------------------\n\n// Justified nav links\n// -------------------------\n\n.nav-justified {\n width: 100%;\n\n > li {\n float: none;\n > a {\n text-align: center;\n margin-bottom: 5px;\n }\n }\n\n > .dropdown .dropdown-menu {\n top: auto;\n left: auto;\n }\n\n @media (min-width: @screen-sm-min) {\n > li {\n display: table-cell;\n width: 1%;\n > a {\n margin-bottom: 0;\n }\n }\n }\n}\n\n// Move borders to anchors instead of bottom of list\n//\n// Mixin for adding on top the shared `.nav-justified` styles for our tabs\n.nav-tabs-justified {\n border-bottom: 0;\n\n > li > a {\n // Override margin from .nav-tabs\n margin-right: 0;\n border-radius: @border-radius-base;\n }\n\n > .active > a,\n > .active > a:hover,\n > .active > a:focus {\n border: 1px solid @nav-tabs-justified-link-border-color;\n }\n\n @media (min-width: @screen-sm-min) {\n > li > a {\n border-bottom: 1px solid @nav-tabs-justified-link-border-color;\n border-radius: @border-radius-base @border-radius-base 0 0;\n }\n > .active > a,\n > .active > a:hover,\n > .active > a:focus {\n border-bottom-color: @nav-tabs-justified-active-link-border-color;\n }\n }\n}\n\n\n// Tabbable tabs\n// -------------------------\n\n// Hide tabbable panes to start, show them when `.active`\n.tab-content {\n > .tab-pane {\n display: none;\n }\n > .active {\n display: block;\n }\n}\n\n\n// Dropdowns\n// -------------------------\n\n// Specific 
dropdowns\n.nav-tabs .dropdown-menu {\n // make dropdown border overlap tab border\n margin-top: -1px;\n // Remove the top rounded corners here since there is a hard edge above the menu\n .border-top-radius(0);\n}\n","//\n// Navbars\n// --------------------------------------------------\n\n\n// Wrapper and base class\n//\n// Provide a static navbar from which we expand to create full-width, fixed, and\n// other navbar variations.\n\n.navbar {\n position: relative;\n min-height: @navbar-height; // Ensure a navbar always shows (e.g., without a .navbar-brand in collapsed mode)\n margin-bottom: @navbar-margin-bottom;\n border: 1px solid transparent;\n\n // Prevent floats from breaking the navbar\n &:extend(.clearfix all);\n\n @media (min-width: @grid-float-breakpoint) {\n border-radius: @navbar-border-radius;\n }\n}\n\n\n// Navbar heading\n//\n// Groups `.navbar-brand` and `.navbar-toggle` into a single component for easy\n// styling of responsive aspects.\n\n.navbar-header {\n &:extend(.clearfix all);\n\n @media (min-width: @grid-float-breakpoint) {\n float: left;\n }\n}\n\n\n// Navbar collapse (body)\n//\n// Group your navbar content into this for easy collapsing and expanding across\n// various device sizes. 
By default, this content is collapsed when <768px, but\n// will expand past that for a horizontal display.\n//\n// To start (on mobile devices) the navbar links, forms, and buttons are stacked\n// vertically and include a `max-height` to overflow in case you have too much\n// content for the user's viewport.\n\n.navbar-collapse {\n overflow-x: visible;\n padding-right: @navbar-padding-horizontal;\n padding-left: @navbar-padding-horizontal;\n border-top: 1px solid transparent;\n box-shadow: inset 0 1px 0 rgba(255,255,255,.1);\n &:extend(.clearfix all);\n -webkit-overflow-scrolling: touch;\n\n &.in {\n overflow-y: auto;\n }\n\n @media (min-width: @grid-float-breakpoint) {\n width: auto;\n border-top: 0;\n box-shadow: none;\n\n &.collapse {\n display: block !important;\n height: auto !important;\n padding-bottom: 0; // Override default setting\n overflow: visible !important;\n }\n\n &.in {\n overflow-y: visible;\n }\n\n // Undo the collapse side padding for navbars with containers to ensure\n // alignment of right-aligned contents.\n .navbar-fixed-top &,\n .navbar-static-top &,\n .navbar-fixed-bottom & {\n padding-left: 0;\n padding-right: 0;\n }\n }\n}\n\n.navbar-fixed-top,\n.navbar-fixed-bottom {\n .navbar-collapse {\n max-height: @navbar-collapse-max-height;\n\n @media (max-device-width: @screen-xs-min) and (orientation: landscape) {\n max-height: 200px;\n }\n }\n}\n\n\n// Both navbar header and collapse\n//\n// When a container is present, change the behavior of the header and collapse.\n\n.container,\n.container-fluid {\n > .navbar-header,\n > .navbar-collapse {\n margin-right: -@navbar-padding-horizontal;\n margin-left: -@navbar-padding-horizontal;\n\n @media (min-width: @grid-float-breakpoint) {\n margin-right: 0;\n margin-left: 0;\n }\n }\n}\n\n\n//\n// Navbar alignment options\n//\n// Display the navbar across the entirety of the page or fixed it to the top or\n// bottom of the page.\n\n// Static top (unfixed, but 100% wide) navbar\n.navbar-static-top {\n 
z-index: @zindex-navbar;\n border-width: 0 0 1px;\n\n @media (min-width: @grid-float-breakpoint) {\n border-radius: 0;\n }\n}\n\n// Fix the top/bottom navbars when screen real estate supports it\n.navbar-fixed-top,\n.navbar-fixed-bottom {\n position: fixed;\n right: 0;\n left: 0;\n z-index: @zindex-navbar-fixed;\n\n // Undo the rounded corners\n @media (min-width: @grid-float-breakpoint) {\n border-radius: 0;\n }\n}\n.navbar-fixed-top {\n top: 0;\n border-width: 0 0 1px;\n}\n.navbar-fixed-bottom {\n bottom: 0;\n margin-bottom: 0; // override .navbar defaults\n border-width: 1px 0 0;\n}\n\n\n// Brand/project name\n\n.navbar-brand {\n float: left;\n padding: @navbar-padding-vertical @navbar-padding-horizontal;\n font-size: @font-size-large;\n line-height: @line-height-computed;\n height: @navbar-height;\n\n &:hover,\n &:focus {\n text-decoration: none;\n }\n\n > img {\n display: block;\n }\n\n @media (min-width: @grid-float-breakpoint) {\n .navbar > .container &,\n .navbar > .container-fluid & {\n margin-left: -@navbar-padding-horizontal;\n }\n }\n}\n\n\n// Navbar toggle\n//\n// Custom button for toggling the `.navbar-collapse`, powered by the collapse\n// JavaScript plugin.\n\n.navbar-toggle {\n position: relative;\n float: right;\n margin-right: @navbar-padding-horizontal;\n padding: 9px 10px;\n .navbar-vertical-align(34px);\n background-color: transparent;\n background-image: none; // Reset unusual Firefox-on-Android default style; see https://github.com/necolas/normalize.css/issues/214\n border: 1px solid transparent;\n border-radius: @border-radius-base;\n\n // We remove the `outline` here, but later compensate by attaching `:hover`\n // styles to `:focus`.\n &:focus {\n outline: 0;\n }\n\n // Bars\n .icon-bar {\n display: block;\n width: 22px;\n height: 2px;\n border-radius: 1px;\n }\n .icon-bar + .icon-bar {\n margin-top: 4px;\n }\n\n @media (min-width: @grid-float-breakpoint) {\n display: none;\n }\n}\n\n\n// Navbar nav links\n//\n// Builds on top of the 
`.nav` components with its own modifier class to make\n// the nav the full height of the horizontal nav (above 768px).\n\n.navbar-nav {\n margin: (@navbar-padding-vertical / 2) -@navbar-padding-horizontal;\n\n > li > a {\n padding-top: 10px;\n padding-bottom: 10px;\n line-height: @line-height-computed;\n }\n\n @media (max-width: @grid-float-breakpoint-max) {\n // Dropdowns get custom display when collapsed\n .open .dropdown-menu {\n position: static;\n float: none;\n width: auto;\n margin-top: 0;\n background-color: transparent;\n border: 0;\n box-shadow: none;\n > li > a,\n .dropdown-header {\n padding: 5px 15px 5px 25px;\n }\n > li > a {\n line-height: @line-height-computed;\n &:hover,\n &:focus {\n background-image: none;\n }\n }\n }\n }\n\n // Uncollapse the nav\n @media (min-width: @grid-float-breakpoint) {\n float: left;\n margin: 0;\n\n > li {\n float: left;\n > a {\n padding-top: @navbar-padding-vertical;\n padding-bottom: @navbar-padding-vertical;\n }\n }\n }\n}\n\n\n// Navbar form\n//\n// Extension of the `.form-inline` with some extra flavor for optimum display in\n// our navbars.\n\n.navbar-form {\n margin-left: -@navbar-padding-horizontal;\n margin-right: -@navbar-padding-horizontal;\n padding: 10px @navbar-padding-horizontal;\n border-top: 1px solid transparent;\n border-bottom: 1px solid transparent;\n @shadow: inset 0 1px 0 rgba(255,255,255,.1), 0 1px 0 rgba(255,255,255,.1);\n .box-shadow(@shadow);\n\n // Mixin behavior for optimum display\n .form-inline();\n\n .form-group {\n @media (max-width: @grid-float-breakpoint-max) {\n margin-bottom: 5px;\n\n &:last-child {\n margin-bottom: 0;\n }\n }\n }\n\n // Vertically center in expanded, horizontal navbar\n .navbar-vertical-align(@input-height-base);\n\n // Undo 100% width for pull classes\n @media (min-width: @grid-float-breakpoint) {\n width: auto;\n border: 0;\n margin-left: 0;\n margin-right: 0;\n padding-top: 0;\n padding-bottom: 0;\n .box-shadow(none);\n }\n}\n\n\n// Dropdown menus\n\n// Menu 
position and menu carets\n.navbar-nav > li > .dropdown-menu {\n margin-top: 0;\n .border-top-radius(0);\n}\n// Menu position and menu caret support for dropups via extra dropup class\n.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {\n margin-bottom: 0;\n .border-top-radius(@navbar-border-radius);\n .border-bottom-radius(0);\n}\n\n\n// Buttons in navbars\n//\n// Vertically center a button within a navbar (when *not* in a form).\n\n.navbar-btn {\n .navbar-vertical-align(@input-height-base);\n\n &.btn-sm {\n .navbar-vertical-align(@input-height-small);\n }\n &.btn-xs {\n .navbar-vertical-align(22);\n }\n}\n\n\n// Text in navbars\n//\n// Add a class to make any element properly align itself vertically within the navbars.\n\n.navbar-text {\n .navbar-vertical-align(@line-height-computed);\n\n @media (min-width: @grid-float-breakpoint) {\n float: left;\n margin-left: @navbar-padding-horizontal;\n margin-right: @navbar-padding-horizontal;\n }\n}\n\n\n// Component alignment\n//\n// Repurpose the pull utilities as their own navbar utilities to avoid specificity\n// issues with parents and chaining. 
Only do this when the navbar is uncollapsed\n// though so that navbar contents properly stack and align in mobile.\n//\n// Declared after the navbar components to ensure more specificity on the margins.\n\n@media (min-width: @grid-float-breakpoint) {\n .navbar-left { .pull-left(); }\n .navbar-right {\n .pull-right();\n margin-right: -@navbar-padding-horizontal;\n\n ~ .navbar-right {\n margin-right: 0;\n }\n }\n}\n\n\n// Alternate navbars\n// --------------------------------------------------\n\n// Default navbar\n.navbar-default {\n background-color: @navbar-default-bg;\n border-color: @navbar-default-border;\n\n .navbar-brand {\n color: @navbar-default-brand-color;\n &:hover,\n &:focus {\n color: @navbar-default-brand-hover-color;\n background-color: @navbar-default-brand-hover-bg;\n }\n }\n\n .navbar-text {\n color: @navbar-default-color;\n }\n\n .navbar-nav {\n > li > a {\n color: @navbar-default-link-color;\n\n &:hover,\n &:focus {\n color: @navbar-default-link-hover-color;\n background-color: @navbar-default-link-hover-bg;\n }\n }\n > .active > a {\n &,\n &:hover,\n &:focus {\n color: @navbar-default-link-active-color;\n background-color: @navbar-default-link-active-bg;\n }\n }\n > .disabled > a {\n &,\n &:hover,\n &:focus {\n color: @navbar-default-link-disabled-color;\n background-color: @navbar-default-link-disabled-bg;\n }\n }\n }\n\n .navbar-toggle {\n border-color: @navbar-default-toggle-border-color;\n &:hover,\n &:focus {\n background-color: @navbar-default-toggle-hover-bg;\n }\n .icon-bar {\n background-color: @navbar-default-toggle-icon-bar-bg;\n }\n }\n\n .navbar-collapse,\n .navbar-form {\n border-color: @navbar-default-border;\n }\n\n // Dropdown menu items\n .navbar-nav {\n // Remove background color from open dropdown\n > .open > a {\n &,\n &:hover,\n &:focus {\n background-color: @navbar-default-link-active-bg;\n color: @navbar-default-link-active-color;\n }\n }\n\n @media (max-width: @grid-float-breakpoint-max) {\n // Dropdowns get custom 
display when collapsed\n .open .dropdown-menu {\n > li > a {\n color: @navbar-default-link-color;\n &:hover,\n &:focus {\n color: @navbar-default-link-hover-color;\n background-color: @navbar-default-link-hover-bg;\n }\n }\n > .active > a {\n &,\n &:hover,\n &:focus {\n color: @navbar-default-link-active-color;\n background-color: @navbar-default-link-active-bg;\n }\n }\n > .disabled > a {\n &,\n &:hover,\n &:focus {\n color: @navbar-default-link-disabled-color;\n background-color: @navbar-default-link-disabled-bg;\n }\n }\n }\n }\n }\n\n\n // Links in navbars\n //\n // Add a class to ensure links outside the navbar nav are colored correctly.\n\n .navbar-link {\n color: @navbar-default-link-color;\n &:hover {\n color: @navbar-default-link-hover-color;\n }\n }\n\n .btn-link {\n color: @navbar-default-link-color;\n &:hover,\n &:focus {\n color: @navbar-default-link-hover-color;\n }\n &[disabled],\n fieldset[disabled] & {\n &:hover,\n &:focus {\n color: @navbar-default-link-disabled-color;\n }\n }\n }\n}\n\n// Inverse navbar\n\n.navbar-inverse {\n background-color: @navbar-inverse-bg;\n border-color: @navbar-inverse-border;\n\n .navbar-brand {\n color: @navbar-inverse-brand-color;\n &:hover,\n &:focus {\n color: @navbar-inverse-brand-hover-color;\n background-color: @navbar-inverse-brand-hover-bg;\n }\n }\n\n .navbar-text {\n color: @navbar-inverse-color;\n }\n\n .navbar-nav {\n > li > a {\n color: @navbar-inverse-link-color;\n\n &:hover,\n &:focus {\n color: @navbar-inverse-link-hover-color;\n background-color: @navbar-inverse-link-hover-bg;\n }\n }\n > .active > a {\n &,\n &:hover,\n &:focus {\n color: @navbar-inverse-link-active-color;\n background-color: @navbar-inverse-link-active-bg;\n }\n }\n > .disabled > a {\n &,\n &:hover,\n &:focus {\n color: @navbar-inverse-link-disabled-color;\n background-color: @navbar-inverse-link-disabled-bg;\n }\n }\n }\n\n // Darken the responsive nav toggle\n .navbar-toggle {\n border-color: @navbar-inverse-toggle-border-color;\n 
&:hover,\n &:focus {\n background-color: @navbar-inverse-toggle-hover-bg;\n }\n .icon-bar {\n background-color: @navbar-inverse-toggle-icon-bar-bg;\n }\n }\n\n .navbar-collapse,\n .navbar-form {\n border-color: darken(@navbar-inverse-bg, 7%);\n }\n\n // Dropdowns\n .navbar-nav {\n > .open > a {\n &,\n &:hover,\n &:focus {\n background-color: @navbar-inverse-link-active-bg;\n color: @navbar-inverse-link-active-color;\n }\n }\n\n @media (max-width: @grid-float-breakpoint-max) {\n // Dropdowns get custom display\n .open .dropdown-menu {\n > .dropdown-header {\n border-color: @navbar-inverse-border;\n }\n .divider {\n background-color: @navbar-inverse-border;\n }\n > li > a {\n color: @navbar-inverse-link-color;\n &:hover,\n &:focus {\n color: @navbar-inverse-link-hover-color;\n background-color: @navbar-inverse-link-hover-bg;\n }\n }\n > .active > a {\n &,\n &:hover,\n &:focus {\n color: @navbar-inverse-link-active-color;\n background-color: @navbar-inverse-link-active-bg;\n }\n }\n > .disabled > a {\n &,\n &:hover,\n &:focus {\n color: @navbar-inverse-link-disabled-color;\n background-color: @navbar-inverse-link-disabled-bg;\n }\n }\n }\n }\n }\n\n .navbar-link {\n color: @navbar-inverse-link-color;\n &:hover {\n color: @navbar-inverse-link-hover-color;\n }\n }\n\n .btn-link {\n color: @navbar-inverse-link-color;\n &:hover,\n &:focus {\n color: @navbar-inverse-link-hover-color;\n }\n &[disabled],\n fieldset[disabled] & {\n &:hover,\n &:focus {\n color: @navbar-inverse-link-disabled-color;\n }\n }\n }\n}\n","// Navbar vertical align\n//\n// Vertically center elements in the navbar.\n// Example: an element has a height of 30px, so write out `.navbar-vertical-align(30px);` to calculate the appropriate top margin.\n\n.navbar-vertical-align(@element-height) {\n margin-top: ((@navbar-height - @element-height) / 2);\n margin-bottom: ((@navbar-height - @element-height) / 2);\n}\n","//\n// Utility classes\n// --------------------------------------------------\n\n\n// 
Floats\n// -------------------------\n\n.clearfix {\n .clearfix();\n}\n.center-block {\n .center-block();\n}\n.pull-right {\n float: right !important;\n}\n.pull-left {\n float: left !important;\n}\n\n\n// Toggling content\n// -------------------------\n\n// Note: Deprecated .hide in favor of .hidden or .sr-only (as appropriate) in v3.0.1\n.hide {\n display: none !important;\n}\n.show {\n display: block !important;\n}\n.invisible {\n visibility: hidden;\n}\n.text-hide {\n .text-hide();\n}\n\n\n// Hide from screenreaders and browsers\n//\n// Credit: HTML5 Boilerplate\n\n.hidden {\n display: none !important;\n}\n\n\n// For Affix plugin\n// -------------------------\n\n.affix {\n position: fixed;\n}\n","//\n// Breadcrumbs\n// --------------------------------------------------\n\n\n.breadcrumb {\n padding: @breadcrumb-padding-vertical @breadcrumb-padding-horizontal;\n margin-bottom: @line-height-computed;\n list-style: none;\n background-color: @breadcrumb-bg;\n border-radius: @border-radius-base;\n\n > li {\n display: inline-block;\n\n + li:before {\n content: \"@{breadcrumb-separator}\\00a0\"; // Unicode space added since inline-block means non-collapsing white-space\n padding: 0 5px;\n color: @breadcrumb-color;\n }\n }\n\n > .active {\n color: @breadcrumb-active-color;\n }\n}\n","//\n// Pagination (multiple pages)\n// --------------------------------------------------\n.pagination {\n display: inline-block;\n padding-left: 0;\n margin: @line-height-computed 0;\n border-radius: @border-radius-base;\n\n > li {\n display: inline; // Remove list-style and block-level defaults\n > a,\n > span {\n position: relative;\n float: left; // Collapse white-space\n padding: @padding-base-vertical @padding-base-horizontal;\n line-height: @line-height-base;\n text-decoration: none;\n color: @pagination-color;\n background-color: @pagination-bg;\n border: 1px solid @pagination-border;\n margin-left: -1px;\n }\n &:first-child {\n > a,\n > span {\n margin-left: 0;\n 
.border-left-radius(@border-radius-base);\n }\n }\n &:last-child {\n > a,\n > span {\n .border-right-radius(@border-radius-base);\n }\n }\n }\n\n > li > a,\n > li > span {\n &:hover,\n &:focus {\n z-index: 2;\n color: @pagination-hover-color;\n background-color: @pagination-hover-bg;\n border-color: @pagination-hover-border;\n }\n }\n\n > .active > a,\n > .active > span {\n &,\n &:hover,\n &:focus {\n z-index: 3;\n color: @pagination-active-color;\n background-color: @pagination-active-bg;\n border-color: @pagination-active-border;\n cursor: default;\n }\n }\n\n > .disabled {\n > span,\n > span:hover,\n > span:focus,\n > a,\n > a:hover,\n > a:focus {\n color: @pagination-disabled-color;\n background-color: @pagination-disabled-bg;\n border-color: @pagination-disabled-border;\n cursor: @cursor-disabled;\n }\n }\n}\n\n// Sizing\n// --------------------------------------------------\n\n// Large\n.pagination-lg {\n .pagination-size(@padding-large-vertical; @padding-large-horizontal; @font-size-large; @line-height-large; @border-radius-large);\n}\n\n// Small\n.pagination-sm {\n .pagination-size(@padding-small-vertical; @padding-small-horizontal; @font-size-small; @line-height-small; @border-radius-small);\n}\n","// Pagination\n\n.pagination-size(@padding-vertical; @padding-horizontal; @font-size; @line-height; @border-radius) {\n > li {\n > a,\n > span {\n padding: @padding-vertical @padding-horizontal;\n font-size: @font-size;\n line-height: @line-height;\n }\n &:first-child {\n > a,\n > span {\n .border-left-radius(@border-radius);\n }\n }\n &:last-child {\n > a,\n > span {\n .border-right-radius(@border-radius);\n }\n }\n }\n}\n","//\n// Pager pagination\n// --------------------------------------------------\n\n\n.pager {\n padding-left: 0;\n margin: @line-height-computed 0;\n list-style: none;\n text-align: center;\n &:extend(.clearfix all);\n li {\n display: inline;\n > a,\n > span {\n display: inline-block;\n padding: 5px 14px;\n background-color: @pager-bg;\n 
border: 1px solid @pager-border;\n border-radius: @pager-border-radius;\n }\n\n > a:hover,\n > a:focus {\n text-decoration: none;\n background-color: @pager-hover-bg;\n }\n }\n\n .next {\n > a,\n > span {\n float: right;\n }\n }\n\n .previous {\n > a,\n > span {\n float: left;\n }\n }\n\n .disabled {\n > a,\n > a:hover,\n > a:focus,\n > span {\n color: @pager-disabled-color;\n background-color: @pager-bg;\n cursor: @cursor-disabled;\n }\n }\n}\n","//\n// Labels\n// --------------------------------------------------\n\n.label {\n display: inline;\n padding: .2em .6em .3em;\n font-size: 75%;\n font-weight: bold;\n line-height: 1;\n color: @label-color;\n text-align: center;\n white-space: nowrap;\n vertical-align: baseline;\n border-radius: .25em;\n\n // Add hover effects, but only for links\n a& {\n &:hover,\n &:focus {\n color: @label-link-hover-color;\n text-decoration: none;\n cursor: pointer;\n }\n }\n\n // Empty labels collapse automatically (not available in IE8)\n &:empty {\n display: none;\n }\n\n // Quick fix for labels in buttons\n .btn & {\n position: relative;\n top: -1px;\n }\n}\n\n// Colors\n// Contextual variations (linked labels get darker on :hover)\n\n.label-default {\n .label-variant(@label-default-bg);\n}\n\n.label-primary {\n .label-variant(@label-primary-bg);\n}\n\n.label-success {\n .label-variant(@label-success-bg);\n}\n\n.label-info {\n .label-variant(@label-info-bg);\n}\n\n.label-warning {\n .label-variant(@label-warning-bg);\n}\n\n.label-danger {\n .label-variant(@label-danger-bg);\n}\n","// Labels\n\n.label-variant(@color) {\n background-color: @color;\n\n &[href] {\n &:hover,\n &:focus {\n background-color: darken(@color, 10%);\n }\n }\n}\n","//\n// Badges\n// --------------------------------------------------\n\n\n// Base class\n.badge {\n display: inline-block;\n min-width: 10px;\n padding: 3px 7px;\n font-size: @font-size-small;\n font-weight: @badge-font-weight;\n color: @badge-color;\n line-height: @badge-line-height;\n 
vertical-align: middle;\n white-space: nowrap;\n text-align: center;\n background-color: @badge-bg;\n border-radius: @badge-border-radius;\n\n // Empty badges collapse automatically (not available in IE8)\n &:empty {\n display: none;\n }\n\n // Quick fix for badges in buttons\n .btn & {\n position: relative;\n top: -1px;\n }\n\n .btn-xs &,\n .btn-group-xs > .btn & {\n top: 0;\n padding: 1px 5px;\n }\n\n // Hover state, but only for links\n a& {\n &:hover,\n &:focus {\n color: @badge-link-hover-color;\n text-decoration: none;\n cursor: pointer;\n }\n }\n\n // Account for badges in navs\n .list-group-item.active > &,\n .nav-pills > .active > a > & {\n color: @badge-active-color;\n background-color: @badge-active-bg;\n }\n\n .list-group-item > & {\n float: right;\n }\n\n .list-group-item > & + & {\n margin-right: 5px;\n }\n\n .nav-pills > li > a > & {\n margin-left: 3px;\n }\n}\n","//\n// Jumbotron\n// --------------------------------------------------\n\n\n.jumbotron {\n padding-top: @jumbotron-padding;\n padding-bottom: @jumbotron-padding;\n margin-bottom: @jumbotron-padding;\n color: @jumbotron-color;\n background-color: @jumbotron-bg;\n\n h1,\n .h1 {\n color: @jumbotron-heading-color;\n }\n\n p {\n margin-bottom: (@jumbotron-padding / 2);\n font-size: @jumbotron-font-size;\n font-weight: 200;\n }\n\n > hr {\n border-top-color: darken(@jumbotron-bg, 10%);\n }\n\n .container &,\n .container-fluid & {\n border-radius: @border-radius-large; // Only round corners at higher resolutions if contained in a container\n padding-left: (@grid-gutter-width / 2);\n padding-right: (@grid-gutter-width / 2);\n }\n\n .container {\n max-width: 100%;\n }\n\n @media screen and (min-width: @screen-sm-min) {\n padding-top: (@jumbotron-padding * 1.6);\n padding-bottom: (@jumbotron-padding * 1.6);\n\n .container &,\n .container-fluid & {\n padding-left: (@jumbotron-padding * 2);\n padding-right: (@jumbotron-padding * 2);\n }\n\n h1,\n .h1 {\n font-size: @jumbotron-heading-font-size;\n }\n 
}\n}\n","//\n// Thumbnails\n// --------------------------------------------------\n\n\n// Mixin and adjust the regular image class\n.thumbnail {\n display: block;\n padding: @thumbnail-padding;\n margin-bottom: @line-height-computed;\n line-height: @line-height-base;\n background-color: @thumbnail-bg;\n border: 1px solid @thumbnail-border;\n border-radius: @thumbnail-border-radius;\n .transition(border .2s ease-in-out);\n\n > img,\n a > img {\n &:extend(.img-responsive);\n margin-left: auto;\n margin-right: auto;\n }\n\n // Add a hover state for linked versions only\n a&:hover,\n a&:focus,\n a&.active {\n border-color: @link-color;\n }\n\n // Image captions\n .caption {\n padding: @thumbnail-caption-padding;\n color: @thumbnail-caption-color;\n }\n}\n","//\n// Alerts\n// --------------------------------------------------\n\n\n// Base styles\n// -------------------------\n\n.alert {\n padding: @alert-padding;\n margin-bottom: @line-height-computed;\n border: 1px solid transparent;\n border-radius: @alert-border-radius;\n\n // Headings for larger alerts\n h4 {\n margin-top: 0;\n // Specified for the h4 to prevent conflicts of changing @headings-color\n color: inherit;\n }\n\n // Provide class for links that match alerts\n .alert-link {\n font-weight: @alert-link-font-weight;\n }\n\n // Improve alignment and spacing of inner content\n > p,\n > ul {\n margin-bottom: 0;\n }\n\n > p + p {\n margin-top: 5px;\n }\n}\n\n// Dismissible alerts\n//\n// Expand the right padding and account for the close button's positioning.\n\n.alert-dismissable, // The misspelled .alert-dismissable was deprecated in 3.2.0.\n.alert-dismissible {\n padding-right: (@alert-padding + 20);\n\n // Adjust close link position\n .close {\n position: relative;\n top: -2px;\n right: -21px;\n color: inherit;\n }\n}\n\n// Alternate styles\n//\n// Generate contextual modifier classes for colorizing the alert.\n\n.alert-success {\n .alert-variant(@alert-success-bg; @alert-success-border; 
@alert-success-text);\n}\n\n.alert-info {\n .alert-variant(@alert-info-bg; @alert-info-border; @alert-info-text);\n}\n\n.alert-warning {\n .alert-variant(@alert-warning-bg; @alert-warning-border; @alert-warning-text);\n}\n\n.alert-danger {\n .alert-variant(@alert-danger-bg; @alert-danger-border; @alert-danger-text);\n}\n","// Alerts\n\n.alert-variant(@background; @border; @text-color) {\n background-color: @background;\n border-color: @border;\n color: @text-color;\n\n hr {\n border-top-color: darken(@border, 5%);\n }\n .alert-link {\n color: darken(@text-color, 10%);\n }\n}\n","//\n// Progress bars\n// --------------------------------------------------\n\n\n// Bar animations\n// -------------------------\n\n// WebKit\n@-webkit-keyframes progress-bar-stripes {\n from { background-position: 40px 0; }\n to { background-position: 0 0; }\n}\n\n// Spec and IE10+\n@keyframes progress-bar-stripes {\n from { background-position: 40px 0; }\n to { background-position: 0 0; }\n}\n\n\n// Bar itself\n// -------------------------\n\n// Outer container\n.progress {\n overflow: hidden;\n height: @line-height-computed;\n margin-bottom: @line-height-computed;\n background-color: @progress-bg;\n border-radius: @progress-border-radius;\n .box-shadow(inset 0 1px 2px rgba(0,0,0,.1));\n}\n\n// Bar of progress\n.progress-bar {\n float: left;\n width: 0%;\n height: 100%;\n font-size: @font-size-small;\n line-height: @line-height-computed;\n color: @progress-bar-color;\n text-align: center;\n background-color: @progress-bar-bg;\n .box-shadow(inset 0 -1px 0 rgba(0,0,0,.15));\n .transition(width .6s ease);\n}\n\n// Striped bars\n//\n// `.progress-striped .progress-bar` is deprecated as of v3.2.0 in favor of the\n// `.progress-bar-striped` class, which you just add to an existing\n// `.progress-bar`.\n.progress-striped .progress-bar,\n.progress-bar-striped {\n #gradient > .striped();\n background-size: 40px 40px;\n}\n\n// Call animation for the active one\n//\n// `.progress.active 
.progress-bar` is deprecated as of v3.2.0 in favor of the\n// `.progress-bar.active` approach.\n.progress.active .progress-bar,\n.progress-bar.active {\n .animation(progress-bar-stripes 2s linear infinite);\n}\n\n\n// Variations\n// -------------------------\n\n.progress-bar-success {\n .progress-bar-variant(@progress-bar-success-bg);\n}\n\n.progress-bar-info {\n .progress-bar-variant(@progress-bar-info-bg);\n}\n\n.progress-bar-warning {\n .progress-bar-variant(@progress-bar-warning-bg);\n}\n\n.progress-bar-danger {\n .progress-bar-variant(@progress-bar-danger-bg);\n}\n","// Gradients\n\n#gradient {\n\n // Horizontal gradient, from left to right\n //\n // Creates two color stops, start and end, by specifying a color and position for each color stop.\n // Color stops are not available in IE9 and below.\n .horizontal(@start-color: #555; @end-color: #333; @start-percent: 0%; @end-percent: 100%) {\n background-image: -webkit-linear-gradient(left, @start-color @start-percent, @end-color @end-percent); // Safari 5.1-6, Chrome 10+\n background-image: -o-linear-gradient(left, @start-color @start-percent, @end-color @end-percent); // Opera 12\n background-image: linear-gradient(to right, @start-color @start-percent, @end-color @end-percent); // Standard, IE10, Firefox 16+, Opera 12.10+, Safari 7+, Chrome 26+\n background-repeat: repeat-x;\n filter: e(%(\"progid:DXImageTransform.Microsoft.gradient(startColorstr='%d', endColorstr='%d', GradientType=1)\",argb(@start-color),argb(@end-color))); // IE9 and down\n }\n\n // Vertical gradient, from top to bottom\n //\n // Creates two color stops, start and end, by specifying a color and position for each color stop.\n // Color stops are not available in IE9 and below.\n .vertical(@start-color: #555; @end-color: #333; @start-percent: 0%; @end-percent: 100%) {\n background-image: -webkit-linear-gradient(top, @start-color @start-percent, @end-color @end-percent); // Safari 5.1-6, Chrome 10+\n background-image: -o-linear-gradient(top, 
@start-color @start-percent, @end-color @end-percent); // Opera 12\n background-image: linear-gradient(to bottom, @start-color @start-percent, @end-color @end-percent); // Standard, IE10, Firefox 16+, Opera 12.10+, Safari 7+, Chrome 26+\n background-repeat: repeat-x;\n filter: e(%(\"progid:DXImageTransform.Microsoft.gradient(startColorstr='%d', endColorstr='%d', GradientType=0)\",argb(@start-color),argb(@end-color))); // IE9 and down\n }\n\n .directional(@start-color: #555; @end-color: #333; @deg: 45deg) {\n background-repeat: repeat-x;\n background-image: -webkit-linear-gradient(@deg, @start-color, @end-color); // Safari 5.1-6, Chrome 10+\n background-image: -o-linear-gradient(@deg, @start-color, @end-color); // Opera 12\n background-image: linear-gradient(@deg, @start-color, @end-color); // Standard, IE10, Firefox 16+, Opera 12.10+, Safari 7+, Chrome 26+\n }\n .horizontal-three-colors(@start-color: #00b3ee; @mid-color: #7a43b6; @color-stop: 50%; @end-color: #c3325f) {\n background-image: -webkit-linear-gradient(left, @start-color, @mid-color @color-stop, @end-color);\n background-image: -o-linear-gradient(left, @start-color, @mid-color @color-stop, @end-color);\n background-image: linear-gradient(to right, @start-color, @mid-color @color-stop, @end-color);\n background-repeat: no-repeat;\n filter: e(%(\"progid:DXImageTransform.Microsoft.gradient(startColorstr='%d', endColorstr='%d', GradientType=1)\",argb(@start-color),argb(@end-color))); // IE9 and down, gets no color-stop at all for proper fallback\n }\n .vertical-three-colors(@start-color: #00b3ee; @mid-color: #7a43b6; @color-stop: 50%; @end-color: #c3325f) {\n background-image: -webkit-linear-gradient(@start-color, @mid-color @color-stop, @end-color);\n background-image: -o-linear-gradient(@start-color, @mid-color @color-stop, @end-color);\n background-image: linear-gradient(@start-color, @mid-color @color-stop, @end-color);\n background-repeat: no-repeat;\n filter: 
e(%(\"progid:DXImageTransform.Microsoft.gradient(startColorstr='%d', endColorstr='%d', GradientType=0)\",argb(@start-color),argb(@end-color))); // IE9 and down, gets no color-stop at all for proper fallback\n }\n .radial(@inner-color: #555; @outer-color: #333) {\n background-image: -webkit-radial-gradient(circle, @inner-color, @outer-color);\n background-image: radial-gradient(circle, @inner-color, @outer-color);\n background-repeat: no-repeat;\n }\n .striped(@color: rgba(255,255,255,.15); @angle: 45deg) {\n background-image: -webkit-linear-gradient(@angle, @color 25%, transparent 25%, transparent 50%, @color 50%, @color 75%, transparent 75%, transparent);\n background-image: -o-linear-gradient(@angle, @color 25%, transparent 25%, transparent 50%, @color 50%, @color 75%, transparent 75%, transparent);\n background-image: linear-gradient(@angle, @color 25%, transparent 25%, transparent 50%, @color 50%, @color 75%, transparent 75%, transparent);\n }\n}\n","// Progress bars\n\n.progress-bar-variant(@color) {\n background-color: @color;\n\n // Deprecated parent class requirement as of v3.2.0\n .progress-striped & {\n #gradient > .striped();\n }\n}\n",".media {\n // Proper spacing between instances of .media\n margin-top: 15px;\n\n &:first-child {\n margin-top: 0;\n }\n}\n\n.media,\n.media-body {\n zoom: 1;\n overflow: hidden;\n}\n\n.media-body {\n width: 10000px;\n}\n\n.media-object {\n display: block;\n\n // Fix collapse in webkit from max-width: 100% and display: table-cell.\n &.img-thumbnail {\n max-width: none;\n }\n}\n\n.media-right,\n.media > .pull-right {\n padding-left: 10px;\n}\n\n.media-left,\n.media > .pull-left {\n padding-right: 10px;\n}\n\n.media-left,\n.media-right,\n.media-body {\n display: table-cell;\n vertical-align: top;\n}\n\n.media-middle {\n vertical-align: middle;\n}\n\n.media-bottom {\n vertical-align: bottom;\n}\n\n// Reset margins on headings for tighter default spacing\n.media-heading {\n margin-top: 0;\n margin-bottom: 5px;\n}\n\n// Media 
list variation\n//\n// Undo default ul/ol styles\n.media-list {\n padding-left: 0;\n list-style: none;\n}\n","//\n// List groups\n// --------------------------------------------------\n\n\n// Base class\n//\n// Easily usable on
      ,
        , or
        .\n\n.list-group {\n // No need to set list-style: none; since .list-group-item is block level\n margin-bottom: 20px;\n padding-left: 0; // reset padding because ul and ol\n}\n\n\n// Individual list items\n//\n// Use on `li`s or `div`s within the `.list-group` parent.\n\n.list-group-item {\n position: relative;\n display: block;\n padding: 10px 15px;\n // Place the border on the list items and negative margin up for better styling\n margin-bottom: -1px;\n background-color: @list-group-bg;\n border: 1px solid @list-group-border;\n\n // Round the first and last items\n &:first-child {\n .border-top-radius(@list-group-border-radius);\n }\n &:last-child {\n margin-bottom: 0;\n .border-bottom-radius(@list-group-border-radius);\n }\n}\n\n\n// Interactive list items\n//\n// Use anchor or button elements instead of `li`s or `div`s to create interactive items.\n// Includes an extra `.active` modifier class for showing selected items.\n\na.list-group-item,\nbutton.list-group-item {\n color: @list-group-link-color;\n\n .list-group-item-heading {\n color: @list-group-link-heading-color;\n }\n\n // Hover state\n &:hover,\n &:focus {\n text-decoration: none;\n color: @list-group-link-hover-color;\n background-color: @list-group-hover-bg;\n }\n}\n\nbutton.list-group-item {\n width: 100%;\n text-align: left;\n}\n\n.list-group-item {\n // Disabled state\n &.disabled,\n &.disabled:hover,\n &.disabled:focus {\n background-color: @list-group-disabled-bg;\n color: @list-group-disabled-color;\n cursor: @cursor-disabled;\n\n // Force color to inherit for custom content\n .list-group-item-heading {\n color: inherit;\n }\n .list-group-item-text {\n color: @list-group-disabled-text-color;\n }\n }\n\n // Active class on item itself, not parent\n &.active,\n &.active:hover,\n &.active:focus {\n z-index: 2; // Place active items above their siblings for proper border styling\n color: @list-group-active-color;\n background-color: @list-group-active-bg;\n border-color: 
@list-group-active-border;\n\n // Force color to inherit for custom content\n .list-group-item-heading,\n .list-group-item-heading > small,\n .list-group-item-heading > .small {\n color: inherit;\n }\n .list-group-item-text {\n color: @list-group-active-text-color;\n }\n }\n}\n\n\n// Contextual variants\n//\n// Add modifier classes to change text and background color on individual items.\n// Organizationally, this must come after the `:hover` states.\n\n.list-group-item-variant(success; @state-success-bg; @state-success-text);\n.list-group-item-variant(info; @state-info-bg; @state-info-text);\n.list-group-item-variant(warning; @state-warning-bg; @state-warning-text);\n.list-group-item-variant(danger; @state-danger-bg; @state-danger-text);\n\n\n// Custom content options\n//\n// Extra classes for creating well-formatted content within `.list-group-item`s.\n\n.list-group-item-heading {\n margin-top: 0;\n margin-bottom: 5px;\n}\n.list-group-item-text {\n margin-bottom: 0;\n line-height: 1.3;\n}\n","// List Groups\n\n.list-group-item-variant(@state; @background; @color) {\n .list-group-item-@{state} {\n color: @color;\n background-color: @background;\n\n a&,\n button& {\n color: @color;\n\n .list-group-item-heading {\n color: inherit;\n }\n\n &:hover,\n &:focus {\n color: @color;\n background-color: darken(@background, 5%);\n }\n &.active,\n &.active:hover,\n &.active:focus {\n color: #fff;\n background-color: @color;\n border-color: @color;\n }\n }\n }\n}\n","//\n// Panels\n// --------------------------------------------------\n\n\n// Base class\n.panel {\n margin-bottom: @line-height-computed;\n background-color: @panel-bg;\n border: 1px solid transparent;\n border-radius: @panel-border-radius;\n .box-shadow(0 1px 1px rgba(0,0,0,.05));\n}\n\n// Panel contents\n.panel-body {\n padding: @panel-body-padding;\n &:extend(.clearfix all);\n}\n\n// Optional heading\n.panel-heading {\n padding: @panel-heading-padding;\n border-bottom: 1px solid transparent;\n 
.border-top-radius((@panel-border-radius - 1));\n\n > .dropdown .dropdown-toggle {\n color: inherit;\n }\n}\n\n// Within heading, strip any `h*` tag of its default margins for spacing.\n.panel-title {\n margin-top: 0;\n margin-bottom: 0;\n font-size: ceil((@font-size-base * 1.125));\n color: inherit;\n\n > a,\n > small,\n > .small,\n > small > a,\n > .small > a {\n color: inherit;\n }\n}\n\n// Optional footer (stays gray in every modifier class)\n.panel-footer {\n padding: @panel-footer-padding;\n background-color: @panel-footer-bg;\n border-top: 1px solid @panel-inner-border;\n .border-bottom-radius((@panel-border-radius - 1));\n}\n\n\n// List groups in panels\n//\n// By default, space out list group content from panel headings to account for\n// any kind of custom content between the two.\n\n.panel {\n > .list-group,\n > .panel-collapse > .list-group {\n margin-bottom: 0;\n\n .list-group-item {\n border-width: 1px 0;\n border-radius: 0;\n }\n\n // Add border top radius for first one\n &:first-child {\n .list-group-item:first-child {\n border-top: 0;\n .border-top-radius((@panel-border-radius - 1));\n }\n }\n\n // Add border bottom radius for last one\n &:last-child {\n .list-group-item:last-child {\n border-bottom: 0;\n .border-bottom-radius((@panel-border-radius - 1));\n }\n }\n }\n > .panel-heading + .panel-collapse > .list-group {\n .list-group-item:first-child {\n .border-top-radius(0);\n }\n }\n}\n// Collapse space between when there's no additional content.\n.panel-heading + .list-group {\n .list-group-item:first-child {\n border-top-width: 0;\n }\n}\n.list-group + .panel-footer {\n border-top-width: 0;\n}\n\n// Tables in panels\n//\n// Place a non-bordered `.table` within a panel (not within a `.panel-body`) and\n// watch it go full width.\n\n.panel {\n > .table,\n > .table-responsive > .table,\n > .panel-collapse > .table {\n margin-bottom: 0;\n\n caption {\n padding-left: @panel-body-padding;\n padding-right: @panel-body-padding;\n }\n }\n // Add border 
top radius for first one\n > .table:first-child,\n > .table-responsive:first-child > .table:first-child {\n .border-top-radius((@panel-border-radius - 1));\n\n > thead:first-child,\n > tbody:first-child {\n > tr:first-child {\n border-top-left-radius: (@panel-border-radius - 1);\n border-top-right-radius: (@panel-border-radius - 1);\n\n td:first-child,\n th:first-child {\n border-top-left-radius: (@panel-border-radius - 1);\n }\n td:last-child,\n th:last-child {\n border-top-right-radius: (@panel-border-radius - 1);\n }\n }\n }\n }\n // Add border bottom radius for last one\n > .table:last-child,\n > .table-responsive:last-child > .table:last-child {\n .border-bottom-radius((@panel-border-radius - 1));\n\n > tbody:last-child,\n > tfoot:last-child {\n > tr:last-child {\n border-bottom-left-radius: (@panel-border-radius - 1);\n border-bottom-right-radius: (@panel-border-radius - 1);\n\n td:first-child,\n th:first-child {\n border-bottom-left-radius: (@panel-border-radius - 1);\n }\n td:last-child,\n th:last-child {\n border-bottom-right-radius: (@panel-border-radius - 1);\n }\n }\n }\n }\n > .panel-body + .table,\n > .panel-body + .table-responsive,\n > .table + .panel-body,\n > .table-responsive + .panel-body {\n border-top: 1px solid @table-border-color;\n }\n > .table > tbody:first-child > tr:first-child th,\n > .table > tbody:first-child > tr:first-child td {\n border-top: 0;\n }\n > .table-bordered,\n > .table-responsive > .table-bordered {\n border: 0;\n > thead,\n > tbody,\n > tfoot {\n > tr {\n > th:first-child,\n > td:first-child {\n border-left: 0;\n }\n > th:last-child,\n > td:last-child {\n border-right: 0;\n }\n }\n }\n > thead,\n > tbody {\n > tr:first-child {\n > td,\n > th {\n border-bottom: 0;\n }\n }\n }\n > tbody,\n > tfoot {\n > tr:last-child {\n > td,\n > th {\n border-bottom: 0;\n }\n }\n }\n }\n > .table-responsive {\n border: 0;\n margin-bottom: 0;\n }\n}\n\n\n// Collapsible panels (aka, accordion)\n//\n// Wrap a series of panels in 
`.panel-group` to turn them into an accordion with\n// the help of our collapse JavaScript plugin.\n\n.panel-group {\n margin-bottom: @line-height-computed;\n\n // Tighten up margin so it's only between panels\n .panel {\n margin-bottom: 0;\n border-radius: @panel-border-radius;\n\n + .panel {\n margin-top: 5px;\n }\n }\n\n .panel-heading {\n border-bottom: 0;\n\n + .panel-collapse > .panel-body,\n + .panel-collapse > .list-group {\n border-top: 1px solid @panel-inner-border;\n }\n }\n\n .panel-footer {\n border-top: 0;\n + .panel-collapse .panel-body {\n border-bottom: 1px solid @panel-inner-border;\n }\n }\n}\n\n\n// Contextual variations\n.panel-default {\n .panel-variant(@panel-default-border; @panel-default-text; @panel-default-heading-bg; @panel-default-border);\n}\n.panel-primary {\n .panel-variant(@panel-primary-border; @panel-primary-text; @panel-primary-heading-bg; @panel-primary-border);\n}\n.panel-success {\n .panel-variant(@panel-success-border; @panel-success-text; @panel-success-heading-bg; @panel-success-border);\n}\n.panel-info {\n .panel-variant(@panel-info-border; @panel-info-text; @panel-info-heading-bg; @panel-info-border);\n}\n.panel-warning {\n .panel-variant(@panel-warning-border; @panel-warning-text; @panel-warning-heading-bg; @panel-warning-border);\n}\n.panel-danger {\n .panel-variant(@panel-danger-border; @panel-danger-text; @panel-danger-heading-bg; @panel-danger-border);\n}\n","// Panels\n\n.panel-variant(@border; @heading-text-color; @heading-bg-color; @heading-border) {\n border-color: @border;\n\n & > .panel-heading {\n color: @heading-text-color;\n background-color: @heading-bg-color;\n border-color: @heading-border;\n\n + .panel-collapse > .panel-body {\n border-top-color: @border;\n }\n .badge {\n color: @heading-bg-color;\n background-color: @heading-text-color;\n }\n }\n & > .panel-footer {\n + .panel-collapse > .panel-body {\n border-bottom-color: @border;\n }\n }\n}\n","// Embeds responsive\n//\n// Credit: Nicolas Gallagher 
and SUIT CSS.\n\n.embed-responsive {\n position: relative;\n display: block;\n height: 0;\n padding: 0;\n overflow: hidden;\n\n .embed-responsive-item,\n iframe,\n embed,\n object,\n video {\n position: absolute;\n top: 0;\n left: 0;\n bottom: 0;\n height: 100%;\n width: 100%;\n border: 0;\n }\n}\n\n// Modifier class for 16:9 aspect ratio\n.embed-responsive-16by9 {\n padding-bottom: 56.25%;\n}\n\n// Modifier class for 4:3 aspect ratio\n.embed-responsive-4by3 {\n padding-bottom: 75%;\n}\n","//\n// Wells\n// --------------------------------------------------\n\n\n// Base class\n.well {\n min-height: 20px;\n padding: 19px;\n margin-bottom: 20px;\n background-color: @well-bg;\n border: 1px solid @well-border;\n border-radius: @border-radius-base;\n .box-shadow(inset 0 1px 1px rgba(0,0,0,.05));\n blockquote {\n border-color: #ddd;\n border-color: rgba(0,0,0,.15);\n }\n}\n\n// Sizes\n.well-lg {\n padding: 24px;\n border-radius: @border-radius-large;\n}\n.well-sm {\n padding: 9px;\n border-radius: @border-radius-small;\n}\n","//\n// Close icons\n// --------------------------------------------------\n\n\n.close {\n float: right;\n font-size: (@font-size-base * 1.5);\n font-weight: @close-font-weight;\n line-height: 1;\n color: @close-color;\n text-shadow: @close-text-shadow;\n .opacity(.2);\n\n &:hover,\n &:focus {\n color: @close-color;\n text-decoration: none;\n cursor: pointer;\n .opacity(.5);\n }\n\n // Additional properties for button version\n // iOS requires the button element instead of an anchor tag.\n // If you want the anchor version, it requires `href=\"#\"`.\n // See https://developer.mozilla.org/en-US/docs/Web/Events/click#Safari_Mobile\n button& {\n padding: 0;\n cursor: pointer;\n background: transparent;\n border: 0;\n -webkit-appearance: none;\n }\n}\n","//\n// Modals\n// --------------------------------------------------\n\n// .modal-open - body class for killing the scroll\n// .modal - container to scroll within\n// .modal-dialog - positioning shell for 
the actual modal\n// .modal-content - actual modal w/ bg and corners and shit\n\n// Kill the scroll on the body\n.modal-open {\n overflow: hidden;\n}\n\n// Container that the modal scrolls within\n.modal {\n display: none;\n overflow: hidden;\n position: fixed;\n top: 0;\n right: 0;\n bottom: 0;\n left: 0;\n z-index: @zindex-modal;\n -webkit-overflow-scrolling: touch;\n\n // Prevent Chrome on Windows from adding a focus outline. For details, see\n // https://github.com/twbs/bootstrap/pull/10951.\n outline: 0;\n\n // When fading in the modal, animate it to slide down\n &.fade .modal-dialog {\n .translate(0, -25%);\n .transition-transform(~\"0.3s ease-out\");\n }\n &.in .modal-dialog { .translate(0, 0) }\n}\n.modal-open .modal {\n overflow-x: hidden;\n overflow-y: auto;\n}\n\n// Shell div to position the modal with bottom padding\n.modal-dialog {\n position: relative;\n width: auto;\n margin: 10px;\n}\n\n// Actual modal\n.modal-content {\n position: relative;\n background-color: @modal-content-bg;\n border: 1px solid @modal-content-fallback-border-color; //old browsers fallback (ie8 etc)\n border: 1px solid @modal-content-border-color;\n border-radius: @border-radius-large;\n .box-shadow(0 3px 9px rgba(0,0,0,.5));\n background-clip: padding-box;\n // Remove focus outline from opened modal\n outline: 0;\n}\n\n// Modal background\n.modal-backdrop {\n position: fixed;\n top: 0;\n right: 0;\n bottom: 0;\n left: 0;\n z-index: @zindex-modal-background;\n background-color: @modal-backdrop-bg;\n // Fade for backdrop\n &.fade { .opacity(0); }\n &.in { .opacity(@modal-backdrop-opacity); }\n}\n\n// Modal header\n// Top section of the modal w/ title and dismiss\n.modal-header {\n padding: @modal-title-padding;\n border-bottom: 1px solid @modal-header-border-color;\n &:extend(.clearfix all);\n}\n// Close icon\n.modal-header .close {\n margin-top: -2px;\n}\n\n// Title text within header\n.modal-title {\n margin: 0;\n line-height: @modal-title-line-height;\n}\n\n// Modal body\n// 
Where all modal content resides (sibling of .modal-header and .modal-footer)\n.modal-body {\n position: relative;\n padding: @modal-inner-padding;\n}\n\n// Footer (for actions)\n.modal-footer {\n padding: @modal-inner-padding;\n text-align: right; // right align buttons\n border-top: 1px solid @modal-footer-border-color;\n &:extend(.clearfix all); // clear it in case folks use .pull-* classes on buttons\n\n // Properly space out buttons\n .btn + .btn {\n margin-left: 5px;\n margin-bottom: 0; // account for input[type=\"submit\"] which gets the bottom margin like all other inputs\n }\n // but override that for button groups\n .btn-group .btn + .btn {\n margin-left: -1px;\n }\n // and override it for block buttons as well\n .btn-block + .btn-block {\n margin-left: 0;\n }\n}\n\n// Measure scrollbar width for padding body during modal show/hide\n.modal-scrollbar-measure {\n position: absolute;\n top: -9999px;\n width: 50px;\n height: 50px;\n overflow: scroll;\n}\n\n// Scale up the modal\n@media (min-width: @screen-sm-min) {\n // Automatically set modal's width for larger viewports\n .modal-dialog {\n width: @modal-md;\n margin: 30px auto;\n }\n .modal-content {\n .box-shadow(0 5px 15px rgba(0,0,0,.5));\n }\n\n // Modal sizes\n .modal-sm { width: @modal-sm; }\n}\n\n@media (min-width: @screen-md-min) {\n .modal-lg { width: @modal-lg; }\n}\n","//\n// Tooltips\n// --------------------------------------------------\n\n\n// Base class\n.tooltip {\n position: absolute;\n z-index: @zindex-tooltip;\n display: block;\n // Our parent element can be arbitrary since tooltips are by default inserted as a sibling of their target element.\n // So reset our font and text properties to avoid inheriting weird values.\n .reset-text();\n font-size: @font-size-small;\n\n .opacity(0);\n\n &.in { .opacity(@tooltip-opacity); }\n &.top { margin-top: -3px; padding: @tooltip-arrow-width 0; }\n &.right { margin-left: 3px; padding: 0 @tooltip-arrow-width; }\n &.bottom { margin-top: 3px; padding: 
@tooltip-arrow-width 0; }\n &.left { margin-left: -3px; padding: 0 @tooltip-arrow-width; }\n}\n\n// Wrapper for the tooltip content\n.tooltip-inner {\n max-width: @tooltip-max-width;\n padding: 3px 8px;\n color: @tooltip-color;\n text-align: center;\n background-color: @tooltip-bg;\n border-radius: @border-radius-base;\n}\n\n// Arrows\n.tooltip-arrow {\n position: absolute;\n width: 0;\n height: 0;\n border-color: transparent;\n border-style: solid;\n}\n// Note: Deprecated .top-left, .top-right, .bottom-left, and .bottom-right as of v3.3.1\n.tooltip {\n &.top .tooltip-arrow {\n bottom: 0;\n left: 50%;\n margin-left: -@tooltip-arrow-width;\n border-width: @tooltip-arrow-width @tooltip-arrow-width 0;\n border-top-color: @tooltip-arrow-color;\n }\n &.top-left .tooltip-arrow {\n bottom: 0;\n right: @tooltip-arrow-width;\n margin-bottom: -@tooltip-arrow-width;\n border-width: @tooltip-arrow-width @tooltip-arrow-width 0;\n border-top-color: @tooltip-arrow-color;\n }\n &.top-right .tooltip-arrow {\n bottom: 0;\n left: @tooltip-arrow-width;\n margin-bottom: -@tooltip-arrow-width;\n border-width: @tooltip-arrow-width @tooltip-arrow-width 0;\n border-top-color: @tooltip-arrow-color;\n }\n &.right .tooltip-arrow {\n top: 50%;\n left: 0;\n margin-top: -@tooltip-arrow-width;\n border-width: @tooltip-arrow-width @tooltip-arrow-width @tooltip-arrow-width 0;\n border-right-color: @tooltip-arrow-color;\n }\n &.left .tooltip-arrow {\n top: 50%;\n right: 0;\n margin-top: -@tooltip-arrow-width;\n border-width: @tooltip-arrow-width 0 @tooltip-arrow-width @tooltip-arrow-width;\n border-left-color: @tooltip-arrow-color;\n }\n &.bottom .tooltip-arrow {\n top: 0;\n left: 50%;\n margin-left: -@tooltip-arrow-width;\n border-width: 0 @tooltip-arrow-width @tooltip-arrow-width;\n border-bottom-color: @tooltip-arrow-color;\n }\n &.bottom-left .tooltip-arrow {\n top: 0;\n right: @tooltip-arrow-width;\n margin-top: -@tooltip-arrow-width;\n border-width: 0 @tooltip-arrow-width 
@tooltip-arrow-width;\n border-bottom-color: @tooltip-arrow-color;\n }\n &.bottom-right .tooltip-arrow {\n top: 0;\n left: @tooltip-arrow-width;\n margin-top: -@tooltip-arrow-width;\n border-width: 0 @tooltip-arrow-width @tooltip-arrow-width;\n border-bottom-color: @tooltip-arrow-color;\n }\n}\n",".reset-text() {\n font-family: @font-family-base;\n // We deliberately do NOT reset font-size.\n font-style: normal;\n font-weight: normal;\n letter-spacing: normal;\n line-break: auto;\n line-height: @line-height-base;\n text-align: left; // Fallback for where `start` is not supported\n text-align: start;\n text-decoration: none;\n text-shadow: none;\n text-transform: none;\n white-space: normal;\n word-break: normal;\n word-spacing: normal;\n word-wrap: normal;\n}\n","//\n// Popovers\n// --------------------------------------------------\n\n\n.popover {\n position: absolute;\n top: 0;\n left: 0;\n z-index: @zindex-popover;\n display: none;\n max-width: @popover-max-width;\n padding: 1px;\n // Our parent element can be arbitrary since popovers are by default inserted as a sibling of their target element.\n // So reset our font and text properties to avoid inheriting weird values.\n .reset-text();\n font-size: @font-size-base;\n\n background-color: @popover-bg;\n background-clip: padding-box;\n border: 1px solid @popover-fallback-border-color;\n border: 1px solid @popover-border-color;\n border-radius: @border-radius-large;\n .box-shadow(0 5px 10px rgba(0,0,0,.2));\n\n // Offset the popover to account for the popover arrow\n &.top { margin-top: -@popover-arrow-width; }\n &.right { margin-left: @popover-arrow-width; }\n &.bottom { margin-top: @popover-arrow-width; }\n &.left { margin-left: -@popover-arrow-width; }\n}\n\n.popover-title {\n margin: 0; // reset heading margin\n padding: 8px 14px;\n font-size: @font-size-base;\n background-color: @popover-title-bg;\n border-bottom: 1px solid darken(@popover-title-bg, 5%);\n border-radius: (@border-radius-large - 1) 
(@border-radius-large - 1) 0 0;\n}\n\n.popover-content {\n padding: 9px 14px;\n}\n\n// Arrows\n//\n// .arrow is outer, .arrow:after is inner\n\n.popover > .arrow {\n &,\n &:after {\n position: absolute;\n display: block;\n width: 0;\n height: 0;\n border-color: transparent;\n border-style: solid;\n }\n}\n.popover > .arrow {\n border-width: @popover-arrow-outer-width;\n}\n.popover > .arrow:after {\n border-width: @popover-arrow-width;\n content: \"\";\n}\n\n.popover {\n &.top > .arrow {\n left: 50%;\n margin-left: -@popover-arrow-outer-width;\n border-bottom-width: 0;\n border-top-color: @popover-arrow-outer-fallback-color; // IE8 fallback\n border-top-color: @popover-arrow-outer-color;\n bottom: -@popover-arrow-outer-width;\n &:after {\n content: \" \";\n bottom: 1px;\n margin-left: -@popover-arrow-width;\n border-bottom-width: 0;\n border-top-color: @popover-arrow-color;\n }\n }\n &.right > .arrow {\n top: 50%;\n left: -@popover-arrow-outer-width;\n margin-top: -@popover-arrow-outer-width;\n border-left-width: 0;\n border-right-color: @popover-arrow-outer-fallback-color; // IE8 fallback\n border-right-color: @popover-arrow-outer-color;\n &:after {\n content: \" \";\n left: 1px;\n bottom: -@popover-arrow-width;\n border-left-width: 0;\n border-right-color: @popover-arrow-color;\n }\n }\n &.bottom > .arrow {\n left: 50%;\n margin-left: -@popover-arrow-outer-width;\n border-top-width: 0;\n border-bottom-color: @popover-arrow-outer-fallback-color; // IE8 fallback\n border-bottom-color: @popover-arrow-outer-color;\n top: -@popover-arrow-outer-width;\n &:after {\n content: \" \";\n top: 1px;\n margin-left: -@popover-arrow-width;\n border-top-width: 0;\n border-bottom-color: @popover-arrow-color;\n }\n }\n\n &.left > .arrow {\n top: 50%;\n right: -@popover-arrow-outer-width;\n margin-top: -@popover-arrow-outer-width;\n border-right-width: 0;\n border-left-color: @popover-arrow-outer-fallback-color; // IE8 fallback\n border-left-color: @popover-arrow-outer-color;\n 
&:after {\n content: \" \";\n right: 1px;\n border-right-width: 0;\n border-left-color: @popover-arrow-color;\n bottom: -@popover-arrow-width;\n }\n }\n}\n","//\n// Carousel\n// --------------------------------------------------\n\n\n// Wrapper for the slide container and indicators\n.carousel {\n position: relative;\n}\n\n.carousel-inner {\n position: relative;\n overflow: hidden;\n width: 100%;\n\n > .item {\n display: none;\n position: relative;\n .transition(.6s ease-in-out left);\n\n // Account for jankitude on images\n > img,\n > a > img {\n &:extend(.img-responsive);\n line-height: 1;\n }\n\n // WebKit CSS3 transforms for supported devices\n @media all and (transform-3d), (-webkit-transform-3d) {\n .transition-transform(~'0.6s ease-in-out');\n .backface-visibility(~'hidden');\n .perspective(1000px);\n\n &.next,\n &.active.right {\n .translate3d(100%, 0, 0);\n left: 0;\n }\n &.prev,\n &.active.left {\n .translate3d(-100%, 0, 0);\n left: 0;\n }\n &.next.left,\n &.prev.right,\n &.active {\n .translate3d(0, 0, 0);\n left: 0;\n }\n }\n }\n\n > .active,\n > .next,\n > .prev {\n display: block;\n }\n\n > .active {\n left: 0;\n }\n\n > .next,\n > .prev {\n position: absolute;\n top: 0;\n width: 100%;\n }\n\n > .next {\n left: 100%;\n }\n > .prev {\n left: -100%;\n }\n > .next.left,\n > .prev.right {\n left: 0;\n }\n\n > .active.left {\n left: -100%;\n }\n > .active.right {\n left: 100%;\n }\n\n}\n\n// Left/right controls for nav\n// ---------------------------\n\n.carousel-control {\n position: absolute;\n top: 0;\n left: 0;\n bottom: 0;\n width: @carousel-control-width;\n .opacity(@carousel-control-opacity);\n font-size: @carousel-control-font-size;\n color: @carousel-control-color;\n text-align: center;\n text-shadow: @carousel-text-shadow;\n background-color: rgba(0, 0, 0, 0); // Fix IE9 click-thru bug\n // We can't have this transition here because WebKit cancels the carousel\n // animation if you trip this while in the middle of another animation.\n\n // Set 
gradients for backgrounds\n &.left {\n #gradient > .horizontal(@start-color: rgba(0,0,0,.5); @end-color: rgba(0,0,0,.0001));\n }\n &.right {\n left: auto;\n right: 0;\n #gradient > .horizontal(@start-color: rgba(0,0,0,.0001); @end-color: rgba(0,0,0,.5));\n }\n\n // Hover/focus state\n &:hover,\n &:focus {\n outline: 0;\n color: @carousel-control-color;\n text-decoration: none;\n .opacity(.9);\n }\n\n // Toggles\n .icon-prev,\n .icon-next,\n .glyphicon-chevron-left,\n .glyphicon-chevron-right {\n position: absolute;\n top: 50%;\n margin-top: -10px;\n z-index: 5;\n display: inline-block;\n }\n .icon-prev,\n .glyphicon-chevron-left {\n left: 50%;\n margin-left: -10px;\n }\n .icon-next,\n .glyphicon-chevron-right {\n right: 50%;\n margin-right: -10px;\n }\n .icon-prev,\n .icon-next {\n width: 20px;\n height: 20px;\n line-height: 1;\n font-family: serif;\n }\n\n\n .icon-prev {\n &:before {\n content: '\\2039';// SINGLE LEFT-POINTING ANGLE QUOTATION MARK (U+2039)\n }\n }\n .icon-next {\n &:before {\n content: '\\203a';// SINGLE RIGHT-POINTING ANGLE QUOTATION MARK (U+203A)\n }\n }\n}\n\n// Optional indicator pips\n//\n// Add an unordered list with the following class and add a list item for each\n// slide your carousel holds.\n\n.carousel-indicators {\n position: absolute;\n bottom: 10px;\n left: 50%;\n z-index: 15;\n width: 60%;\n margin-left: -30%;\n padding-left: 0;\n list-style: none;\n text-align: center;\n\n li {\n display: inline-block;\n width: 10px;\n height: 10px;\n margin: 1px;\n text-indent: -999px;\n border: 1px solid @carousel-indicator-border-color;\n border-radius: 10px;\n cursor: pointer;\n\n // IE8-9 hack for event handling\n //\n // Internet Explorer 8-9 does not support clicks on elements without a set\n // `background-color`. We cannot use `filter` since that's not viewed as a\n // background color by the browser. 
Thus, a hack is needed.\n // See https://developer.mozilla.org/en-US/docs/Web/Events/click#Internet_Explorer\n //\n // For IE8, we set solid black as it doesn't support `rgba()`. For IE9, we\n // set alpha transparency for the best results possible.\n background-color: #000 \\9; // IE8\n background-color: rgba(0,0,0,0); // IE9\n }\n .active {\n margin: 0;\n width: 12px;\n height: 12px;\n background-color: @carousel-indicator-active-bg;\n }\n}\n\n// Optional captions\n// -----------------------------\n// Hidden by default for smaller viewports\n.carousel-caption {\n position: absolute;\n left: 15%;\n right: 15%;\n bottom: 20px;\n z-index: 10;\n padding-top: 20px;\n padding-bottom: 20px;\n color: @carousel-caption-color;\n text-align: center;\n text-shadow: @carousel-text-shadow;\n & .btn {\n text-shadow: none; // No shadow for button elements in carousel-caption\n }\n}\n\n\n// Scale up controls for tablets and up\n@media screen and (min-width: @screen-sm-min) {\n\n // Scale up the controls a smidge\n .carousel-control {\n .glyphicon-chevron-left,\n .glyphicon-chevron-right,\n .icon-prev,\n .icon-next {\n width: (@carousel-control-font-size * 1.5);\n height: (@carousel-control-font-size * 1.5);\n margin-top: (@carousel-control-font-size / -2);\n font-size: (@carousel-control-font-size * 1.5);\n }\n .glyphicon-chevron-left,\n .icon-prev {\n margin-left: (@carousel-control-font-size / -2);\n }\n .glyphicon-chevron-right,\n .icon-next {\n margin-right: (@carousel-control-font-size / -2);\n }\n }\n\n // Show and left align the captions\n .carousel-caption {\n left: 20%;\n right: 20%;\n padding-bottom: 30px;\n }\n\n // Move up the indicators\n .carousel-indicators {\n bottom: 20px;\n }\n}\n","// Clearfix\n//\n// For modern browsers\n// 1. 
The space content is one way to avoid an Opera bug when the\n// contenteditable attribute is included anywhere else in the document.\n// Otherwise it causes space to appear at the top and bottom of elements\n// that are clearfixed.\n// 2. The use of `table` rather than `block` is only necessary if using\n// `:before` to contain the top-margins of child elements.\n//\n// Source: http://nicolasgallagher.com/micro-clearfix-hack/\n\n.clearfix() {\n &:before,\n &:after {\n content: \" \"; // 1\n display: table; // 2\n }\n &:after {\n clear: both;\n }\n}\n","// Center-align a block level element\n\n.center-block() {\n display: block;\n margin-left: auto;\n margin-right: auto;\n}\n","// CSS image replacement\n//\n// Heads up! v3 launched with only `.hide-text()`, but per our pattern for\n// mixins being reused as classes with the same name, this doesn't hold up. As\n// of v3.0.1 we have added `.text-hide()` and deprecated `.hide-text()`.\n//\n// Source: https://github.com/h5bp/html5-boilerplate/commit/aa0396eae757\n\n// Deprecated as of v3.0.1 (has been removed in v4)\n.hide-text() {\n font: ~\"0/0\" a;\n color: transparent;\n text-shadow: none;\n background-color: transparent;\n border: 0;\n}\n\n// New mixin to use as of v3.0.1\n.text-hide() {\n .hide-text();\n}\n","//\n// Responsive: Utility classes\n// --------------------------------------------------\n\n\n// IE10 in Windows (Phone) 8\n//\n// Support for responsive views via media queries is kind of borked in IE10, for\n// Surface/desktop in split view and for Windows Phone 8. This particular fix\n// must be accompanied by a snippet of JavaScript to sniff the user agent and\n// apply some conditional CSS to *only* the Surface/desktop Windows 8. 
Look at\n// our Getting Started page for more information on this bug.\n//\n// For more information, see the following:\n//\n// Issue: https://github.com/twbs/bootstrap/issues/10497\n// Docs: http://getbootstrap.com/getting-started/#support-ie10-width\n// Source: http://timkadlec.com/2013/01/windows-phone-8-and-device-width/\n// Source: http://timkadlec.com/2012/10/ie10-snap-mode-and-responsive-design/\n\n@-ms-viewport {\n width: device-width;\n}\n\n\n// Visibility utilities\n// Note: Deprecated .visible-xs, .visible-sm, .visible-md, and .visible-lg as of v3.2.0\n.visible-xs,\n.visible-sm,\n.visible-md,\n.visible-lg {\n .responsive-invisibility();\n}\n\n.visible-xs-block,\n.visible-xs-inline,\n.visible-xs-inline-block,\n.visible-sm-block,\n.visible-sm-inline,\n.visible-sm-inline-block,\n.visible-md-block,\n.visible-md-inline,\n.visible-md-inline-block,\n.visible-lg-block,\n.visible-lg-inline,\n.visible-lg-inline-block {\n display: none !important;\n}\n\n.visible-xs {\n @media (max-width: @screen-xs-max) {\n .responsive-visibility();\n }\n}\n.visible-xs-block {\n @media (max-width: @screen-xs-max) {\n display: block !important;\n }\n}\n.visible-xs-inline {\n @media (max-width: @screen-xs-max) {\n display: inline !important;\n }\n}\n.visible-xs-inline-block {\n @media (max-width: @screen-xs-max) {\n display: inline-block !important;\n }\n}\n\n.visible-sm {\n @media (min-width: @screen-sm-min) and (max-width: @screen-sm-max) {\n .responsive-visibility();\n }\n}\n.visible-sm-block {\n @media (min-width: @screen-sm-min) and (max-width: @screen-sm-max) {\n display: block !important;\n }\n}\n.visible-sm-inline {\n @media (min-width: @screen-sm-min) and (max-width: @screen-sm-max) {\n display: inline !important;\n }\n}\n.visible-sm-inline-block {\n @media (min-width: @screen-sm-min) and (max-width: @screen-sm-max) {\n display: inline-block !important;\n }\n}\n\n.visible-md {\n @media (min-width: @screen-md-min) and (max-width: @screen-md-max) {\n 
.responsive-visibility();\n }\n}\n.visible-md-block {\n @media (min-width: @screen-md-min) and (max-width: @screen-md-max) {\n display: block !important;\n }\n}\n.visible-md-inline {\n @media (min-width: @screen-md-min) and (max-width: @screen-md-max) {\n display: inline !important;\n }\n}\n.visible-md-inline-block {\n @media (min-width: @screen-md-min) and (max-width: @screen-md-max) {\n display: inline-block !important;\n }\n}\n\n.visible-lg {\n @media (min-width: @screen-lg-min) {\n .responsive-visibility();\n }\n}\n.visible-lg-block {\n @media (min-width: @screen-lg-min) {\n display: block !important;\n }\n}\n.visible-lg-inline {\n @media (min-width: @screen-lg-min) {\n display: inline !important;\n }\n}\n.visible-lg-inline-block {\n @media (min-width: @screen-lg-min) {\n display: inline-block !important;\n }\n}\n\n.hidden-xs {\n @media (max-width: @screen-xs-max) {\n .responsive-invisibility();\n }\n}\n.hidden-sm {\n @media (min-width: @screen-sm-min) and (max-width: @screen-sm-max) {\n .responsive-invisibility();\n }\n}\n.hidden-md {\n @media (min-width: @screen-md-min) and (max-width: @screen-md-max) {\n .responsive-invisibility();\n }\n}\n.hidden-lg {\n @media (min-width: @screen-lg-min) {\n .responsive-invisibility();\n }\n}\n\n\n// Print utilities\n//\n// Media queries are placed on the inside to be mixin-friendly.\n\n// Note: Deprecated .visible-print as of v3.2.0\n.visible-print {\n .responsive-invisibility();\n\n @media print {\n .responsive-visibility();\n }\n}\n.visible-print-block {\n display: none !important;\n\n @media print {\n display: block !important;\n }\n}\n.visible-print-inline {\n display: none !important;\n\n @media print {\n display: inline !important;\n }\n}\n.visible-print-inline-block {\n display: none !important;\n\n @media print {\n display: inline-block !important;\n }\n}\n\n.hidden-print {\n @media print {\n .responsive-invisibility();\n }\n}\n","// Responsive utilities\n\n//\n// More easily include all the states for 
responsive-utilities.less.\n.responsive-visibility() {\n display: block !important;\n table& { display: table !important; }\n tr& { display: table-row !important; }\n th&,\n td& { display: table-cell !important; }\n}\n\n.responsive-invisibility() {\n display: none !important;\n}\n"]} \ No newline at end of file diff --git a/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.eot b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.eot new file mode 100644 index 0000000..b93a495 Binary files /dev/null and b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.eot differ diff --git a/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.svg b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.svg new file mode 100644 index 0000000..94fb549 --- /dev/null +++ b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.svg @@ -0,0 +1,288 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.ttf b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.ttf new file mode 100644 index 0000000..1413fc6 Binary files /dev/null and b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.ttf differ 
diff --git a/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.woff b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.woff
new file mode 100644
index 0000000..9e61285
Binary files /dev/null and b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.woff differ
diff --git a/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.woff2 b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.woff2
new file mode 100644
index 0000000..64539b5
Binary files /dev/null and b/csf/ui/images/bootstrap/fonts/glyphicons-halflings-regular.woff2 differ
diff --git a/csf/ui/images/bootstrap/js/bootstrap.min.js b/csf/ui/images/bootstrap/js/bootstrap.min.js
new file mode 100644
index 0000000..07cf295
--- /dev/null
+++ b/csf/ui/images/bootstrap/js/bootstrap.min.js
@@ -0,0 +1,7 @@ +/*! + * Bootstrap v3.3.7 (http://getbootstrap.com) + * Copyright 2011-2017 Twitter, Inc. + * Licensed under the MIT license + */ +if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(a){"use strict";var b=a.fn.jquery.split(" ")[0].split(".");if(b[0]<2&&b[1]<9||1==b[0]&&9==b[1]&&b[2]<1||b[0]>3)throw new Error("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher, but lower than version 4")}(jQuery),+function(a){"use strict";function b(){var a=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var c in b)if(void 0!==a.style[c])return{end:b[c]};return!1}a.fn.emulateTransitionEnd=function(b){var c=!1,d=this;a(this).one("bsTransitionEnd",function(){c=!0});var e=function(){c||a(d).trigger(a.support.transition.end)};return setTimeout(e,b),this},a(function(){a.support.transition=b(),a.support.transition&&(a.event.special.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.support.transition.end,handle:function(b){if(a(b.target).is(this))return b.handleObj.handler.apply(this,arguments)}})})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var c=a(this),e=c.data("bs.alert");e||c.data("bs.alert",e=new d(this)),"string"==typeof b&&e[b].call(c)})}var c='[data-dismiss="alert"]',d=function(b){a(b).on("click",c,this.close)};d.VERSION="3.3.7",d.TRANSITION_DURATION=150,d.prototype.close=function(b){function c(){g.detach().trigger("closed.bs.alert").remove()}var e=a(this),f=e.attr("data-target");f||(f=e.attr("href"),f=f&&f.replace(/.*(?=#[^\s]*$)/,""));var g=a("#"===f?[]:f);b&&b.preventDefault(),g.length||(g=e.closest(".alert")),g.trigger(b=a.Event("close.bs.alert")),b.isDefaultPrevented()||(g.removeClass("in"),a.support.transition&&g.hasClass("fade")?g.one("bsTransitionEnd",c).emulateTransitionEnd(d.TRANSITION_DURATION):c())};var 
e=a.fn.alert;a.fn.alert=b,a.fn.alert.Constructor=d,a.fn.alert.noConflict=function(){return a.fn.alert=e,this},a(document).on("click.bs.alert.data-api",c,d.prototype.close)}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.button"),f="object"==typeof b&&b;e||d.data("bs.button",e=new c(this,f)),"toggle"==b?e.toggle():b&&e.setState(b)})}var c=function(b,d){this.$element=a(b),this.options=a.extend({},c.DEFAULTS,d),this.isLoading=!1};c.VERSION="3.3.7",c.DEFAULTS={loadingText:"loading..."},c.prototype.setState=function(b){var c="disabled",d=this.$element,e=d.is("input")?"val":"html",f=d.data();b+="Text",null==f.resetText&&d.data("resetText",d[e]()),setTimeout(a.proxy(function(){d[e](null==f[b]?this.options[b]:f[b]),"loadingText"==b?(this.isLoading=!0,d.addClass(c).attr(c,c).prop(c,!0)):this.isLoading&&(this.isLoading=!1,d.removeClass(c).removeAttr(c).prop(c,!1))},this),0)},c.prototype.toggle=function(){var a=!0,b=this.$element.closest('[data-toggle="buttons"]');if(b.length){var c=this.$element.find("input");"radio"==c.prop("type")?(c.prop("checked")&&(a=!1),b.find(".active").removeClass("active"),this.$element.addClass("active")):"checkbox"==c.prop("type")&&(c.prop("checked")!==this.$element.hasClass("active")&&(a=!1),this.$element.toggleClass("active")),c.prop("checked",this.$element.hasClass("active")),a&&c.trigger("change")}else this.$element.attr("aria-pressed",!this.$element.hasClass("active")),this.$element.toggleClass("active")};var d=a.fn.button;a.fn.button=b,a.fn.button.Constructor=c,a.fn.button.noConflict=function(){return a.fn.button=d,this},a(document).on("click.bs.button.data-api",'[data-toggle^="button"]',function(c){var d=a(c.target).closest(".btn");b.call(d,"toggle"),a(c.target).is('input[type="radio"], input[type="checkbox"]')||(c.preventDefault(),d.is("input,button")?d.trigger("focus"):d.find("input:visible,button:visible").first().trigger("focus"))}).on("focus.bs.button.data-api 
blur.bs.button.data-api",'[data-toggle^="button"]',function(b){a(b.target).closest(".btn").toggleClass("focus",/^focus(in)?$/.test(b.type))})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.carousel"),f=a.extend({},c.DEFAULTS,d.data(),"object"==typeof b&&b),g="string"==typeof b?b:f.slide;e||d.data("bs.carousel",e=new c(this,f)),"number"==typeof b?e.to(b):g?e[g]():f.interval&&e.pause().cycle()})}var c=function(b,c){this.$element=a(b),this.$indicators=this.$element.find(".carousel-indicators"),this.options=c,this.paused=null,this.sliding=null,this.interval=null,this.$active=null,this.$items=null,this.options.keyboard&&this.$element.on("keydown.bs.carousel",a.proxy(this.keydown,this)),"hover"==this.options.pause&&!("ontouchstart"in document.documentElement)&&this.$element.on("mouseenter.bs.carousel",a.proxy(this.pause,this)).on("mouseleave.bs.carousel",a.proxy(this.cycle,this))};c.VERSION="3.3.7",c.TRANSITION_DURATION=600,c.DEFAULTS={interval:5e3,pause:"hover",wrap:!0,keyboard:!0},c.prototype.keydown=function(a){if(!/input|textarea/i.test(a.target.tagName)){switch(a.which){case 37:this.prev();break;case 39:this.next();break;default:return}a.preventDefault()}},c.prototype.cycle=function(b){return b||(this.paused=!1),this.interval&&clearInterval(this.interval),this.options.interval&&!this.paused&&(this.interval=setInterval(a.proxy(this.next,this),this.options.interval)),this},c.prototype.getItemIndex=function(a){return this.$items=a.parent().children(".item"),this.$items.index(a||this.$active)},c.prototype.getItemForDirection=function(a,b){var c=this.getItemIndex(b),d="prev"==a&&0===c||"next"==a&&c==this.$items.length-1;if(d&&!this.options.wrap)return b;var e="prev"==a?-1:1,f=(c+e)%this.$items.length;return this.$items.eq(f)},c.prototype.to=function(a){var b=this,c=this.getItemIndex(this.$active=this.$element.find(".item.active"));if(!(a>this.$items.length-1||a<0))return 
this.sliding?this.$element.one("slid.bs.carousel",function(){b.to(a)}):c==a?this.pause().cycle():this.slide(a>c?"next":"prev",this.$items.eq(a))},c.prototype.pause=function(b){return b||(this.paused=!0),this.$element.find(".next, .prev").length&&a.support.transition&&(this.$element.trigger(a.support.transition.end),this.cycle(!0)),this.interval=clearInterval(this.interval),this},c.prototype.next=function(){if(!this.sliding)return this.slide("next")},c.prototype.prev=function(){if(!this.sliding)return this.slide("prev")},c.prototype.slide=function(b,d){var e=this.$element.find(".item.active"),f=d||this.getItemForDirection(b,e),g=this.interval,h="next"==b?"left":"right",i=this;if(f.hasClass("active"))return this.sliding=!1;var j=f[0],k=a.Event("slide.bs.carousel",{relatedTarget:j,direction:h});if(this.$element.trigger(k),!k.isDefaultPrevented()){if(this.sliding=!0,g&&this.pause(),this.$indicators.length){this.$indicators.find(".active").removeClass("active");var l=a(this.$indicators.children()[this.getItemIndex(f)]);l&&l.addClass("active")}var m=a.Event("slid.bs.carousel",{relatedTarget:j,direction:h});return a.support.transition&&this.$element.hasClass("slide")?(f.addClass(b),f[0].offsetWidth,e.addClass(h),f.addClass(h),e.one("bsTransitionEnd",function(){f.removeClass([b,h].join(" ")).addClass("active"),e.removeClass(["active",h].join(" ")),i.sliding=!1,setTimeout(function(){i.$element.trigger(m)},0)}).emulateTransitionEnd(c.TRANSITION_DURATION)):(e.removeClass("active"),f.addClass("active"),this.sliding=!1,this.$element.trigger(m)),g&&this.cycle(),this}};var d=a.fn.carousel;a.fn.carousel=b,a.fn.carousel.Constructor=c,a.fn.carousel.noConflict=function(){return a.fn.carousel=d,this};var e=function(c){var d,e=a(this),f=a(e.attr("data-target")||(d=e.attr("href"))&&d.replace(/.*(?=#[^\s]+$)/,""));if(f.hasClass("carousel")){var 
g=a.extend({},f.data(),e.data()),h=e.attr("data-slide-to");h&&(g.interval=!1),b.call(f,g),h&&f.data("bs.carousel").to(h),c.preventDefault()}};a(document).on("click.bs.carousel.data-api","[data-slide]",e).on("click.bs.carousel.data-api","[data-slide-to]",e),a(window).on("load",function(){a('[data-ride="carousel"]').each(function(){var c=a(this);b.call(c,c.data())})})}(jQuery),+function(a){"use strict";function b(b){var c,d=b.attr("data-target")||(c=b.attr("href"))&&c.replace(/.*(?=#[^\s]+$)/,"");return a(d)}function c(b){return this.each(function(){var c=a(this),e=c.data("bs.collapse"),f=a.extend({},d.DEFAULTS,c.data(),"object"==typeof b&&b);!e&&f.toggle&&/show|hide/.test(b)&&(f.toggle=!1),e||c.data("bs.collapse",e=new d(this,f)),"string"==typeof b&&e[b]()})}var d=function(b,c){this.$element=a(b),this.options=a.extend({},d.DEFAULTS,c),this.$trigger=a('[data-toggle="collapse"][href="#'+b.id+'"],[data-toggle="collapse"][data-target="#'+b.id+'"]'),this.transitioning=null,this.options.parent?this.$parent=this.getParent():this.addAriaAndCollapsedClass(this.$element,this.$trigger),this.options.toggle&&this.toggle()};d.VERSION="3.3.7",d.TRANSITION_DURATION=350,d.DEFAULTS={toggle:!0},d.prototype.dimension=function(){var a=this.$element.hasClass("width");return a?"width":"height"},d.prototype.show=function(){if(!this.transitioning&&!this.$element.hasClass("in")){var b,e=this.$parent&&this.$parent.children(".panel").children(".in, .collapsing");if(!(e&&e.length&&(b=e.data("bs.collapse"),b&&b.transitioning))){var f=a.Event("show.bs.collapse");if(this.$element.trigger(f),!f.isDefaultPrevented()){e&&e.length&&(c.call(e,"hide"),b||e.data("bs.collapse",null));var g=this.dimension();this.$element.removeClass("collapse").addClass("collapsing")[g](0).attr("aria-expanded",!0),this.$trigger.removeClass("collapsed").attr("aria-expanded",!0),this.transitioning=1;var h=function(){this.$element.removeClass("collapsing").addClass("collapse 
in")[g](""),this.transitioning=0,this.$element.trigger("shown.bs.collapse")};if(!a.support.transition)return h.call(this);var i=a.camelCase(["scroll",g].join("-"));this.$element.one("bsTransitionEnd",a.proxy(h,this)).emulateTransitionEnd(d.TRANSITION_DURATION)[g](this.$element[0][i])}}}},d.prototype.hide=function(){if(!this.transitioning&&this.$element.hasClass("in")){var b=a.Event("hide.bs.collapse");if(this.$element.trigger(b),!b.isDefaultPrevented()){var c=this.dimension();this.$element[c](this.$element[c]())[0].offsetHeight,this.$element.addClass("collapsing").removeClass("collapse in").attr("aria-expanded",!1),this.$trigger.addClass("collapsed").attr("aria-expanded",!1),this.transitioning=1;var e=function(){this.transitioning=0,this.$element.removeClass("collapsing").addClass("collapse").trigger("hidden.bs.collapse")};return a.support.transition?void this.$element[c](0).one("bsTransitionEnd",a.proxy(e,this)).emulateTransitionEnd(d.TRANSITION_DURATION):e.call(this)}}},d.prototype.toggle=function(){this[this.$element.hasClass("in")?"hide":"show"]()},d.prototype.getParent=function(){return a(this.options.parent).find('[data-toggle="collapse"][data-parent="'+this.options.parent+'"]').each(a.proxy(function(c,d){var e=a(d);this.addAriaAndCollapsedClass(b(e),e)},this)).end()},d.prototype.addAriaAndCollapsedClass=function(a,b){var c=a.hasClass("in");a.attr("aria-expanded",c),b.toggleClass("collapsed",!c).attr("aria-expanded",c)};var e=a.fn.collapse;a.fn.collapse=c,a.fn.collapse.Constructor=d,a.fn.collapse.noConflict=function(){return a.fn.collapse=e,this},a(document).on("click.bs.collapse.data-api",'[data-toggle="collapse"]',function(d){var e=a(this);e.attr("data-target")||d.preventDefault();var f=b(e),g=f.data("bs.collapse"),h=g?"toggle":e.data();c.call(f,h)})}(jQuery),+function(a){"use strict";function b(b){var c=b.attr("data-target");c||(c=b.attr("href"),c=c&&/#[A-Za-z]/.test(c)&&c.replace(/.*(?=#[^\s]*$)/,""));var d=c&&a(c);return d&&d.length?d:b.parent()}function 
c(c){c&&3===c.which||(a(e).remove(),a(f).each(function(){var d=a(this),e=b(d),f={relatedTarget:this};e.hasClass("open")&&(c&&"click"==c.type&&/input|textarea/i.test(c.target.tagName)&&a.contains(e[0],c.target)||(e.trigger(c=a.Event("hide.bs.dropdown",f)),c.isDefaultPrevented()||(d.attr("aria-expanded","false"),e.removeClass("open").trigger(a.Event("hidden.bs.dropdown",f)))))}))}function d(b){return this.each(function(){var c=a(this),d=c.data("bs.dropdown");d||c.data("bs.dropdown",d=new g(this)),"string"==typeof b&&d[b].call(c)})}var e=".dropdown-backdrop",f='[data-toggle="dropdown"]',g=function(b){a(b).on("click.bs.dropdown",this.toggle)};g.VERSION="3.3.7",g.prototype.toggle=function(d){var e=a(this);if(!e.is(".disabled, :disabled")){var f=b(e),g=f.hasClass("open");if(c(),!g){"ontouchstart"in document.documentElement&&!f.closest(".navbar-nav").length&&a(document.createElement("div")).addClass("dropdown-backdrop").insertAfter(a(this)).on("click",c);var h={relatedTarget:this};if(f.trigger(d=a.Event("show.bs.dropdown",h)),d.isDefaultPrevented())return;e.trigger("focus").attr("aria-expanded","true"),f.toggleClass("open").trigger(a.Event("shown.bs.dropdown",h))}return!1}},g.prototype.keydown=function(c){if(/(38|40|27|32)/.test(c.which)&&!/input|textarea/i.test(c.target.tagName)){var d=a(this);if(c.preventDefault(),c.stopPropagation(),!d.is(".disabled, :disabled")){var e=b(d),g=e.hasClass("open");if(!g&&27!=c.which||g&&27==c.which)return 27==c.which&&e.find(f).trigger("focus"),d.trigger("click");var h=" li:not(.disabled):visible a",i=e.find(".dropdown-menu"+h);if(i.length){var j=i.index(c.target);38==c.which&&j>0&&j--,40==c.which&&jdocument.documentElement.clientHeight;this.$element.css({paddingLeft:!this.bodyIsOverflowing&&a?this.scrollbarWidth:"",paddingRight:this.bodyIsOverflowing&&!a?this.scrollbarWidth:""})},c.prototype.resetAdjustments=function(){this.$element.css({paddingLeft:"",paddingRight:""})},c.prototype.checkScrollbar=function(){var 
a=window.innerWidth;if(!a){var b=document.documentElement.getBoundingClientRect();a=b.right-Math.abs(b.left)}this.bodyIsOverflowing=document.body.clientWidth
        ',trigger:"hover focus",title:"",delay:0,html:!1,container:!1,viewport:{selector:"body",padding:0}},c.prototype.init=function(b,c,d){if(this.enabled=!0,this.type=b,this.$element=a(c),this.options=this.getOptions(d),this.$viewport=this.options.viewport&&a(a.isFunction(this.options.viewport)?this.options.viewport.call(this,this.$element):this.options.viewport.selector||this.options.viewport),this.inState={click:!1,hover:!1,focus:!1},this.$element[0]instanceof document.constructor&&!this.options.selector)throw new Error("`selector` option must be specified when initializing "+this.type+" on the window.document object!");for(var e=this.options.trigger.split(" "),f=e.length;f--;){var g=e[f];if("click"==g)this.$element.on("click."+this.type,this.options.selector,a.proxy(this.toggle,this));else if("manual"!=g){var h="hover"==g?"mouseenter":"focusin",i="hover"==g?"mouseleave":"focusout";this.$element.on(h+"."+this.type,this.options.selector,a.proxy(this.enter,this)),this.$element.on(i+"."+this.type,this.options.selector,a.proxy(this.leave,this))}}this.options.selector?this._options=a.extend({},this.options,{trigger:"manual",selector:""}):this.fixTitle()},c.prototype.getDefaults=function(){return c.DEFAULTS},c.prototype.getOptions=function(b){return b=a.extend({},this.getDefaults(),this.$element.data(),b),b.delay&&"number"==typeof b.delay&&(b.delay={show:b.delay,hide:b.delay}),b},c.prototype.getDelegateOptions=function(){var b={},c=this.getDefaults();return this._options&&a.each(this._options,function(a,d){c[a]!=d&&(b[a]=d)}),b},c.prototype.enter=function(b){var c=b instanceof this.constructor?b:a(b.currentTarget).data("bs."+this.type);return c||(c=new this.constructor(b.currentTarget,this.getDelegateOptions()),a(b.currentTarget).data("bs."+this.type,c)),b instanceof 
a.Event&&(c.inState["focusin"==b.type?"focus":"hover"]=!0),c.tip().hasClass("in")||"in"==c.hoverState?void(c.hoverState="in"):(clearTimeout(c.timeout),c.hoverState="in",c.options.delay&&c.options.delay.show?void(c.timeout=setTimeout(function(){"in"==c.hoverState&&c.show()},c.options.delay.show)):c.show())},c.prototype.isInStateTrue=function(){for(var a in this.inState)if(this.inState[a])return!0;return!1},c.prototype.leave=function(b){var c=b instanceof this.constructor?b:a(b.currentTarget).data("bs."+this.type);if(c||(c=new this.constructor(b.currentTarget,this.getDelegateOptions()),a(b.currentTarget).data("bs."+this.type,c)),b instanceof a.Event&&(c.inState["focusout"==b.type?"focus":"hover"]=!1),!c.isInStateTrue())return clearTimeout(c.timeout),c.hoverState="out",c.options.delay&&c.options.delay.hide?void(c.timeout=setTimeout(function(){"out"==c.hoverState&&c.hide()},c.options.delay.hide)):c.hide()},c.prototype.show=function(){var b=a.Event("show.bs."+this.type);if(this.hasContent()&&this.enabled){this.$element.trigger(b);var d=a.contains(this.$element[0].ownerDocument.documentElement,this.$element[0]);if(b.isDefaultPrevented()||!d)return;var e=this,f=this.tip(),g=this.getUID(this.type);this.setContent(),f.attr("id",g),this.$element.attr("aria-describedby",g),this.options.animation&&f.addClass("fade");var h="function"==typeof this.options.placement?this.options.placement.call(this,f[0],this.$element[0]):this.options.placement,i=/\s?auto?\s?/i,j=i.test(h);j&&(h=h.replace(i,"")||"top"),f.detach().css({top:0,left:0,display:"block"}).addClass(h).data("bs."+this.type,this),this.options.container?f.appendTo(this.options.container):f.insertAfter(this.$element),this.$element.trigger("inserted.bs."+this.type);var k=this.getPosition(),l=f[0].offsetWidth,m=f[0].offsetHeight;if(j){var n=h,o=this.getPosition(this.$viewport);h="bottom"==h&&k.bottom+m>o.bottom?"top":"top"==h&&k.top-mo.width?"left":"left"==h&&k.left-lg.top+g.height&&(e.top=g.top+g.height-i)}else{var 
j=b.left-f,k=b.left+f+c;jg.right&&(e.left=g.left+g.width-k)}return e},c.prototype.getTitle=function(){var a,b=this.$element,c=this.options;return a=b.attr("data-original-title")||("function"==typeof c.title?c.title.call(b[0]):c.title)},c.prototype.getUID=function(a){do a+=~~(1e6*Math.random());while(document.getElementById(a));return a},c.prototype.tip=function(){if(!this.$tip&&(this.$tip=a(this.options.template),1!=this.$tip.length))throw new Error(this.type+" `template` option must consist of exactly 1 top-level element!");return this.$tip},c.prototype.arrow=function(){return this.$arrow=this.$arrow||this.tip().find(".tooltip-arrow")},c.prototype.enable=function(){this.enabled=!0},c.prototype.disable=function(){this.enabled=!1},c.prototype.toggleEnabled=function(){this.enabled=!this.enabled},c.prototype.toggle=function(b){var c=this;b&&(c=a(b.currentTarget).data("bs."+this.type),c||(c=new this.constructor(b.currentTarget,this.getDelegateOptions()),a(b.currentTarget).data("bs."+this.type,c))),b?(c.inState.click=!c.inState.click,c.isInStateTrue()?c.enter(c):c.leave(c)):c.tip().hasClass("in")?c.leave(c):c.enter(c)},c.prototype.destroy=function(){var a=this;clearTimeout(this.timeout),this.hide(function(){a.$element.off("."+a.type).removeData("bs."+a.type),a.$tip&&a.$tip.detach(),a.$tip=null,a.$arrow=null,a.$viewport=null,a.$element=null})};var d=a.fn.tooltip;a.fn.tooltip=b,a.fn.tooltip.Constructor=c,a.fn.tooltip.noConflict=function(){return a.fn.tooltip=d,this}}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.popover"),f="object"==typeof b&&b;!e&&/destroy|hide/.test(b)||(e||d.data("bs.popover",e=new c(this,f)),"string"==typeof b&&e[b]())})}var c=function(a,b){this.init("popover",a,b)};if(!a.fn.tooltip)throw new Error("Popover requires 
tooltip.js");c.VERSION="3.3.7",c.DEFAULTS=a.extend({},a.fn.tooltip.Constructor.DEFAULTS,{placement:"right",trigger:"click",content:"",template:''}),c.prototype=a.extend({},a.fn.tooltip.Constructor.prototype),c.prototype.constructor=c,c.prototype.getDefaults=function(){return c.DEFAULTS},c.prototype.setContent=function(){var a=this.tip(),b=this.getTitle(),c=this.getContent();a.find(".popover-title")[this.options.html?"html":"text"](b),a.find(".popover-content").children().detach().end()[this.options.html?"string"==typeof c?"html":"append":"text"](c),a.removeClass("fade top bottom left right in"),a.find(".popover-title").html()||a.find(".popover-title").hide()},c.prototype.hasContent=function(){return this.getTitle()||this.getContent()},c.prototype.getContent=function(){var a=this.$element,b=this.options;return a.attr("data-content")||("function"==typeof b.content?b.content.call(a[0]):b.content)},c.prototype.arrow=function(){return this.$arrow=this.$arrow||this.tip().find(".arrow")};var d=a.fn.popover;a.fn.popover=b,a.fn.popover.Constructor=c,a.fn.popover.noConflict=function(){return a.fn.popover=d,this}}(jQuery),+function(a){"use strict";function b(c,d){this.$body=a(document.body),this.$scrollElement=a(a(c).is(document.body)?window:c),this.options=a.extend({},b.DEFAULTS,d),this.selector=(this.options.target||"")+" .nav li > a",this.offsets=[],this.targets=[],this.activeTarget=null,this.scrollHeight=0,this.$scrollElement.on("scroll.bs.scrollspy",a.proxy(this.process,this)),this.refresh(),this.process()}function c(c){return this.each(function(){var d=a(this),e=d.data("bs.scrollspy"),f="object"==typeof c&&c;e||d.data("bs.scrollspy",e=new b(this,f)),"string"==typeof c&&e[c]()})}b.VERSION="3.3.7",b.DEFAULTS={offset:10},b.prototype.getScrollHeight=function(){return this.$scrollElement[0].scrollHeight||Math.max(this.$body[0].scrollHeight,document.documentElement.scrollHeight)},b.prototype.refresh=function(){var 
b=this,c="offset",d=0;this.offsets=[],this.targets=[],this.scrollHeight=this.getScrollHeight(),a.isWindow(this.$scrollElement[0])||(c="position",d=this.$scrollElement.scrollTop()),this.$body.find(this.selector).map(function(){var b=a(this),e=b.data("target")||b.attr("href"),f=/^#./.test(e)&&a(e);return f&&f.length&&f.is(":visible")&&[[f[c]().top+d,e]]||null}).sort(function(a,b){return a[0]-b[0]}).each(function(){b.offsets.push(this[0]),b.targets.push(this[1])})},b.prototype.process=function(){var a,b=this.$scrollElement.scrollTop()+this.options.offset,c=this.getScrollHeight(),d=this.options.offset+c-this.$scrollElement.height(),e=this.offsets,f=this.targets,g=this.activeTarget;if(this.scrollHeight!=c&&this.refresh(),b>=d)return g!=(a=f[f.length-1])&&this.activate(a);if(g&&b=e[a]&&(void 0===e[a+1]||b .dropdown-menu > .active").removeClass("active").end().find('[data-toggle="tab"]').attr("aria-expanded",!1),b.addClass("active").find('[data-toggle="tab"]').attr("aria-expanded",!0),h?(b[0].offsetWidth,b.addClass("in")):b.removeClass("fade"),b.parent(".dropdown-menu").length&&b.closest("li.dropdown").addClass("active").end().find('[data-toggle="tab"]').attr("aria-expanded",!0),e&&e()}var g=d.find("> .active"),h=e&&a.support.transition&&(g.length&&g.hasClass("fade")||!!d.find("> .fade").length);g.length&&h?g.one("bsTransitionEnd",f).emulateTransitionEnd(c.TRANSITION_DURATION):f(),g.removeClass("in")};var d=a.fn.tab;a.fn.tab=b,a.fn.tab.Constructor=c,a.fn.tab.noConflict=function(){return a.fn.tab=d,this};var e=function(c){c.preventDefault(),b.call(a(this),"show")};a(document).on("click.bs.tab.data-api",'[data-toggle="tab"]',e).on("click.bs.tab.data-api",'[data-toggle="pill"]',e)}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.affix"),f="object"==typeof b&&b;e||d.data("bs.affix",e=new c(this,f)),"string"==typeof b&&e[b]()})}var 
c=function(b,d){this.options=a.extend({},c.DEFAULTS,d),this.$target=a(this.options.target).on("scroll.bs.affix.data-api",a.proxy(this.checkPosition,this)).on("click.bs.affix.data-api",a.proxy(this.checkPositionWithEventLoop,this)),this.$element=a(b),this.affixed=null,this.unpin=null,this.pinnedOffset=null,this.checkPosition()};c.VERSION="3.3.7",c.RESET="affix affix-top affix-bottom",c.DEFAULTS={offset:0,target:window},c.prototype.getState=function(a,b,c,d){var e=this.$target.scrollTop(),f=this.$element.offset(),g=this.$target.height();if(null!=c&&"top"==this.affixed)return e=a-d&&"bottom"},c.prototype.getPinnedOffset=function(){if(this.pinnedOffset)return this.pinnedOffset;this.$element.removeClass(c.RESET).addClass("affix");var a=this.$target.scrollTop(),b=this.$element.offset();return this.pinnedOffset=b.top-a},c.prototype.checkPositionWithEventLoop=function(){setTimeout(a.proxy(this.checkPosition,this),1)},c.prototype.checkPosition=function(){if(this.$element.is(":visible")){var b=this.$element.height(),d=this.options.offset,e=d.top,f=d.bottom,g=Math.max(a(document).height(),a(document.body).height());"object"!=typeof d&&(f=e=d),"function"==typeof e&&(e=d.top(this.$element)),"function"==typeof f&&(f=d.bottom(this.$element));var h=this.getState(g,b,e,f);if(this.affixed!=h){null!=this.unpin&&this.$element.css("top","");var i="affix"+(h?"-"+h:""),j=a.Event(i+".bs.affix");if(this.$element.trigger(j),j.isDefaultPrevented())return;this.affixed=h,this.unpin="bottom"==h?this.getPinnedOffset():null,this.$element.removeClass(c.RESET).addClass(i).trigger(i.replace("affix","affixed")+".bs.affix")}"bottom"==h&&this.$element.offset({top:g-b-f})}};var d=a.fn.affix;a.fn.affix=b,a.fn.affix.Constructor=c,a.fn.affix.noConflict=function(){return a.fn.affix=d,this},a(window).on("load",function(){a('[data-spy="affix"]').each(function(){var 
c=a(this),d=c.data();d.offset=d.offset||{},null!=d.offsetBottom&&(d.offset.bottom=d.offsetBottom),null!=d.offsetTop&&(d.offset.top=d.offsetTop),b.call(c,d)})})}(jQuery);
\ No newline at end of file
diff --git a/csf/ui/images/chosen-sprite.png b/csf/ui/images/chosen-sprite.png
new file mode 100644
index 0000000..3611ae4
Binary files /dev/null and b/csf/ui/images/chosen-sprite.png differ
diff --git a/csf/ui/images/chosen-sprite@2x.png b/csf/ui/images/chosen-sprite@2x.png
new file mode 100644
index 0000000..ffe4d7d
Binary files /dev/null and b/csf/ui/images/chosen-sprite@2x.png differ
diff --git a/csf/ui/images/chosen.jquery.min.js b/csf/ui/images/chosen.jquery.min.js
new file mode 100644
index 0000000..d67677f
--- /dev/null
+++ b/csf/ui/images/chosen.jquery.min.js
@@ -0,0 +1,3 @@ +/* Chosen v1.8.2 | (c) 2011-2017 by Harvest | MIT License, https://github.com/harvesthq/chosen/blob/master/LICENSE.md */ + +(function(){var t,e,s,i,n=function(t,e){return function(){return t.apply(e,arguments)}},r=function(t,e){function s(){this.constructor=t}for(var i in e)o.call(e,i)&&(t[i]=e[i]);return s.prototype=e.prototype,t.prototype=new s,t.__super__=e.prototype,t},o={}.hasOwnProperty;(i=function(){function t(){this.options_index=0,this.parsed=[]}return t.prototype.add_node=function(t){return"OPTGROUP"===t.nodeName.toUpperCase()?this.add_group(t):this.add_option(t)},t.prototype.add_group=function(t){var e,s,i,n,r,o;for(e=this.parsed.length,this.parsed.push({array_index:e,group:!0,label:t.label,title:t.title?t.title:void 0,children:0,disabled:t.disabled,classes:t.className}),o=[],s=0,i=(r=t.childNodes).length;s"+t.group_label+""+t.html:t.html},t.prototype.mouse_enter=function(){return this.mouse_on_container=!0},t.prototype.mouse_leave=function(){return this.mouse_on_container=!1},t.prototype.input_focus=function(t){if(this.is_multiple){if(!this.active_field)return setTimeout(function(t){return function(){return t.container_mousedown()}}(this),50)}else if(!this.active_field)return this.activate_field()},t.prototype.input_blur=function(t){if(!this.mouse_on_container)return this.active_field=!1,setTimeout(function(t){return function(){return t.blur_test()}}(this),100)},t.prototype.label_click_handler=function(t){return this.is_multiple?this.container_mousedown(t):this.activate_field()},t.prototype.results_option_build=function(t){var e,s,i,n,r,o,h;for(e="",h=0,n=0,r=(o=this.results_data).length;n=this.max_shown_results));n++);return e},t.prototype.result_add_option=function(t){var e,s;return 
t.search_match&&this.include_option_in_results(t)?(e=[],t.disabled||t.selected&&this.is_multiple||e.push("active-result"),!t.disabled||t.selected&&this.is_multiple||e.push("disabled-result"),t.selected&&e.push("result-selected"),null!=t.group_array_index&&e.push("group-option"),""!==t.classes&&e.push(t.classes),s=document.createElement("li"),s.className=e.join(" "),s.style.cssText=t.style,s.setAttribute("data-option-array-index",t.array_index),s.innerHTML=t.highlighted_html||t.html,t.title&&(s.title=t.title),this.outerHTML(s)):""},t.prototype.result_add_group=function(t){var e,s;return(t.search_match||t.group_match)&&t.active_options>0?((e=[]).push("group-result"),t.classes&&e.push(t.classes),s=document.createElement("li"),s.className=e.join(" "),s.innerHTML=t.highlighted_html||this.escape_html(t.label),t.title&&(s.title=t.title),this.outerHTML(s)):""},t.prototype.results_update_field=function(){if(this.set_default_text(),this.is_multiple||this.results_reset_cleanup(),this.result_clear_highlight(),this.results_build(),this.results_showing)return this.winnow_results()},t.prototype.reset_single_select_options=function(){var t,e,s,i,n;for(n=[],t=0,e=(s=this.results_data).length;t"+this.escape_html(e)+""+this.escape_html(d)),null!=_&&(_.group_match=!0)):null!=n.group_array_index&&this.results_data[n.group_array_index].search_match&&(n.search_match=!0)));return this.result_clear_highlight(),c<1&&o.length?(this.update_results_content(""),this.no_results(o)):(this.update_results_content(this.results_option_build()),this.winnow_results_set_highlight())},t.prototype.get_search_regex=function(t){var e,s;return s=this.search_contains?t:"(^|\\s|\\b)"+t+"[^\\s]*",this.enable_split_word_search||this.search_contains||(s="^"+s),e=this.case_sensitive_search?"":"i",new RegExp(s,e)},t.prototype.search_string_match=function(t,e){var s;return s=e.exec(t),!this.search_contains&&(null!=s?s[1]:void 0)&&(s.index+=1),s},t.prototype.choices_count=function(){var 
t,e,s;if(null!=this.selected_option_count)return this.selected_option_count;for(this.selected_option_count=0,t=0,e=(s=this.form_field.options).length;t0?this.keydown_backstroke():this.pending_backstroke||(this.result_clear_highlight(),this.results_search());break;case 13:t.preventDefault(),this.results_showing&&this.result_select(t);break;case 27:this.results_showing&&this.results_hide();break;case 9:case 16:case 17:case 18:case 38:case 40:case 91:break;default:this.results_search()}},t.prototype.clipboard_event_checker=function(t){if(!this.is_disabled)return setTimeout(function(t){return function(){return t.results_search()}}(this),50)},t.prototype.container_width=function(){return null!=this.options.width?this.options.width:this.form_field.offsetWidth+"px"},t.prototype.include_option_in_results=function(t){return!(this.is_multiple&&!this.display_selected_options&&t.selected)&&(!(!this.display_disabled_options&&t.disabled)&&!t.empty)},t.prototype.search_results_touchstart=function(t){return this.touch_started=!0,this.search_results_mouseover(t)},t.prototype.search_results_touchmove=function(t){return this.touch_started=!1,this.search_results_mouseout(t)},t.prototype.search_results_touchend=function(t){if(this.touch_started)return this.search_results_mouseup(t)},t.prototype.outerHTML=function(t){var e;return t.outerHTML?t.outerHTML:((e=document.createElement("div")).appendChild(t),e.innerHTML)},t.prototype.get_single_html=function(){return'
        \n '+this.default_text+'\n
        \n
        \n
        \n \n
          \n
          '},t.prototype.get_multi_html=function(){return'
            \n
          • \n \n
          • \n
          \n
          \n
            \n
            '},t.prototype.get_no_results_html=function(t){return'
          • \n '+this.results_none_found+" "+this.escape_html(t)+"\n
          • "},t.browser_is_supported=function(){return"Microsoft Internet Explorer"===window.navigator.appName?document.documentMode>=8:!(/iP(od|hone)/i.test(window.navigator.userAgent)||/IEMobile/i.test(window.navigator.userAgent)||/Windows Phone/i.test(window.navigator.userAgent)||/BlackBerry/i.test(window.navigator.userAgent)||/BB10/i.test(window.navigator.userAgent)||/Android.*Mobile/i.test(window.navigator.userAgent))},t.default_multiple_text="Select Some Options",t.default_single_text="Select an Option",t.default_no_result_text="No results match",t}(),(t=jQuery).fn.extend({chosen:function(i){return e.browser_is_supported()?this.each(function(e){var n,r;r=(n=t(this)).data("chosen"),"destroy"!==i?r instanceof s||n.data("chosen",new s(this,i)):r instanceof s&&r.destroy()}):this}}),s=function(s){function n(){return n.__super__.constructor.apply(this,arguments)}return r(n,e),n.prototype.setup=function(){return this.form_field_jq=t(this.form_field),this.current_selectedIndex=this.form_field.selectedIndex},n.prototype.set_up_html=function(){var e,s;return(e=["chosen-container"]).push("chosen-container-"+(this.is_multiple?"multi":"single")),this.inherit_select_classes&&this.form_field.className&&e.push(this.form_field.className),this.is_rtl&&e.push("chosen-rtl"),s={"class":e.join(" "),title:this.form_field.title},this.form_field.id.length&&(s.id=this.form_field.id.replace(/[^\w]/g,"_")+"_chosen"),this.container=t("
            ",s),this.container.width(this.container_width()),this.is_multiple?this.container.html(this.get_multi_html()):this.container.html(this.get_single_html()),this.form_field_jq.hide().after(this.container),this.dropdown=this.container.find("div.chosen-drop").first(),this.search_field=this.container.find("input").first(),this.search_results=this.container.find("ul.chosen-results").first(),this.search_field_scale(),this.search_no_results=this.container.find("li.no-results").first(),this.is_multiple?(this.search_choices=this.container.find("ul.chosen-choices").first(),this.search_container=this.container.find("li.search-field").first()):(this.search_container=this.container.find("div.chosen-search").first(),this.selected_item=this.container.find(".chosen-single").first()),this.results_build(),this.set_tab_index(),this.set_label_behavior()},n.prototype.on_ready=function(){return this.form_field_jq.trigger("chosen:ready",{chosen:this})},n.prototype.register_observers=function(){return this.container.on("touchstart.chosen",function(t){return function(e){t.container_mousedown(e)}}(this)),this.container.on("touchend.chosen",function(t){return function(e){t.container_mouseup(e)}}(this)),this.container.on("mousedown.chosen",function(t){return function(e){t.container_mousedown(e)}}(this)),this.container.on("mouseup.chosen",function(t){return function(e){t.container_mouseup(e)}}(this)),this.container.on("mouseenter.chosen",function(t){return function(e){t.mouse_enter(e)}}(this)),this.container.on("mouseleave.chosen",function(t){return function(e){t.mouse_leave(e)}}(this)),this.search_results.on("mouseup.chosen",function(t){return function(e){t.search_results_mouseup(e)}}(this)),this.search_results.on("mouseover.chosen",function(t){return function(e){t.search_results_mouseover(e)}}(this)),this.search_results.on("mouseout.chosen",function(t){return function(e){t.search_results_mouseout(e)}}(this)),this.search_results.on("mousewheel.chosen 
DOMMouseScroll.chosen",function(t){return function(e){t.search_results_mousewheel(e)}}(this)),this.search_results.on("touchstart.chosen",function(t){return function(e){t.search_results_touchstart(e)}}(this)),this.search_results.on("touchmove.chosen",function(t){return function(e){t.search_results_touchmove(e)}}(this)),this.search_results.on("touchend.chosen",function(t){return function(e){t.search_results_touchend(e)}}(this)),this.form_field_jq.on("chosen:updated.chosen",function(t){return function(e){t.results_update_field(e)}}(this)),this.form_field_jq.on("chosen:activate.chosen",function(t){return function(e){t.activate_field(e)}}(this)),this.form_field_jq.on("chosen:open.chosen",function(t){return function(e){t.container_mousedown(e)}}(this)),this.form_field_jq.on("chosen:close.chosen",function(t){return function(e){t.close_field(e)}}(this)),this.search_field.on("blur.chosen",function(t){return function(e){t.input_blur(e)}}(this)),this.search_field.on("keyup.chosen",function(t){return function(e){t.keyup_checker(e)}}(this)),this.search_field.on("keydown.chosen",function(t){return function(e){t.keydown_checker(e)}}(this)),this.search_field.on("focus.chosen",function(t){return function(e){t.input_focus(e)}}(this)),this.search_field.on("cut.chosen",function(t){return function(e){t.clipboard_event_checker(e)}}(this)),this.search_field.on("paste.chosen",function(t){return function(e){t.clipboard_event_checker(e)}}(this)),this.is_multiple?this.search_choices.on("click.chosen",function(t){return function(e){t.choices_click(e)}}(this)):this.container.on("click.chosen",function(t){t.preventDefault()})},n.prototype.destroy=function(){return 
t(this.container[0].ownerDocument).off("click.chosen",this.click_test_action),this.form_field_label.length>0&&this.form_field_label.off("click.chosen"),this.search_field[0].tabIndex&&(this.form_field_jq[0].tabIndex=this.search_field[0].tabIndex),this.container.remove(),this.form_field_jq.removeData("chosen"),this.form_field_jq.show()},n.prototype.search_field_disabled=function(){return this.is_disabled=this.form_field.disabled||this.form_field_jq.parents("fieldset").is(":disabled"),this.container.toggleClass("chosen-disabled",this.is_disabled),this.search_field[0].disabled=this.is_disabled,this.is_multiple||this.selected_item.off("focus.chosen",this.activate_field),this.is_disabled?this.close_field():this.is_multiple?void 0:this.selected_item.on("focus.chosen",this.activate_field)},n.prototype.container_mousedown=function(e){var s;if(!this.is_disabled)return!e||"mousedown"!==(s=e.type)&&"touchstart"!==s||this.results_showing||e.preventDefault(),null!=e&&t(e.target).hasClass("search-choice-close")?void 0:(this.active_field?this.is_multiple||!e||t(e.target)[0]!==this.selected_item[0]&&!t(e.target).parents("a.chosen-single").length||(e.preventDefault(),this.results_toggle()):(this.is_multiple&&this.search_field.val(""),t(this.container[0].ownerDocument).on("click.chosen",this.click_test_action),this.results_show()),this.activate_field())},n.prototype.container_mouseup=function(t){if("ABBR"===t.target.nodeName&&!this.is_disabled)return this.results_reset(t)},n.prototype.search_results_mousewheel=function(t){var e;if(t.originalEvent&&(e=t.originalEvent.deltaY||-t.originalEvent.wheelDelta||t.originalEvent.detail),null!=e)return t.preventDefault(),"DOMMouseScroll"===t.type&&(e*=40),this.search_results.scrollTop(e+this.search_results.scrollTop())},n.prototype.blur_test=function(t){if(!this.active_field&&this.container.hasClass("chosen-container-active"))return this.close_field()},n.prototype.close_field=function(){return 
t(this.container[0].ownerDocument).off("click.chosen",this.click_test_action),this.active_field=!1,this.results_hide(),this.container.removeClass("chosen-container-active"),this.clear_backstroke(),this.show_search_field_default(),this.search_field_scale(),this.search_field.blur()},n.prototype.activate_field=function(){if(!this.is_disabled)return this.container.addClass("chosen-container-active"),this.active_field=!0,this.search_field.val(this.search_field.val()),this.search_field.focus()},n.prototype.test_active_click=function(e){var s;return(s=t(e.target).closest(".chosen-container")).length&&this.container[0]===s[0]?this.active_field=!0:this.close_field()},n.prototype.results_build=function(){return this.parsing=!0,this.selected_option_count=null,this.results_data=i.select_to_array(this.form_field),this.is_multiple?this.search_choices.find("li.search-choice").remove():this.is_multiple||(this.single_set_selected_text(),this.disable_search||this.form_field.options.length<=this.disable_search_threshold?(this.search_field[0].readOnly=!0,this.container.addClass("chosen-container-single-nosearch")):(this.search_field[0].readOnly=!1,this.container.removeClass("chosen-container-single-nosearch"))),this.update_results_content(this.results_option_build({first:!0})),this.search_field_disabled(),this.show_search_field_default(),this.search_field_scale(),this.parsing=!1},n.prototype.result_do_highlight=function(t){var e,s,i,n,r;if(t.length){if(this.result_clear_highlight(),this.result_highlight=t,this.result_highlight.addClass("highlighted"),i=parseInt(this.search_results.css("maxHeight"),10),r=this.search_results.scrollTop(),n=i+r,s=this.result_highlight.position().top+this.search_results.scrollTop(),(e=s+this.result_highlight.outerHeight())>=n)return this.search_results.scrollTop(e-i>0?e-i:0);if(s0)return this.form_field_label.on("click.chosen",this.label_click_handler)},n.prototype.show_search_field_default=function(){return 
this.is_multiple&&this.choices_count()<1&&!this.active_field?(this.search_field.val(this.default_text),this.search_field.addClass("default")):(this.search_field.val(""),this.search_field.removeClass("default"))},n.prototype.search_results_mouseup=function(e){var s;if((s=t(e.target).hasClass("active-result")?t(e.target):t(e.target).parents(".active-result").first()).length)return this.result_highlight=s,this.result_select(e),this.search_field.focus()},n.prototype.search_results_mouseover=function(e){var s;if(s=t(e.target).hasClass("active-result")?t(e.target):t(e.target).parents(".active-result").first())return this.result_do_highlight(s)},n.prototype.search_results_mouseout=function(e){if(t(e.target).hasClass("active-result")||t(e.target).parents(".active-result").first())return this.result_clear_highlight()},n.prototype.choice_build=function(e){var s,i;return s=t("
          • ",{"class":"search-choice"}).html(""+this.choice_label(e)+""),e.disabled?s.addClass("search-choice-disabled"):((i=t("",{"class":"search-choice-close","data-option-array-index":e.array_index})).on("click.chosen",function(t){return function(e){return t.choice_destroy_link_click(e)}}(this)),s.append(i)),this.search_container.before(s)},n.prototype.choice_destroy_link_click=function(e){if(e.preventDefault(),e.stopPropagation(),!this.is_disabled)return this.choice_destroy(t(e.target))},n.prototype.choice_destroy=function(t){if(this.result_deselect(t[0].getAttribute("data-option-array-index")))return this.active_field?this.search_field.focus():this.show_search_field_default(),this.is_multiple&&this.choices_count()>0&&this.get_search_field_value().length<1&&this.results_hide(),t.parents("li").first().remove(),this.search_field_scale()},n.prototype.results_reset=function(){if(this.reset_single_select_options(),this.form_field.options[0].selected=!0,this.single_set_selected_text(),this.show_search_field_default(),this.results_reset_cleanup(),this.trigger_form_field_change(),this.active_field)return this.results_hide()},n.prototype.results_reset_cleanup=function(){return this.current_selectedIndex=this.form_field.selectedIndex,this.selected_item.find("abbr").remove()},n.prototype.result_select=function(t){var e,s;if(this.result_highlight)return 
e=this.result_highlight,this.result_clear_highlight(),this.is_multiple&&this.max_selected_options<=this.choices_count()?(this.form_field_jq.trigger("chosen:maxselected",{chosen:this}),!1):(this.is_multiple?e.removeClass("active-result"):this.reset_single_select_options(),e.addClass("result-selected"),s=this.results_data[e[0].getAttribute("data-option-array-index")],s.selected=!0,this.form_field.options[s.options_index].selected=!0,this.selected_option_count=null,this.search_field.val(""),this.is_multiple?this.choice_build(s):this.single_set_selected_text(this.choice_label(s)),this.is_multiple&&(!this.hide_results_on_select||t.metaKey||t.ctrlKey)?this.winnow_results():(this.results_hide(),this.show_search_field_default()),(this.is_multiple||this.form_field.selectedIndex!==this.current_selectedIndex)&&this.trigger_form_field_change({selected:this.form_field.options[s.options_index].value}),this.current_selectedIndex=this.form_field.selectedIndex,t.preventDefault(),this.search_field_scale())},n.prototype.single_set_selected_text=function(t){return null==t&&(t=this.default_text),t===this.default_text?this.selected_item.addClass("chosen-default"):(this.single_deselect_control_build(),this.selected_item.removeClass("chosen-default")),this.selected_item.find("span").html(t)},n.prototype.result_deselect=function(t){var e;return e=this.results_data[t],!this.form_field.options[e.options_index].disabled&&(e.selected=!1,this.form_field.options[e.options_index].selected=!1,this.selected_option_count=null,this.result_clear_highlight(),this.results_showing&&this.winnow_results(),this.trigger_form_field_change({deselected:this.form_field.options[e.options_index].value}),this.search_field_scale(),!0)},n.prototype.single_deselect_control_build=function(){if(this.allow_single_deselect)return 
this.selected_item.find("abbr").length||this.selected_item.find("span").first().after(''),this.selected_item.addClass("chosen-single-with-deselect")},n.prototype.get_search_field_value=function(){return this.search_field.val()},n.prototype.get_search_text=function(){return t.trim(this.get_search_field_value())},n.prototype.escape_html=function(e){return t("
            ").text(e).html()},n.prototype.winnow_results_set_highlight=function(){var t,e;if(e=this.is_multiple?[]:this.search_results.find(".result-selected.active-result"),null!=(t=e.length?e.first():this.search_results.find(".active-result").first()))return this.result_do_highlight(t)},n.prototype.no_results=function(t){var e;return e=this.get_no_results_html(t),this.search_results.append(e),this.form_field_jq.trigger("chosen:no_results",{chosen:this})},n.prototype.no_results_clear=function(){return this.search_results.find(".no-results").remove()},n.prototype.keydown_arrow=function(){var t;return this.results_showing&&this.result_highlight?(t=this.result_highlight.nextAll("li.active-result").first())?this.result_do_highlight(t):void 0:this.results_show()},n.prototype.keyup_arrow=function(){var t;return this.results_showing||this.is_multiple?this.result_highlight?(t=this.result_highlight.prevAll("li.active-result")).length?this.result_do_highlight(t.first()):(this.choices_count()>0&&this.results_hide(),this.result_clear_highlight()):void 0:this.results_show()},n.prototype.keydown_backstroke=function(){var t;return this.pending_backstroke?(this.choice_destroy(this.pending_backstroke.find("a").first()),this.clear_backstroke()):(t=this.search_container.siblings("li.search-choice").last()).length&&!t.hasClass("search-choice-disabled")?(this.pending_backstroke=t,this.single_backstroke_delete?this.keydown_backstroke():this.pending_backstroke.addClass("search-choice-focus")):void 0},n.prototype.clear_backstroke=function(){return this.pending_backstroke&&this.pending_backstroke.removeClass("search-choice-focus"),this.pending_backstroke=null},n.prototype.search_field_scale=function(){var 
e,s,i,n,r,o,h;if(this.is_multiple){for(r={position:"absolute",left:"-1000px",top:"-1000px",display:"none",whiteSpace:"pre"},s=0,i=(o=["fontSize","fontStyle","fontWeight","fontFamily","lineHeight","textTransform","letterSpacing"]).length;s").css(r)).text(this.get_search_field_value()),t("body").append(e),h=e.width()+25,e.remove(),this.container.is(":visible")&&(h=Math.min(this.container.outerWidth()-10,h)),this.search_field.width(h)}},n.prototype.trigger_form_field_change=function(t){return this.form_field_jq.trigger("input",t),this.form_field_jq.trigger("change",t)},n}()}).call(this);
\ No newline at end of file
diff --git a/csf/ui/images/chosen.min.css b/csf/ui/images/chosen.min.css
new file mode 100644
index 0000000..779d83d
--- /dev/null
+++ b/csf/ui/images/chosen.min.css
@@ -0,0 +1,11 @@ +/*! +Chosen, a Select Box Enhancer for jQuery and Prototype +by Patrick Filler for Harvest, http://getharvest.com + +Version 1.8.2 +Full source at https://github.com/harvesthq/chosen +Copyright (c) 2011-2017 Harvest http://getharvest.com + +MIT License, https://github.com/harvesthq/chosen/blob/master/LICENSE.md +This file is generated by `grunt build`, do not edit it by hand. +*/.chosen-container{position:relative;display:inline-block;vertical-align:middle;font-size:13px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none}.chosen-container *{-webkit-box-sizing:border-box;box-sizing:border-box}.chosen-container .chosen-drop{position:absolute;top:100%;z-index:1010;width:100%;border:1px solid #aaa;border-top:0;background:#fff;-webkit-box-shadow:0 4px 5px rgba(0,0,0,.15);box-shadow:0 4px 5px rgba(0,0,0,.15);clip:rect(0,0,0,0)}.chosen-container.chosen-with-drop .chosen-drop{clip:auto}.chosen-container a{cursor:pointer}.chosen-container .chosen-single .group-name,.chosen-container .search-choice .group-name{margin-right:4px;overflow:hidden;white-space:nowrap;text-overflow:ellipsis;font-weight:400;color:#999}.chosen-container .chosen-single .group-name:after,.chosen-container .search-choice .group-name:after{content:":";padding-left:2px;vertical-align:top}.chosen-container-single .chosen-single{position:relative;display:block;overflow:hidden;padding:0 0 0 8px;height:25px;border:1px solid #aaa;border-radius:5px;background-color:#fff;background:-webkit-gradient(linear,left top,left bottom,color-stop(20%,#fff),color-stop(50%,#f6f6f6),color-stop(52%,#eee),to(#f4f4f4));background:linear-gradient(#fff 20%,#f6f6f6 50%,#eee 52%,#f4f4f4 100%);background-clip:padding-box;-webkit-box-shadow:0 0 3px #fff inset,0 1px 1px rgba(0,0,0,.1);box-shadow:0 0 3px #fff inset,0 1px 1px rgba(0,0,0,.1);color:#444;text-decoration:none;white-space:nowrap;line-height:24px}.chosen-container-single .chosen-default{color:#999}.chosen-container-single 
.chosen-single span{display:block;overflow:hidden;margin-right:26px;text-overflow:ellipsis;white-space:nowrap}.chosen-container-single .chosen-single-with-deselect span{margin-right:38px}.chosen-container-single .chosen-single abbr{position:absolute;top:6px;right:26px;display:block;width:12px;height:12px;background:url(chosen-sprite.png) -42px 1px no-repeat;font-size:1px}.chosen-container-single .chosen-single abbr:hover{background-position:-42px -10px}.chosen-container-single.chosen-disabled .chosen-single abbr:hover{background-position:-42px -10px}.chosen-container-single .chosen-single div{position:absolute;top:0;right:0;display:block;width:18px;height:100%}.chosen-container-single .chosen-single div b{display:block;width:100%;height:100%;background:url(chosen-sprite.png) no-repeat 0 2px}.chosen-container-single .chosen-search{position:relative;z-index:1010;margin:0;padding:3px 4px;white-space:nowrap}.chosen-container-single .chosen-search input[type=text]{margin:1px 0;padding:4px 20px 4px 5px;width:100%;height:auto;outline:0;border:1px solid #aaa;background:url(chosen-sprite.png) no-repeat 100% -20px;font-size:1em;font-family:sans-serif;line-height:normal;border-radius:0}.chosen-container-single .chosen-drop{margin-top:-1px;border-radius:0 0 4px 4px;background-clip:padding-box}.chosen-container-single.chosen-container-single-nosearch .chosen-search{position:absolute;clip:rect(0,0,0,0)}.chosen-container .chosen-results{color:#444;position:relative;overflow-x:hidden;overflow-y:auto;margin:0 4px 4px 0;padding:0 0 0 4px;max-height:240px;-webkit-overflow-scrolling:touch}.chosen-container .chosen-results li{display:none;margin:0;padding:5px 6px;list-style:none;line-height:15px;word-wrap:break-word;-webkit-touch-callout:none}.chosen-container .chosen-results li.active-result{display:list-item;cursor:pointer}.chosen-container .chosen-results li.disabled-result{display:list-item;color:#ccc;cursor:default}.chosen-container .chosen-results 
li.highlighted{background-color:#3875d7;background-image:-webkit-gradient(linear,left top,left bottom,color-stop(20%,#3875d7),color-stop(90%,#2a62bc));background-image:linear-gradient(#3875d7 20%,#2a62bc 90%);color:#fff}.chosen-container .chosen-results li.no-results{color:#777;display:list-item;background:#f4f4f4}.chosen-container .chosen-results li.group-result{display:list-item;font-weight:700;cursor:default}.chosen-container .chosen-results li.group-option{padding-left:15px}.chosen-container .chosen-results li em{font-style:normal;text-decoration:underline}.chosen-container-multi .chosen-choices{position:relative;overflow:hidden;margin:0;padding:0 5px;width:100%;height:auto;border:1px solid #aaa;background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,color-stop(1%,#eee),color-stop(15%,#fff));background-image:linear-gradient(#eee 1%,#fff 15%);cursor:text}.chosen-container-multi .chosen-choices li{float:left;list-style:none}.chosen-container-multi .chosen-choices li.search-field{margin:0;padding:0;white-space:nowrap}.chosen-container-multi .chosen-choices li.search-field input[type=text]{margin:1px 0;padding:0;height:25px;outline:0;border:0!important;background:0 0!important;-webkit-box-shadow:none;box-shadow:none;color:#999;font-size:100%;font-family:sans-serif;line-height:normal;border-radius:0;width:25px}.chosen-container-multi .chosen-choices li.search-choice{position:relative;margin:3px 5px 3px 0;padding:3px 20px 3px 5px;border:1px solid #aaa;max-width:100%;border-radius:3px;background-color:#eee;background-image:-webkit-gradient(linear,left top,left bottom,color-stop(20%,#f4f4f4),color-stop(50%,#f0f0f0),color-stop(52%,#e8e8e8),to(#eee));background-image:linear-gradient(#f4f4f4 20%,#f0f0f0 50%,#e8e8e8 52%,#eee 100%);background-size:100% 19px;background-repeat:repeat-x;background-clip:padding-box;-webkit-box-shadow:0 0 2px #fff inset,0 1px 0 rgba(0,0,0,.05);box-shadow:0 0 2px #fff inset,0 1px 0 
rgba(0,0,0,.05);color:#333;line-height:13px;cursor:default}.chosen-container-multi .chosen-choices li.search-choice span{word-wrap:break-word}.chosen-container-multi .chosen-choices li.search-choice .search-choice-close{position:absolute;top:4px;right:3px;display:block;width:12px;height:12px;background:url(chosen-sprite.png) -42px 1px no-repeat;font-size:1px}.chosen-container-multi .chosen-choices li.search-choice .search-choice-close:hover{background-position:-42px -10px}.chosen-container-multi .chosen-choices li.search-choice-disabled{padding-right:5px;border:1px solid #ccc;background-color:#e4e4e4;background-image:-webkit-gradient(linear,left top,left bottom,color-stop(20%,#f4f4f4),color-stop(50%,#f0f0f0),color-stop(52%,#e8e8e8),to(#eee));background-image:linear-gradient(#f4f4f4 20%,#f0f0f0 50%,#e8e8e8 52%,#eee 100%);color:#666}.chosen-container-multi .chosen-choices li.search-choice-focus{background:#d4d4d4}.chosen-container-multi .chosen-choices li.search-choice-focus .search-choice-close{background-position:-42px -10px}.chosen-container-multi .chosen-results{margin:0;padding:0}.chosen-container-multi .chosen-drop .result-selected{display:list-item;color:#ccc;cursor:default}.chosen-container-active .chosen-single{border:1px solid #5897fb;-webkit-box-shadow:0 0 5px rgba(0,0,0,.3);box-shadow:0 0 5px rgba(0,0,0,.3)}.chosen-container-active.chosen-with-drop .chosen-single{border:1px solid #aaa;border-bottom-right-radius:0;border-bottom-left-radius:0;background-image:-webkit-gradient(linear,left top,left bottom,color-stop(20%,#eee),color-stop(80%,#fff));background-image:linear-gradient(#eee 20%,#fff 80%);-webkit-box-shadow:0 1px 0 #fff inset;box-shadow:0 1px 0 #fff inset}.chosen-container-active.chosen-with-drop .chosen-single div{border-left:none;background:0 0}.chosen-container-active.chosen-with-drop .chosen-single div b{background-position:-18px 2px}.chosen-container-active .chosen-choices{border:1px solid #5897fb;-webkit-box-shadow:0 0 5px 
rgba(0,0,0,.3);box-shadow:0 0 5px rgba(0,0,0,.3)}.chosen-container-active .chosen-choices li.search-field input[type=text]{color:#222!important}.chosen-disabled{opacity:.5!important;cursor:default}.chosen-disabled .chosen-single{cursor:default}.chosen-disabled .chosen-choices .search-choice .search-choice-close{cursor:default}.chosen-rtl{text-align:right}.chosen-rtl .chosen-single{overflow:visible;padding:0 8px 0 0}.chosen-rtl .chosen-single span{margin-right:0;margin-left:26px;direction:rtl}.chosen-rtl .chosen-single-with-deselect span{margin-left:38px}.chosen-rtl .chosen-single div{right:auto;left:3px}.chosen-rtl .chosen-single abbr{right:auto;left:26px}.chosen-rtl .chosen-choices li{float:right}.chosen-rtl .chosen-choices li.search-field input[type=text]{direction:rtl}.chosen-rtl .chosen-choices li.search-choice{margin:3px 5px 3px 0;padding:3px 5px 3px 19px}.chosen-rtl .chosen-choices li.search-choice .search-choice-close{right:auto;left:4px}.chosen-rtl.chosen-container-single .chosen-results{margin:0 0 4px 4px;padding:0 4px 0 0}.chosen-rtl .chosen-results li.group-option{padding-right:15px;padding-left:0}.chosen-rtl.chosen-container-active.chosen-with-drop .chosen-single div{border-right:none}.chosen-rtl .chosen-search input[type=text]{padding:4px 5px 4px 20px;background:url(chosen-sprite.png) no-repeat -30px -20px;direction:rtl}.chosen-rtl.chosen-container-single .chosen-single div b{background-position:6px 2px}.chosen-rtl.chosen-container-single.chosen-with-drop .chosen-single div b{background-position:-12px 2px}@media only screen and (-webkit-min-device-pixel-ratio:1.5),only screen and (min-resolution:144dpi),only screen and (min-resolution:1.5dppx){.chosen-container .chosen-results-scroll-down span,.chosen-container .chosen-results-scroll-up span,.chosen-container-multi .chosen-choices .search-choice .search-choice-close,.chosen-container-single .chosen-search input[type=text],.chosen-container-single .chosen-single abbr,.chosen-container-single 
.chosen-single div b,.chosen-rtl .chosen-search input[type=text]{background-image:url(chosen-sprite@2x.png)!important;background-size:52px 37px!important;background-repeat:no-repeat!important}} \ No newline at end of file diff --git a/csf/ui/images/chosen.min.js b/csf/ui/images/chosen.min.js new file mode 100644 index 0000000..d67677f --- /dev/null +++ b/csf/ui/images/chosen.min.js 
@@ -0,0 +1,3 @@ +/* Chosen v1.8.2 | (c) 2011-2017 by Harvest | MIT License, https://github.com/harvesthq/chosen/blob/master/LICENSE.md */ + +(function(){var t,e,s,i,n=function(t,e){return function(){return t.apply(e,arguments)}},r=function(t,e){function s(){this.constructor=t}for(var i in e)o.call(e,i)&&(t[i]=e[i]);return s.prototype=e.prototype,t.prototype=new s,t.__super__=e.prototype,t},o={}.hasOwnProperty;(i=function(){function t(){this.options_index=0,this.parsed=[]}return t.prototype.add_node=function(t){return"OPTGROUP"===t.nodeName.toUpperCase()?this.add_group(t):this.add_option(t)},t.prototype.add_group=function(t){var e,s,i,n,r,o;for(e=this.parsed.length,this.parsed.push({array_index:e,group:!0,label:t.label,title:t.title?t.title:void 0,children:0,disabled:t.disabled,classes:t.className}),o=[],s=0,i=(r=t.childNodes).length;s"+t.group_label+""+t.html:t.html},t.prototype.mouse_enter=function(){return this.mouse_on_container=!0},t.prototype.mouse_leave=function(){return this.mouse_on_container=!1},t.prototype.input_focus=function(t){if(this.is_multiple){if(!this.active_field)return setTimeout(function(t){return function(){return t.container_mousedown()}}(this),50)}else if(!this.active_field)return this.activate_field()},t.prototype.input_blur=function(t){if(!this.mouse_on_container)return this.active_field=!1,setTimeout(function(t){return function(){return t.blur_test()}}(this),100)},t.prototype.label_click_handler=function(t){return this.is_multiple?this.container_mousedown(t):this.activate_field()},t.prototype.results_option_build=function(t){var e,s,i,n,r,o,h;for(e="",h=0,n=0,r=(o=this.results_data).length;n=this.max_shown_results));n++);return e},t.prototype.result_add_option=function(t){var e,s;return 
t.search_match&&this.include_option_in_results(t)?(e=[],t.disabled||t.selected&&this.is_multiple||e.push("active-result"),!t.disabled||t.selected&&this.is_multiple||e.push("disabled-result"),t.selected&&e.push("result-selected"),null!=t.group_array_index&&e.push("group-option"),""!==t.classes&&e.push(t.classes),s=document.createElement("li"),s.className=e.join(" "),s.style.cssText=t.style,s.setAttribute("data-option-array-index",t.array_index),s.innerHTML=t.highlighted_html||t.html,t.title&&(s.title=t.title),this.outerHTML(s)):""},t.prototype.result_add_group=function(t){var e,s;return(t.search_match||t.group_match)&&t.active_options>0?((e=[]).push("group-result"),t.classes&&e.push(t.classes),s=document.createElement("li"),s.className=e.join(" "),s.innerHTML=t.highlighted_html||this.escape_html(t.label),t.title&&(s.title=t.title),this.outerHTML(s)):""},t.prototype.results_update_field=function(){if(this.set_default_text(),this.is_multiple||this.results_reset_cleanup(),this.result_clear_highlight(),this.results_build(),this.results_showing)return this.winnow_results()},t.prototype.reset_single_select_options=function(){var t,e,s,i,n;for(n=[],t=0,e=(s=this.results_data).length;t"+this.escape_html(e)+""+this.escape_html(d)),null!=_&&(_.group_match=!0)):null!=n.group_array_index&&this.results_data[n.group_array_index].search_match&&(n.search_match=!0)));return this.result_clear_highlight(),c<1&&o.length?(this.update_results_content(""),this.no_results(o)):(this.update_results_content(this.results_option_build()),this.winnow_results_set_highlight())},t.prototype.get_search_regex=function(t){var e,s;return s=this.search_contains?t:"(^|\\s|\\b)"+t+"[^\\s]*",this.enable_split_word_search||this.search_contains||(s="^"+s),e=this.case_sensitive_search?"":"i",new RegExp(s,e)},t.prototype.search_string_match=function(t,e){var s;return s=e.exec(t),!this.search_contains&&(null!=s?s[1]:void 0)&&(s.index+=1),s},t.prototype.choices_count=function(){var 
t,e,s;if(null!=this.selected_option_count)return this.selected_option_count;for(this.selected_option_count=0,t=0,e=(s=this.form_field.options).length;t0?this.keydown_backstroke():this.pending_backstroke||(this.result_clear_highlight(),this.results_search());break;case 13:t.preventDefault(),this.results_showing&&this.result_select(t);break;case 27:this.results_showing&&this.results_hide();break;case 9:case 16:case 17:case 18:case 38:case 40:case 91:break;default:this.results_search()}},t.prototype.clipboard_event_checker=function(t){if(!this.is_disabled)return setTimeout(function(t){return function(){return t.results_search()}}(this),50)},t.prototype.container_width=function(){return null!=this.options.width?this.options.width:this.form_field.offsetWidth+"px"},t.prototype.include_option_in_results=function(t){return!(this.is_multiple&&!this.display_selected_options&&t.selected)&&(!(!this.display_disabled_options&&t.disabled)&&!t.empty)},t.prototype.search_results_touchstart=function(t){return this.touch_started=!0,this.search_results_mouseover(t)},t.prototype.search_results_touchmove=function(t){return this.touch_started=!1,this.search_results_mouseout(t)},t.prototype.search_results_touchend=function(t){if(this.touch_started)return this.search_results_mouseup(t)},t.prototype.outerHTML=function(t){var e;return t.outerHTML?t.outerHTML:((e=document.createElement("div")).appendChild(t),e.innerHTML)},t.prototype.get_single_html=function(){return'\n '+this.default_text+'\n
            \n
            \n
            \n \n
              \n
              '},t.prototype.get_multi_html=function(){return'
                \n
              • \n \n
              • \n
              \n
              \n
                \n
                '},t.prototype.get_no_results_html=function(t){return'
              • \n '+this.results_none_found+" "+this.escape_html(t)+"\n
              • "},t.browser_is_supported=function(){return"Microsoft Internet Explorer"===window.navigator.appName?document.documentMode>=8:!(/iP(od|hone)/i.test(window.navigator.userAgent)||/IEMobile/i.test(window.navigator.userAgent)||/Windows Phone/i.test(window.navigator.userAgent)||/BlackBerry/i.test(window.navigator.userAgent)||/BB10/i.test(window.navigator.userAgent)||/Android.*Mobile/i.test(window.navigator.userAgent))},t.default_multiple_text="Select Some Options",t.default_single_text="Select an Option",t.default_no_result_text="No results match",t}(),(t=jQuery).fn.extend({chosen:function(i){return e.browser_is_supported()?this.each(function(e){var n,r;r=(n=t(this)).data("chosen"),"destroy"!==i?r instanceof s||n.data("chosen",new s(this,i)):r instanceof s&&r.destroy()}):this}}),s=function(s){function n(){return n.__super__.constructor.apply(this,arguments)}return r(n,e),n.prototype.setup=function(){return this.form_field_jq=t(this.form_field),this.current_selectedIndex=this.form_field.selectedIndex},n.prototype.set_up_html=function(){var e,s;return(e=["chosen-container"]).push("chosen-container-"+(this.is_multiple?"multi":"single")),this.inherit_select_classes&&this.form_field.className&&e.push(this.form_field.className),this.is_rtl&&e.push("chosen-rtl"),s={"class":e.join(" "),title:this.form_field.title},this.form_field.id.length&&(s.id=this.form_field.id.replace(/[^\w]/g,"_")+"_chosen"),this.container=t("
                ",s),this.container.width(this.container_width()),this.is_multiple?this.container.html(this.get_multi_html()):this.container.html(this.get_single_html()),this.form_field_jq.hide().after(this.container),this.dropdown=this.container.find("div.chosen-drop").first(),this.search_field=this.container.find("input").first(),this.search_results=this.container.find("ul.chosen-results").first(),this.search_field_scale(),this.search_no_results=this.container.find("li.no-results").first(),this.is_multiple?(this.search_choices=this.container.find("ul.chosen-choices").first(),this.search_container=this.container.find("li.search-field").first()):(this.search_container=this.container.find("div.chosen-search").first(),this.selected_item=this.container.find(".chosen-single").first()),this.results_build(),this.set_tab_index(),this.set_label_behavior()},n.prototype.on_ready=function(){return this.form_field_jq.trigger("chosen:ready",{chosen:this})},n.prototype.register_observers=function(){return this.container.on("touchstart.chosen",function(t){return function(e){t.container_mousedown(e)}}(this)),this.container.on("touchend.chosen",function(t){return function(e){t.container_mouseup(e)}}(this)),this.container.on("mousedown.chosen",function(t){return function(e){t.container_mousedown(e)}}(this)),this.container.on("mouseup.chosen",function(t){return function(e){t.container_mouseup(e)}}(this)),this.container.on("mouseenter.chosen",function(t){return function(e){t.mouse_enter(e)}}(this)),this.container.on("mouseleave.chosen",function(t){return function(e){t.mouse_leave(e)}}(this)),this.search_results.on("mouseup.chosen",function(t){return function(e){t.search_results_mouseup(e)}}(this)),this.search_results.on("mouseover.chosen",function(t){return function(e){t.search_results_mouseover(e)}}(this)),this.search_results.on("mouseout.chosen",function(t){return function(e){t.search_results_mouseout(e)}}(this)),this.search_results.on("mousewheel.chosen 
DOMMouseScroll.chosen",function(t){return function(e){t.search_results_mousewheel(e)}}(this)),this.search_results.on("touchstart.chosen",function(t){return function(e){t.search_results_touchstart(e)}}(this)),this.search_results.on("touchmove.chosen",function(t){return function(e){t.search_results_touchmove(e)}}(this)),this.search_results.on("touchend.chosen",function(t){return function(e){t.search_results_touchend(e)}}(this)),this.form_field_jq.on("chosen:updated.chosen",function(t){return function(e){t.results_update_field(e)}}(this)),this.form_field_jq.on("chosen:activate.chosen",function(t){return function(e){t.activate_field(e)}}(this)),this.form_field_jq.on("chosen:open.chosen",function(t){return function(e){t.container_mousedown(e)}}(this)),this.form_field_jq.on("chosen:close.chosen",function(t){return function(e){t.close_field(e)}}(this)),this.search_field.on("blur.chosen",function(t){return function(e){t.input_blur(e)}}(this)),this.search_field.on("keyup.chosen",function(t){return function(e){t.keyup_checker(e)}}(this)),this.search_field.on("keydown.chosen",function(t){return function(e){t.keydown_checker(e)}}(this)),this.search_field.on("focus.chosen",function(t){return function(e){t.input_focus(e)}}(this)),this.search_field.on("cut.chosen",function(t){return function(e){t.clipboard_event_checker(e)}}(this)),this.search_field.on("paste.chosen",function(t){return function(e){t.clipboard_event_checker(e)}}(this)),this.is_multiple?this.search_choices.on("click.chosen",function(t){return function(e){t.choices_click(e)}}(this)):this.container.on("click.chosen",function(t){t.preventDefault()})},n.prototype.destroy=function(){return 
t(this.container[0].ownerDocument).off("click.chosen",this.click_test_action),this.form_field_label.length>0&&this.form_field_label.off("click.chosen"),this.search_field[0].tabIndex&&(this.form_field_jq[0].tabIndex=this.search_field[0].tabIndex),this.container.remove(),this.form_field_jq.removeData("chosen"),this.form_field_jq.show()},n.prototype.search_field_disabled=function(){return this.is_disabled=this.form_field.disabled||this.form_field_jq.parents("fieldset").is(":disabled"),this.container.toggleClass("chosen-disabled",this.is_disabled),this.search_field[0].disabled=this.is_disabled,this.is_multiple||this.selected_item.off("focus.chosen",this.activate_field),this.is_disabled?this.close_field():this.is_multiple?void 0:this.selected_item.on("focus.chosen",this.activate_field)},n.prototype.container_mousedown=function(e){var s;if(!this.is_disabled)return!e||"mousedown"!==(s=e.type)&&"touchstart"!==s||this.results_showing||e.preventDefault(),null!=e&&t(e.target).hasClass("search-choice-close")?void 0:(this.active_field?this.is_multiple||!e||t(e.target)[0]!==this.selected_item[0]&&!t(e.target).parents("a.chosen-single").length||(e.preventDefault(),this.results_toggle()):(this.is_multiple&&this.search_field.val(""),t(this.container[0].ownerDocument).on("click.chosen",this.click_test_action),this.results_show()),this.activate_field())},n.prototype.container_mouseup=function(t){if("ABBR"===t.target.nodeName&&!this.is_disabled)return this.results_reset(t)},n.prototype.search_results_mousewheel=function(t){var e;if(t.originalEvent&&(e=t.originalEvent.deltaY||-t.originalEvent.wheelDelta||t.originalEvent.detail),null!=e)return t.preventDefault(),"DOMMouseScroll"===t.type&&(e*=40),this.search_results.scrollTop(e+this.search_results.scrollTop())},n.prototype.blur_test=function(t){if(!this.active_field&&this.container.hasClass("chosen-container-active"))return this.close_field()},n.prototype.close_field=function(){return 
t(this.container[0].ownerDocument).off("click.chosen",this.click_test_action),this.active_field=!1,this.results_hide(),this.container.removeClass("chosen-container-active"),this.clear_backstroke(),this.show_search_field_default(),this.search_field_scale(),this.search_field.blur()},n.prototype.activate_field=function(){if(!this.is_disabled)return this.container.addClass("chosen-container-active"),this.active_field=!0,this.search_field.val(this.search_field.val()),this.search_field.focus()},n.prototype.test_active_click=function(e){var s;return(s=t(e.target).closest(".chosen-container")).length&&this.container[0]===s[0]?this.active_field=!0:this.close_field()},n.prototype.results_build=function(){return this.parsing=!0,this.selected_option_count=null,this.results_data=i.select_to_array(this.form_field),this.is_multiple?this.search_choices.find("li.search-choice").remove():this.is_multiple||(this.single_set_selected_text(),this.disable_search||this.form_field.options.length<=this.disable_search_threshold?(this.search_field[0].readOnly=!0,this.container.addClass("chosen-container-single-nosearch")):(this.search_field[0].readOnly=!1,this.container.removeClass("chosen-container-single-nosearch"))),this.update_results_content(this.results_option_build({first:!0})),this.search_field_disabled(),this.show_search_field_default(),this.search_field_scale(),this.parsing=!1},n.prototype.result_do_highlight=function(t){var e,s,i,n,r;if(t.length){if(this.result_clear_highlight(),this.result_highlight=t,this.result_highlight.addClass("highlighted"),i=parseInt(this.search_results.css("maxHeight"),10),r=this.search_results.scrollTop(),n=i+r,s=this.result_highlight.position().top+this.search_results.scrollTop(),(e=s+this.result_highlight.outerHeight())>=n)return this.search_results.scrollTop(e-i>0?e-i:0);if(s0)return this.form_field_label.on("click.chosen",this.label_click_handler)},n.prototype.show_search_field_default=function(){return 
this.is_multiple&&this.choices_count()<1&&!this.active_field?(this.search_field.val(this.default_text),this.search_field.addClass("default")):(this.search_field.val(""),this.search_field.removeClass("default"))},n.prototype.search_results_mouseup=function(e){var s;if((s=t(e.target).hasClass("active-result")?t(e.target):t(e.target).parents(".active-result").first()).length)return this.result_highlight=s,this.result_select(e),this.search_field.focus()},n.prototype.search_results_mouseover=function(e){var s;if(s=t(e.target).hasClass("active-result")?t(e.target):t(e.target).parents(".active-result").first())return this.result_do_highlight(s)},n.prototype.search_results_mouseout=function(e){if(t(e.target).hasClass("active-result")||t(e.target).parents(".active-result").first())return this.result_clear_highlight()},n.prototype.choice_build=function(e){var s,i;return s=t("
              • ",{"class":"search-choice"}).html(""+this.choice_label(e)+""),e.disabled?s.addClass("search-choice-disabled"):((i=t("",{"class":"search-choice-close","data-option-array-index":e.array_index})).on("click.chosen",function(t){return function(e){return t.choice_destroy_link_click(e)}}(this)),s.append(i)),this.search_container.before(s)},n.prototype.choice_destroy_link_click=function(e){if(e.preventDefault(),e.stopPropagation(),!this.is_disabled)return this.choice_destroy(t(e.target))},n.prototype.choice_destroy=function(t){if(this.result_deselect(t[0].getAttribute("data-option-array-index")))return this.active_field?this.search_field.focus():this.show_search_field_default(),this.is_multiple&&this.choices_count()>0&&this.get_search_field_value().length<1&&this.results_hide(),t.parents("li").first().remove(),this.search_field_scale()},n.prototype.results_reset=function(){if(this.reset_single_select_options(),this.form_field.options[0].selected=!0,this.single_set_selected_text(),this.show_search_field_default(),this.results_reset_cleanup(),this.trigger_form_field_change(),this.active_field)return this.results_hide()},n.prototype.results_reset_cleanup=function(){return this.current_selectedIndex=this.form_field.selectedIndex,this.selected_item.find("abbr").remove()},n.prototype.result_select=function(t){var e,s;if(this.result_highlight)return 
e=this.result_highlight,this.result_clear_highlight(),this.is_multiple&&this.max_selected_options<=this.choices_count()?(this.form_field_jq.trigger("chosen:maxselected",{chosen:this}),!1):(this.is_multiple?e.removeClass("active-result"):this.reset_single_select_options(),e.addClass("result-selected"),s=this.results_data[e[0].getAttribute("data-option-array-index")],s.selected=!0,this.form_field.options[s.options_index].selected=!0,this.selected_option_count=null,this.search_field.val(""),this.is_multiple?this.choice_build(s):this.single_set_selected_text(this.choice_label(s)),this.is_multiple&&(!this.hide_results_on_select||t.metaKey||t.ctrlKey)?this.winnow_results():(this.results_hide(),this.show_search_field_default()),(this.is_multiple||this.form_field.selectedIndex!==this.current_selectedIndex)&&this.trigger_form_field_change({selected:this.form_field.options[s.options_index].value}),this.current_selectedIndex=this.form_field.selectedIndex,t.preventDefault(),this.search_field_scale())},n.prototype.single_set_selected_text=function(t){return null==t&&(t=this.default_text),t===this.default_text?this.selected_item.addClass("chosen-default"):(this.single_deselect_control_build(),this.selected_item.removeClass("chosen-default")),this.selected_item.find("span").html(t)},n.prototype.result_deselect=function(t){var e;return e=this.results_data[t],!this.form_field.options[e.options_index].disabled&&(e.selected=!1,this.form_field.options[e.options_index].selected=!1,this.selected_option_count=null,this.result_clear_highlight(),this.results_showing&&this.winnow_results(),this.trigger_form_field_change({deselected:this.form_field.options[e.options_index].value}),this.search_field_scale(),!0)},n.prototype.single_deselect_control_build=function(){if(this.allow_single_deselect)return 
this.selected_item.find("abbr").length||this.selected_item.find("span").first().after(''),this.selected_item.addClass("chosen-single-with-deselect")},n.prototype.get_search_field_value=function(){return this.search_field.val()},n.prototype.get_search_text=function(){return t.trim(this.get_search_field_value())},n.prototype.escape_html=function(e){return t("
                ").text(e).html()},n.prototype.winnow_results_set_highlight=function(){var t,e;if(e=this.is_multiple?[]:this.search_results.find(".result-selected.active-result"),null!=(t=e.length?e.first():this.search_results.find(".active-result").first()))return this.result_do_highlight(t)},n.prototype.no_results=function(t){var e;return e=this.get_no_results_html(t),this.search_results.append(e),this.form_field_jq.trigger("chosen:no_results",{chosen:this})},n.prototype.no_results_clear=function(){return this.search_results.find(".no-results").remove()},n.prototype.keydown_arrow=function(){var t;return this.results_showing&&this.result_highlight?(t=this.result_highlight.nextAll("li.active-result").first())?this.result_do_highlight(t):void 0:this.results_show()},n.prototype.keyup_arrow=function(){var t;return this.results_showing||this.is_multiple?this.result_highlight?(t=this.result_highlight.prevAll("li.active-result")).length?this.result_do_highlight(t.first()):(this.choices_count()>0&&this.results_hide(),this.result_clear_highlight()):void 0:this.results_show()},n.prototype.keydown_backstroke=function(){var t;return this.pending_backstroke?(this.choice_destroy(this.pending_backstroke.find("a").first()),this.clear_backstroke()):(t=this.search_container.siblings("li.search-choice").last()).length&&!t.hasClass("search-choice-disabled")?(this.pending_backstroke=t,this.single_backstroke_delete?this.keydown_backstroke():this.pending_backstroke.addClass("search-choice-focus")):void 0},n.prototype.clear_backstroke=function(){return this.pending_backstroke&&this.pending_backstroke.removeClass("search-choice-focus"),this.pending_backstroke=null},n.prototype.search_field_scale=function(){var 
e,s,i,n,r,o,h;if(this.is_multiple){for(r={position:"absolute",left:"-1000px",top:"-1000px",display:"none",whiteSpace:"pre"},s=0,i=(o=["fontSize","fontStyle","fontWeight","fontFamily","lineHeight","textTransform","letterSpacing"]).length;s").css(r)).text(this.get_search_field_value()),t("body").append(e),h=e.width()+25,e.remove(),this.container.is(":visible")&&(h=Math.min(this.container.outerWidth()-10,h)),this.search_field.width(h)}},n.prototype.trigger_form_field_change=function(t){return this.form_field_jq.trigger("input",t),this.form_field_jq.trigger("change",t)},n}()}).call(this); \ No newline at end of file diff --git a/csf/ui/images/configserver.css b/csf/ui/images/configserver.css new file mode 100644 index 0000000..8b02267 --- /dev/null +++ b/csf/ui/images/configserver.css 
@@ -0,0 +1,193 @@
+.icon-configserver {
+ color: #990000;
+}
+.btn-default:active,
+.btn-default:visited,
+.btn-default:focus,
+.btn-default {
+ background:#FFFFFF;
+ border-radius:3px;
+ border:1px solid #A6C150;
+ color:#990000 !important;
+}
+.btn-default:hover {
+ border:1px solid #A6C150;
+ background: #F5F5F5;
+}
+.btn-csf-config:focus,
+.btn-csf-config:hover,
+.btn-csf-config:active,
+.btn-csf-config.active {
+ background-color:#BDECB6 !important;
+ -webkit-transition: all 0.30s ease-in-out;
+ -moz-transition: all 0.30s ease-in-out;
+ -ms-transition: all 0.30s ease-in-out;
+ -o-transition: all 0.30s ease-in-out;
+ transition: all 0.30s ease-in-out;
+}
+input[type=text], select {
+ -webkit-transition: all 0.30s ease-in-out;
+ -moz-transition: all 0.30s ease-in-out;
+ -ms-transition: all 0.30s ease-in-out;
+ -o-transition: all 0.30s ease-in-out;
+ transition: all 0.30s ease-in-out;
+ border-radius:3px;
+ outline: none;
+ padding: 3px 0px 3px 3px;
+ margin: 5px 1px 3px 0px;
+ border: 1px solid #990000;
+}
+input[type=text]:focus, select:focus {
+ box-shadow: 0 0 5px #CC0000;
+ padding: 3px 0px 3px 3px;
+ margin: 5px 1px 3px 0px;
+ border: 1px solid #990000;
+}
+.td-btn {
+ width: 200px;
+}
+.td-text {
+}
+th {
+ background: #F4F4EA;
+}
+.table tbody>tr>td {
+ vertical-align: middle;
+}
+.panel-default > .panel-heading-cxs {
+ font-weight: bold;
+ background: #F4F4EA;
+}
+.panel-default > .panel-footer-cxs {
+ font-weight: bold;
+ background: #F4F4EA;
+}
+#loader {
+ position: absolute;
+ left: 50%;
+ top: 50%;
+ z-index: 1;
+ margin: -75px 0 0 -75px;
+ border: 16px solid #F4F4EA;
+ border-radius: 50%;
+ border-top: 16px solid #990000;
+ border-bottom: 16px solid #990000;
+ width: 120px;
+ height: 120px;
+ -webkit-animation: spin 2s linear infinite;
+ animation: spin 2s linear infinite;
+}
+@-webkit-keyframes spin {
+ 0% { -webkit-transform: rotate(0deg); }
+ 100% { -webkit-transform: rotate(360deg); }
+}
+@keyframes spin {
+ 0% { transform: rotate(0deg); }
+ 100% { transform: rotate(360deg); }
+}
+.bs-callout {
+ padding: 20px;
+ margin: 20px 0;
+ border: 1px solid #eee;
+ border-left-width: 5px;
+ border-radius: 3px;
+}
+.bs-callout h4 {
+ margin-top: 0;
+ margin-bottom: 5px;
+}
+.bs-callout p:last-child {
+ margin-bottom: 0;
+}
+.bs-callout code {
+ border-radius: 3px;
+}
+.bs-callout+.bs-callout {
+ margin-top: -5px;
+}
+.bs-callout-success {
+ border-left-color: #5cb85c;
+ background-color: #edf7ed;
+}
+.bs-callout-success h4 {
+ color: #5cb85c;
+}.bs-callout-info {
+ border-left-color: #5bc0de;
+ background-color: #eaf7fb;
+}
+.bs-callout-info h4 {
+ color: #5bc0de;
+}
+.bs-callout-warning {
+ border-left-color: #f0ad4e;
+ background-color: #fdf4e8;
+}
+.bs-callout-warning h4 {
+ color: #f0ad4e;
+}
+.bs-callout-danger {
+ border-left-color: #d9534f;
+ background-color: #faebea;
+}
+.bs-callout-danger h4 {
+ color: #d9534f;
+}
+.label-pill {
+ padding-right: .6em;
+ padding-left: .6em;
+ border-radius: 10rem;
+}
+.comment {
+ border-radius:5px;
+ border: 1px solid #DDDDDD;
+ padding: 10px;
+ font-family: Courier New, Courier;
+ font-size: 14px;
+}
+.value-default {
+ background:#F5F5F5;
+ padding:2px;
+ border-radius:5px;
+}
+.value-other {
+ background:#F4F4EA;
+ padding:2px;
+ border-radius:5px;
+}
+.value-disabled {
+ background:#F5F5F5;
+ padding:2px;
+ border-radius:5px;
+}
+.value-warning {
+ background:#FFC0CB;
+ padding:2px;
+ border-radius:5px;
+}
+.section {
+ border-radius:5px;
+ border: 2px solid #990000;
+ padding: 10px;
+ font-size:16px;
+ font-weight:bold;
+}
+.toplink {
+ cursor: pointer;
+ position: fixed;
+ top: 20px;
+ right: 20px;
+ z-index: 9999 !important;
+ font-size: 36px;
+ opacity: 0.5;
+ display:none;
+}
+.botlink {
+ cursor: pointer;
+ position:fixed;
+ bottom:20px;
+ right:20px;
+ z-index: 9999 !important;
+ font-size: 36px;
+ opacity: 0.5;
+ display:none;
+}
diff --git a/csf/ui/images/csf-loader.gif b/csf/ui/images/csf-loader.gif new file mode 100644 index 0000000..dd1828f Binary files /dev/null and b/csf/ui/images/csf-loader.gif differ diff --git a/csf/ui/images/csf.svg b/csf/ui/images/csf.svg new file mode 100644 index 0000000..8a9afa9 --- /dev/null +++ b/csf/ui/images/csf.svg @@ -0,0 +1,25 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/csf/ui/images/csf_small.png b/csf/ui/images/csf_small.png new file mode 100644 index 0000000..82b9642 Binary files /dev/null and b/csf/ui/images/csf_small.png differ diff --git a/csf/ui/images/jquery.min.js b/csf/ui/images/jquery.min.js new file mode 100644 index 0000000..e836475 --- /dev/null +++ b/csf/ui/images/jquery.min.js 
@@ -0,0 +1,5 @@ +/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */ +!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="1.12.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(e.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:g,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(n.isPlainObject(c)||(b=n.isArray(c)))?(b?(b=!1,f=a&&n.isArray(a)?a:[]):f=a&&n.isPlainObject(a)?a:{},g[d]=n.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new 
Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray||function(a){return"array"===n.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){var b=a&&a.toString();return!n.isArray(a)&&b-parseFloat(b)+1>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==n.type(a)||a.nodeType||n.isWindow(a))return!1;try{if(a.constructor&&!k.call(a,"constructor")&&!k.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(!l.ownFirst)for(b in a)return k.call(a,b);for(b in a);return void 0===b||k.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?i[j.call(a)]||"object":typeof a},globalEval:function(b){b&&n.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(s(a)){for(c=a.length;c>d;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):g.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(h)return h.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,g=0,h=[];if(s(a))for(d=a.length;d>g;g++)e=b(a[g],g,c),null!=e&&h.push(e);else for(g in a)e=b(a[g],g,c),null!=e&&h.push(e);return f.apply([],h)},guid:1,proxy:function(a,b){var c,d,f;return"string"==typeof 
b&&(f=a[b],b=a,a=f),n.isFunction(a)?(c=e.call(arguments,2),d=function(){return a.apply(b||this,c.concat(e.call(arguments)))},d.guid=a.guid=a.guid||n.guid++,d):void 0},now:function(){return+new Date},support:l}),"function"==typeof Symbol&&(n.fn[Symbol.iterator]=c[Symbol.iterator]),n.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(a,b){i["[object "+b+"]"]=b.toLowerCase()});function s(a){var b=!!a&&"length"in a&&a.length,c=n.type(a);return"function"===c||n.isWindow(a)?!1:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var t=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+1*new Date,v=a.document,w=0,x=0,y=ga(),z=ga(),A=ga(),B=function(a,b){return a===b&&(l=!0),0},C=1<<31,D={}.hasOwnProperty,E=[],F=E.pop,G=E.push,H=E.push,I=E.slice,J=function(a,b){for(var c=0,d=a.length;d>c;c++)if(a[c]===b)return c;return-1},K="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",L="[\\x20\\t\\r\\n\\f]",M="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",N="\\["+L+"*("+M+")(?:"+L+"*([*^$|!~]?=)"+L+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+L+"*\\]",O=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+N+")*)|.*)\\)|)",P=new RegExp(L+"+","g"),Q=new RegExp("^"+L+"+|((?:^|[^\\\\])(?:\\\\.)*)"+L+"+$","g"),R=new RegExp("^"+L+"*,"+L+"*"),S=new RegExp("^"+L+"*([>+~]|"+L+")"+L+"*"),T=new RegExp("="+L+"*([^\\]'\"]*?)"+L+"*\\]","g"),U=new RegExp(O),V=new RegExp("^"+M+"$"),W={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+N),PSEUDO:new RegExp("^"+O),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+L+"*(even|odd|(([+-]|)(\\d*)n|)"+L+"*(?:([+-]|)"+L+"*(\\d+)|))"+L+"*\\)|)","i"),bool:new RegExp("^(?:"+K+")$","i"),needsContext:new 
RegExp("^"+L+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+L+"*((?:-\\d)?\\d*)"+L+"*\\)|)(?=[^-]|$)","i")},X=/^(?:input|select|textarea|button)$/i,Y=/^h\d$/i,Z=/^[^{]+\{\s*\[native \w/,$=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,_=/[+~]/,aa=/'|\\/g,ba=new RegExp("\\\\([\\da-f]{1,6}"+L+"?|("+L+")|.)","ig"),ca=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},da=function(){m()};try{H.apply(E=I.call(v.childNodes),v.childNodes),E[v.childNodes.length].nodeType}catch(ea){H={apply:E.length?function(a,b){G.apply(a,I.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fa(a,b,d,e){var f,h,j,k,l,o,r,s,w=b&&b.ownerDocument,x=b?b.nodeType:9;if(d=d||[],"string"!=typeof a||!a||1!==x&&9!==x&&11!==x)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==x&&(o=$.exec(a)))if(f=o[1]){if(9===x){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(w&&(j=w.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(o[2])return H.apply(d,b.getElementsByTagName(a)),d;if((f=o[3])&&c.getElementsByClassName&&b.getElementsByClassName)return H.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+" "]&&(!q||!q.test(a))){if(1!==x)w=b,s=a;else if("object"!==b.nodeName.toLowerCase()){(k=b.getAttribute("id"))?k=k.replace(aa,"\\$&"):b.setAttribute("id",k=u),r=g(a),h=r.length,l=V.test(k)?"#"+k:"[id='"+k+"']";while(h--)r[h]=l+" "+qa(r[h]);s=r.join(","),w=_.test(a)&&oa(b.parentNode)||b}if(s)try{return H.apply(d,w.querySelectorAll(s)),d}catch(y){}finally{k===u&&b.removeAttribute("id")}}}return i(a.replace(Q,"$1"),b,d,e)}function ga(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function ha(a){return a[u]=!0,a}function ia(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ja(a,b){var 
c=a.split("|"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function ka(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||C)-(~a.sourceIndex||C);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function la(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function na(a){return ha(function(b){return b=+b,ha(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function oa(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}c=fa.support={},f=fa.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fa.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener("unload",da,!1):e.attachEvent&&e.attachEvent("onunload",da)),c.attributes=ia(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ia(function(a){return a.appendChild(n.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=Z.test(n.getElementsByClassName),c.getById=ia(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if("undefined"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}},d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){var c="undefined"!=typeof a.getAttributeNode&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return"undefined"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var 
c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var 
c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return 
a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else 
if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return 
a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++db;b++)d+=a[b].value;return d}function ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var 
j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof 
a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return null==a.getAttribute("disabled")})||ja(K,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fa}(a);n.find=t,n.expr=t.selectors,n.expr[":"]=n.expr.pseudos,n.uniqueSort=n.unique=t.uniqueSort,n.text=t.getText,n.isXMLDoc=t.isXML,n.contains=t.contains;var u=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&n(a).is(c))break;d.push(a)}return d},v=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},w=n.expr.match.needsContext,x=/^<([\w-]+)\s*\/?>(?:<\/\1>|)$/,y=/^.[^:#\[\.,]*$/;function z(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return n.grep(a,function(a){return a===b!==c});if("string"==typeof 
b){if(y.test(b))return n.filter(b,a,c);b=n.filter(b,a)}return n.grep(a,function(a){return n.inArray(a,b)>-1!==c})}n.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?n.find.matchesSelector(d,a)?[d]:[]:n.find.matches(a,n.grep(b,function(a){return 1===a.nodeType}))},n.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(n(a).filter(function(){for(b=0;e>b;b++)if(n.contains(d[b],this))return!0}));for(b=0;e>b;b++)n.find(a,d[b],c);return c=this.pushStack(e>1?n.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(z(this,a||[],!1))},not:function(a){return this.pushStack(z(this,a||[],!0))},is:function(a){return!!z(this,"string"==typeof a&&w.test(a)?n(a):a||[],!1).length}});var A,B=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=n.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||A,"string"==typeof a){if(e="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:B.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b instanceof n?b[0]:b,n.merge(this,n.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),x.test(e[1])&&n.isPlainObject(b))for(e in b)n.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}if(f=d.getElementById(e[2]),f&&f.parentNode){if(f.id!==e[2])return A.find(a);this.length=1,this[0]=f}return this.context=d,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):n.isFunction(a)?"undefined"!=typeof c.ready?c.ready(a):a(n):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),n.makeArray(a,this))};C.prototype=n.fn,A=n(d);var D=/^(?:parents|prev(?:Until|All))/,E={children:!0,contents:!0,next:!0,prev:!0};n.fn.extend({has:function(a){var b,c=n(a,this),d=c.length;return this.filter(function(){for(b=0;d>b;b++)if(n.contains(this,c[b]))return!0})},closest:function(a,b){for(var 
c,d=0,e=this.length,f=[],g=w.test(a)||"string"!=typeof a?n(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&n.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?n.uniqueSort(f):f)},index:function(a){return a?"string"==typeof a?n.inArray(this[0],n(a)):n.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(n.uniqueSort(n.merge(this.get(),n(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function F(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}n.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return u(a,"parentNode")},parentsUntil:function(a,b,c){return u(a,"parentNode",c)},next:function(a){return F(a,"nextSibling")},prev:function(a){return F(a,"previousSibling")},nextAll:function(a){return u(a,"nextSibling")},prevAll:function(a){return u(a,"previousSibling")},nextUntil:function(a,b,c){return u(a,"nextSibling",c)},prevUntil:function(a,b,c){return u(a,"previousSibling",c)},siblings:function(a){return v((a.parentNode||{}).firstChild,a)},children:function(a){return v(a.firstChild)},contents:function(a){return n.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:n.merge([],a.childNodes)}},function(a,b){n.fn[a]=function(c,d){var e=n.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=n.filter(d,e)),this.length>1&&(E[a]||(e=n.uniqueSort(e)),D.test(a)&&(e=e.reverse())),this.pushStack(e)}});var G=/\S+/g;function H(a){var b={};return n.each(a.match(G)||[],function(a,c){b[c]=!0}),b}n.Callbacks=function(a){a="string"==typeof a?H(a):n.extend({},a);var b,c,d,e,f=[],g=[],h=-1,i=function(){for(e=a.once,d=b=!0;g.length;h=-1){c=g.shift();while(++h-1)f.splice(c,1),h>=c&&h--}),this},has:function(a){return a?n.inArray(a,f)>-1:f.length>0},empty:function(){return 
f&&(f=[]),this},disable:function(){return e=g=[],f=c="",this},disabled:function(){return!f},lock:function(){return e=!0,c||j.disable(),this},locked:function(){return!!e},fireWith:function(a,c){return e||(c=c||[],c=[a,c.slice?c.slice():c],g.push(c),b||i()),this},fire:function(){return j.fireWith(this,arguments),this},fired:function(){return!!d}};return j},n.extend({Deferred:function(a){var b=[["resolve","done",n.Callbacks("once memory"),"resolved"],["reject","fail",n.Callbacks("once memory"),"rejected"],["notify","progress",n.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return n.Deferred(function(c){n.each(b,function(b,f){var g=n.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&n.isFunction(a.promise)?a.promise().progress(c.notify).done(c.resolve).fail(c.reject):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?n.extend(a,d):d}},e={};return d.pipe=d.then,n.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=e.call(arguments),d=c.length,f=1!==d||a&&n.isFunction(a.promise)?d:0,g=1===f?a:n.Deferred(),h=function(a,b,c){return function(d){b[a]=this,c[a]=arguments.length>1?e.call(arguments):d,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(d>1)for(i=new Array(d),j=new Array(d),k=new Array(d);d>b;b++)c[b]&&n.isFunction(c[b].promise)?c[b].promise().progress(h(b,j,i)).done(h(b,k,c)).fail(g.reject):--f;return f||g.resolveWith(k,c),g.promise()}});var I;n.fn.ready=function(a){return 
n.ready.promise().done(a),this},n.extend({isReady:!1,readyWait:1,holdReady:function(a){a?n.readyWait++:n.ready(!0)},ready:function(a){(a===!0?--n.readyWait:n.isReady)||(n.isReady=!0,a!==!0&&--n.readyWait>0||(I.resolveWith(d,[n]),n.fn.triggerHandler&&(n(d).triggerHandler("ready"),n(d).off("ready"))))}});function J(){d.addEventListener?(d.removeEventListener("DOMContentLoaded",K),a.removeEventListener("load",K)):(d.detachEvent("onreadystatechange",K),a.detachEvent("onload",K))}function K(){(d.addEventListener||"load"===a.event.type||"complete"===d.readyState)&&(J(),n.ready())}n.ready.promise=function(b){if(!I)if(I=n.Deferred(),"complete"===d.readyState||"loading"!==d.readyState&&!d.documentElement.doScroll)a.setTimeout(n.ready);else if(d.addEventListener)d.addEventListener("DOMContentLoaded",K),a.addEventListener("load",K);else{d.attachEvent("onreadystatechange",K),a.attachEvent("onload",K);var c=!1;try{c=null==a.frameElement&&d.documentElement}catch(e){}c&&c.doScroll&&!function f(){if(!n.isReady){try{c.doScroll("left")}catch(b){return a.setTimeout(f,50)}J(),n.ready()}}()}return I.promise(b)},n.ready.promise();var L;for(L in n(l))break;l.ownFirst="0"===L,l.inlineBlockNeedsLayout=!1,n(function(){var a,b,c,e;c=d.getElementsByTagName("body")[0],c&&c.style&&(b=d.createElement("div"),e=d.createElement("div"),e.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(e).appendChild(b),"undefined"!=typeof b.style.zoom&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",l.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(e))}),function(){var a=d.createElement("div");l.deleteExpando=!0;try{delete a.test}catch(b){l.deleteExpando=!1}a=null}();var M=function(a){var b=n.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b},N=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,O=/([A-Z])/g;function P(a,b,c){if(void 0===c&&1===a.nodeType){var 
d="data-"+b.replace(O,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:N.test(c)?n.parseJSON(c):c}catch(e){}n.data(a,b,c)}else c=void 0; +}return c}function Q(a){var b;for(b in a)if(("data"!==b||!n.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function R(a,b,d,e){if(M(a)){var f,g,h=n.expando,i=a.nodeType,j=i?n.cache:a,k=i?a[h]:a[h]&&h;if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||n.guid++:h),j[k]||(j[k]=i?{}:{toJSON:n.noop}),"object"!=typeof b&&"function"!=typeof b||(e?j[k]=n.extend(j[k],b):j[k].data=n.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 0!==d&&(g[n.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[n.camelCase(b)])):f=g,f}}function S(a,b,c){if(M(a)){var d,e,f=a.nodeType,g=f?n.cache:a,h=f?a[n.expando]:n.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){n.isArray(b)?b=b.concat(n.map(b,n.camelCase)):b in d?b=[b]:(b=n.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!Q(d):!n.isEmptyObject(d))return}(c||(delete g[h].data,Q(g[h])))&&(f?n.cleanData([a],!0):l.deleteExpando||g!=g.window?delete g[h]:g[h]=void 0)}}}n.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?n.cache[a[n.expando]]:a[n.expando],!!a&&!Q(a)},data:function(a,b,c){return R(a,b,c)},removeData:function(a,b){return S(a,b)},_data:function(a,b,c){return R(a,b,c,!0)},_removeData:function(a,b){return S(a,b,!0)}}),n.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=n.data(f),1===f.nodeType&&!n._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=n.camelCase(d.slice(5)),P(f,d,e[d])));n._data(f,"parsedAttrs",!0)}return e}return"object"==typeof 
a?this.each(function(){n.data(this,a)}):arguments.length>1?this.each(function(){n.data(this,a,b)}):f?P(f,a,n.data(f,a)):void 0},removeData:function(a){return this.each(function(){n.removeData(this,a)})}}),n.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=n._data(a,b),c&&(!d||n.isArray(c)?d=n._data(a,b,n.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=n.queue(a,b),d=c.length,e=c.shift(),f=n._queueHooks(a,b),g=function(){n.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return n._data(a,c)||n._data(a,c,{empty:n.Callbacks("once memory").add(function(){n._removeData(a,b+"queue"),n._removeData(a,c)})})}}),n.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.lengthh;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},Z=/^(?:checkbox|radio)$/i,$=/<([\w:-]+)/,_=/^$|\/(?:java|ecma)script/i,aa=/^\s+/,ba="abbr|article|aside|audio|bdi|canvas|data|datalist|details|dialog|figcaption|figure|footer|header|hgroup|main|mark|meter|nav|output|picture|progress|section|summary|template|time|video";function ca(a){var b=ba.split("|"),c=a.createDocumentFragment();if(c.createElement)while(b.length)c.createElement(b.pop());return c}!function(){var a=d.createElement("div"),b=d.createDocumentFragment(),c=d.createElement("input");a.innerHTML="
                a",l.leadingWhitespace=3===a.firstChild.nodeType,l.tbody=!a.getElementsByTagName("tbody").length,l.htmlSerialize=!!a.getElementsByTagName("link").length,l.html5Clone="<:nav>"!==d.createElement("nav").cloneNode(!0).outerHTML,c.type="checkbox",c.checked=!0,b.appendChild(c),l.appendChecked=c.checked,a.innerHTML="",l.noCloneChecked=!!a.cloneNode(!0).lastChild.defaultValue,b.appendChild(a),c=d.createElement("input"),c.setAttribute("type","radio"),c.setAttribute("checked","checked"),c.setAttribute("name","t"),a.appendChild(c),l.checkClone=a.cloneNode(!0).cloneNode(!0).lastChild.checked,l.noCloneEvent=!!a.addEventListener,a[n.expando]=1,l.attributes=!a.getAttribute(n.expando)}();var da={option:[1,""],legend:[1,"
                ","
                "],area:[1,"",""],param:[1,"",""],thead:[1,"","
                "],tr:[2,"","
                "],col:[2,"","
                "],td:[3,"","
                "],_default:l.htmlSerialize?[0,"",""]:[1,"X
                ","
                "]};da.optgroup=da.option,da.tbody=da.tfoot=da.colgroup=da.caption=da.thead,da.th=da.td;function ea(a,b){var c,d,e=0,f="undefined"!=typeof a.getElementsByTagName?a.getElementsByTagName(b||"*"):"undefined"!=typeof a.querySelectorAll?a.querySelectorAll(b||"*"):void 0;if(!f)for(f=[],c=a.childNodes||a;null!=(d=c[e]);e++)!b||n.nodeName(d,b)?f.push(d):n.merge(f,ea(d,b));return void 0===b||b&&n.nodeName(a,b)?n.merge([a],f):f}function fa(a,b){for(var c,d=0;null!=(c=a[d]);d++)n._data(c,"globalEval",!b||n._data(b[d],"globalEval"))}var ga=/<|&#?\w+;/,ha=/r;r++)if(g=a[r],g||0===g)if("object"===n.type(g))n.merge(q,g.nodeType?[g]:g);else if(ga.test(g)){i=i||p.appendChild(b.createElement("div")),j=($.exec(g)||["",""])[1].toLowerCase(),m=da[j]||da._default,i.innerHTML=m[1]+n.htmlPrefilter(g)+m[2],f=m[0];while(f--)i=i.lastChild;if(!l.leadingWhitespace&&aa.test(g)&&q.push(b.createTextNode(aa.exec(g)[0])),!l.tbody){g="table"!==j||ha.test(g)?""!==m[1]||ha.test(g)?0:i:i.firstChild,f=g&&g.childNodes.length;while(f--)n.nodeName(k=g.childNodes[f],"tbody")&&!k.childNodes.length&&g.removeChild(k)}n.merge(q,i.childNodes),i.textContent="";while(i.firstChild)i.removeChild(i.firstChild);i=p.lastChild}else q.push(b.createTextNode(g));i&&p.removeChild(i),l.appendChecked||n.grep(ea(q,"input"),ia),r=0;while(g=q[r++])if(d&&n.inArray(g,d)>-1)e&&e.push(g);else if(h=n.contains(g.ownerDocument,g),i=ea(p.appendChild(g),"script"),h&&fa(i),c){f=0;while(g=i[f++])_.test(g.type||"")&&c.push(g)}return i=null,p}!function(){var b,c,e=d.createElement("div");for(b in{submit:!0,change:!0,focusin:!0})c="on"+b,(l[b]=c in a)||(e.setAttribute(c,"t"),l[b]=e.attributes[c].expando===!1);e=null}();var ka=/^(?:input|select|textarea)$/i,la=/^key/,ma=/^(?:mouse|pointer|contextmenu|drag|drop)|click/,na=/^(?:focusinfocus|focusoutblur)$/,oa=/^([^.]*)(?:\.(.+)|)/;function pa(){return!0}function qa(){return!1}function ra(){try{return d.activeElement}catch(a){}}function sa(a,b,c,d,e,f){var g,h;if("object"==typeof 
b){"string"!=typeof c&&(d=d||c,c=void 0);for(h in b)sa(a,h,c,d,b[h],f);return a}if(null==d&&null==e?(e=c,d=c=void 0):null==e&&("string"==typeof c?(e=d,d=void 0):(e=d,d=c,c=void 0)),e===!1)e=qa;else if(!e)return a;return 1===f&&(g=e,e=function(a){return n().off(a),g.apply(this,arguments)},e.guid=g.guid||(g.guid=n.guid++)),a.each(function(){n.event.add(this,b,e,d,c)})}n.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=n._data(a);if(r){c.handler&&(i=c,c=i.handler,e=i.selector),c.guid||(c.guid=n.guid++),(g=r.events)||(g=r.events={}),(k=r.handle)||(k=r.handle=function(a){return"undefined"==typeof n||a&&n.event.triggered===a.type?void 0:n.event.dispatch.apply(k.elem,arguments)},k.elem=a),b=(b||"").match(G)||[""],h=b.length;while(h--)f=oa.exec(b[h])||[],o=q=f[1],p=(f[2]||"").split(".").sort(),o&&(j=n.event.special[o]||{},o=(e?j.delegateType:j.bindType)||o,j=n.event.special[o]||{},l=n.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&n.expr.match.needsContext.test(e),namespace:p.join(".")},i),(m=g[o])||(m=g[o]=[],m.delegateCount=0,j.setup&&j.setup.call(a,d,p,k)!==!1||(a.addEventListener?a.addEventListener(o,k,!1):a.attachEvent&&a.attachEvent("on"+o,k))),j.add&&(j.add.call(a,l),l.handler.guid||(l.handler.guid=c.guid)),e?m.splice(m.delegateCount++,0,l):m.push(l),n.event.global[o]=!0);a=null}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=n.hasData(a)&&n._data(a);if(r&&(k=r.events)){b=(b||"").match(G)||[""],j=b.length;while(j--)if(h=oa.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=n.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,m=k[o]||[],h=h[2]&&new 
RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),i=f=m.length;while(f--)g=m[f],!e&&q!==g.origType||c&&c.guid!==g.guid||h&&!h.test(g.namespace)||d&&d!==g.selector&&("**"!==d||!g.selector)||(m.splice(f,1),g.selector&&m.delegateCount--,l.remove&&l.remove.call(a,g));i&&!m.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||n.removeEvent(a,o,r.handle),delete k[o])}else for(o in k)n.event.remove(a,o+b[j],c,d,!0);n.isEmptyObject(k)&&(delete r.handle,n._removeData(a,"events"))}},trigger:function(b,c,e,f){var g,h,i,j,l,m,o,p=[e||d],q=k.call(b,"type")?b.type:b,r=k.call(b,"namespace")?b.namespace.split("."):[];if(i=m=e=e||d,3!==e.nodeType&&8!==e.nodeType&&!na.test(q+n.event.triggered)&&(q.indexOf(".")>-1&&(r=q.split("."),q=r.shift(),r.sort()),h=q.indexOf(":")<0&&"on"+q,b=b[n.expando]?b:new n.Event(q,"object"==typeof b&&b),b.isTrigger=f?2:3,b.namespace=r.join("."),b.rnamespace=b.namespace?new RegExp("(^|\\.)"+r.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,b.result=void 0,b.target||(b.target=e),c=null==c?[b]:n.makeArray(c,[b]),l=n.event.special[q]||{},f||!l.trigger||l.trigger.apply(e,c)!==!1)){if(!f&&!l.noBubble&&!n.isWindow(e)){for(j=l.delegateType||q,na.test(j+q)||(i=i.parentNode);i;i=i.parentNode)p.push(i),m=i;m===(e.ownerDocument||d)&&p.push(m.defaultView||m.parentWindow||a)}o=0;while((i=p[o++])&&!b.isPropagationStopped())b.type=o>1?j:l.bindType||q,g=(n._data(i,"events")||{})[b.type]&&n._data(i,"handle"),g&&g.apply(i,c),g=h&&i[h],g&&g.apply&&M(i)&&(b.result=g.apply(i,c),b.result===!1&&b.preventDefault());if(b.type=q,!f&&!b.isDefaultPrevented()&&(!l._default||l._default.apply(p.pop(),c)===!1)&&M(e)&&h&&e[q]&&!n.isWindow(e)){m=e[h],m&&(e[h]=null),n.event.triggered=q;try{e[q]()}catch(s){}n.event.triggered=void 0,m&&(e[h]=m)}return b.result}},dispatch:function(a){a=n.event.fix(a);var 
b,c,d,f,g,h=[],i=e.call(arguments),j=(n._data(this,"events")||{})[a.type]||[],k=n.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=n.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,c=0;while((g=f.handlers[c++])&&!a.isImmediatePropagationStopped())a.rnamespace&&!a.rnamespace.test(g.namespace)||(a.handleObj=g,a.data=g.data,d=((n.event.special[g.origType]||{}).handle||g.handler).apply(f.elem,i),void 0!==d&&(a.result=d)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&("click"!==a.type||isNaN(a.button)||a.button<1))for(;i!=this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(d=[],c=0;h>c;c++)f=b[c],e=f.selector+" ",void 0===d[e]&&(d[e]=f.needsContext?n(e,this).index(i)>-1:n.find(e,this,null,[i]).length),d[e]&&d.push(f);d.length&&g.push({elem:i,handlers:d})}return h]","i"),va=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,wa=/\s*$/g,Aa=ca(d),Ba=Aa.appendChild(d.createElement("div"));function Ca(a,b){return n.nodeName(a,"table")&&n.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function Da(a){return a.type=(null!==n.find.attr(a,"type"))+"/"+a.type,a}function Ea(a){var b=ya.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function Fa(a,b){if(1===b.nodeType&&n.hasData(a)){var c,d,e,f=n._data(a),g=n._data(b,f),h=f.events;if(h){delete g.handle,g.events={};for(c in h)for(d=0,e=h[c].length;e>d;d++)n.event.add(b,c,h[c][d])}g.data&&(g.data=n.extend({},g.data))}}function Ga(a,b){var c,d,e;if(1===b.nodeType){if(c=b.nodeName.toLowerCase(),!l.noCloneEvent&&b[n.expando]){e=n._data(b);for(d in 
e.events)n.removeEvent(b,d,e.handle);b.removeAttribute(n.expando)}"script"===c&&b.text!==a.text?(Da(b).text=a.text,Ea(b)):"object"===c?(b.parentNode&&(b.outerHTML=a.outerHTML),l.html5Clone&&a.innerHTML&&!n.trim(b.innerHTML)&&(b.innerHTML=a.innerHTML)):"input"===c&&Z.test(a.type)?(b.defaultChecked=b.checked=a.checked,b.value!==a.value&&(b.value=a.value)):"option"===c?b.defaultSelected=b.selected=a.defaultSelected:"input"!==c&&"textarea"!==c||(b.defaultValue=a.defaultValue)}}function Ha(a,b,c,d){b=f.apply([],b);var e,g,h,i,j,k,m=0,o=a.length,p=o-1,q=b[0],r=n.isFunction(q);if(r||o>1&&"string"==typeof q&&!l.checkClone&&xa.test(q))return a.each(function(e){var f=a.eq(e);r&&(b[0]=q.call(this,e,f.html())),Ha(f,b,c,d)});if(o&&(k=ja(b,a[0].ownerDocument,!1,a,d),e=k.firstChild,1===k.childNodes.length&&(k=e),e||d)){for(i=n.map(ea(k,"script"),Da),h=i.length;o>m;m++)g=k,m!==p&&(g=n.clone(g,!0,!0),h&&n.merge(i,ea(g,"script"))),c.call(a[m],g,m);if(h)for(j=i[i.length-1].ownerDocument,n.map(i,Ea),m=0;h>m;m++)g=i[m],_.test(g.type||"")&&!n._data(g,"globalEval")&&n.contains(j,g)&&(g.src?n._evalUrl&&n._evalUrl(g.src):n.globalEval((g.text||g.textContent||g.innerHTML||"").replace(za,"")));k=e=null}return a}function Ia(a,b,c){for(var d,e=b?n.filter(b,a):a,f=0;null!=(d=e[f]);f++)c||1!==d.nodeType||n.cleanData(ea(d)),d.parentNode&&(c&&n.contains(d.ownerDocument,d)&&fa(ea(d,"script")),d.parentNode.removeChild(d));return a}n.extend({htmlPrefilter:function(a){return a.replace(va,"<$1>")},clone:function(a,b,c){var d,e,f,g,h,i=n.contains(a.ownerDocument,a);if(l.html5Clone||n.isXMLDoc(a)||!ua.test("<"+a.nodeName+">")?f=a.cloneNode(!0):(Ba.innerHTML=a.outerHTML,Ba.removeChild(f=Ba.firstChild)),!(l.noCloneEvent&&l.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||n.isXMLDoc(a)))for(d=ea(f),h=ea(a),g=0;null!=(e=h[g]);++g)d[g]&&Ga(e,d[g]);if(b)if(c)for(h=h||ea(a),d=d||ea(f),g=0;null!=(e=h[g]);g++)Fa(e,d[g]);else Fa(a,f);return 
d=ea(f,"script"),d.length>0&&fa(d,!i&&ea(a,"script")),d=h=e=null,f},cleanData:function(a,b){for(var d,e,f,g,h=0,i=n.expando,j=n.cache,k=l.attributes,m=n.event.special;null!=(d=a[h]);h++)if((b||M(d))&&(f=d[i],g=f&&j[f])){if(g.events)for(e in g.events)m[e]?n.event.remove(d,e):n.removeEvent(d,e,g.handle);j[f]&&(delete j[f],k||"undefined"==typeof d.removeAttribute?d[i]=void 0:d.removeAttribute(i),c.push(f))}}}),n.fn.extend({domManip:Ha,detach:function(a){return Ia(this,a,!0)},remove:function(a){return Ia(this,a)},text:function(a){return Y(this,function(a){return void 0===a?n.text(this):this.empty().append((this[0]&&this[0].ownerDocument||d).createTextNode(a))},null,a,arguments.length)},append:function(){return Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.appendChild(a)}})},prepend:function(){return Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},empty:function(){for(var a,b=0;null!=(a=this[b]);b++){1===a.nodeType&&n.cleanData(ea(a,!1));while(a.firstChild)a.removeChild(a.firstChild);a.options&&n.nodeName(a,"select")&&(a.options.length=0)}return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return n.clone(this,a,b)})},html:function(a){return Y(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a)return 1===b.nodeType?b.innerHTML.replace(ta,""):void 0;if("string"==typeof 
a&&!wa.test(a)&&(l.htmlSerialize||!ua.test(a))&&(l.leadingWhitespace||!aa.test(a))&&!da[($.exec(a)||["",""])[1].toLowerCase()]){a=n.htmlPrefilter(a);try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(n.cleanData(ea(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=[];return Ha(this,arguments,function(b){var c=this.parentNode;n.inArray(this,a)<0&&(n.cleanData(ea(this)),c&&c.replaceChild(b,this))},a)}}),n.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){n.fn[a]=function(a){for(var c,d=0,e=[],f=n(a),h=f.length-1;h>=d;d++)c=d===h?this:this.clone(!0),n(f[d])[b](c),g.apply(e,c.get());return this.pushStack(e)}});var Ja,Ka={HTML:"block",BODY:"block"};function La(a,b){var c=n(b.createElement(a)).appendTo(b.body),d=n.css(c[0],"display");return c.detach(),d}function Ma(a){var b=d,c=Ka[a];return c||(c=La(a,b),"none"!==c&&c||(Ja=(Ja||n("|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2011988; rev:5; metadata:created_at 2010_12_01, updated_at 2017_04_13;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; 
sid:2012333; rev:2; metadata:created_at 2011_02_22, updated_at 2011_02_22;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:4; metadata:created_at 2011_03_15, updated_at 2011_03_15;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:7; metadata:created_at 2011_03_15, updated_at 2011_03_15;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:trojan-activity; sid:2012518; rev:1; metadata:created_at 2011_03_17, updated_at 2011_03_17;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; distance:0; classtype:trojan-activity; sid:2012525; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of 
Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; distance:0; classtype:trojan-activity; sid:2012526; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; file_data; content:"%PDF-"; distance:0; classtype:trojan-activity; sid:2012527; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; file_data; content:"%PDF-"; distance:0; classtype:trojan-activity; sid:2012528; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; file_data; content:"MWL"; within:300; classtype:bad-unknown; sid:2012530; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site blt .png"; flow:established,to_server; content:"/images/blt"; http_uri; depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) + +#alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:5; metadata:created_at 2011_03_30, updated_at 2011_03_30;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:1; metadata:created_at 2011_03_30, updated_at 2011_03_30;) + +#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:""; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"SWF"; fast_pattern:only; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; 
reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012621; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:""; within:100; classtype:attempted-user; sid:2012624; rev:4; metadata:created_at 2011_04_02, updated_at 2011_04_02;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:2; metadata:created_at 2011_04_04, updated_at 2011_04_04;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; 
reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:4; metadata:created_at 2011_04_04, updated_at 2011_04_04;) + +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:bad-unknown; sid:2012632; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_04_05, updated_at 2016_07_01;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:bad-unknown; sid:2012630; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_04_05, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2012635; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_04_05, updated_at 2016_07_01;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern:only; content:".php?height="; http_uri; content:"|20|Java/"; http_header; 
pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern:only; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:1; metadata:created_at 2011_04_13, updated_at 2011_04_13;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:1; metadata:created_at 2011_04_28, updated_at 2011_04_28;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2012732; rev:1; metadata:created_at 2011_04_28, updated_at 2011_04_28;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; 
reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:2; metadata:created_at 2011_05_27, updated_at 2011_05_27;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Newplayer.pdf"; flow:established,to_server; content:"/newplayer.pdf"; fast_pattern:only; http_uri; metadata: former_category CURRENT_EVENTS; reference:cve,2009-4324; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012941; rev:6; metadata:created_at 2011_06_07, updated_at 2017_04_10;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Printf.pdf"; flow:established,to_server; content:"/printf.pdf"; fast_pattern:only; http_uri; reference:cve,2008-2992; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012942; rev:6; metadata:created_at 2011_06_07, updated_at 2011_06_07;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Geticon.pdf"; flow:established,to_server; content:"/geticon.pdf"; fast_pattern:only; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012943; rev:6; metadata:created_at 2011_06_07, updated_at 2011_06_07;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit All.pdf"; flow:established,to_server; content:"/tmp/all.pdf"; fast_pattern:only; http_uri; 
reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012944; rev:6; metadata:created_at 2011_06_07, updated_at 2011_06_07;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; http_header; fast_pattern:only; content:"Set-Cookie|3a| "; http_header; content:"avtor="; http_header; within:40; classtype:trojan-activity; sid:2013011; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:trojan-activity; sid:2013024; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013025; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013027; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+
+#alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"/sidename.js\">"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; 
http_uri; urilen:>500; classtype:bad-unknown; sid:2013093; rev:3; metadata:created_at 2011_06_22, updated_at 2011_06_22;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:bad-unknown; sid:2013094; rev:10; metadata:created_at 2011_06_22, updated_at 2011_06_22;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013175; rev:4; metadata:created_at 2011_07_04, updated_at 2011_07_04;) + +#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|>"; nocase; fast_pattern:only; 
reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|
                \d{16}/R"; classtype:trojan-activity; sid:2013237; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:1; metadata:created_at 2011_07_11, updated_at 2011_07_11;) + +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; fast_pattern:only; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:3; metadata:created_at 2011_07_27, updated_at 2011_07_27;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;) + +#alert udp 
!$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)
+
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)
+
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; 
reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)
+
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)
+
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; 
classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* "; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|>"; fast_pattern; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"NACHA"; distance:0; classtype:bad-unknown; sid:2013474; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_08_26, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient.vulnerable; 
content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; distance:0; classtype:bad-unknown; sid:2013484; rev:2; metadata:created_at 2011_08_29, updated_at 2011_08_29;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; distance:0; classtype:bad-unknown; sid:2013485; rev:2; metadata:created_at 2011_08_29, updated_at 2011_08_29;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; distance:0; classtype:bad-unknown; sid:2013486; rev:1; metadata:created_at 2011_08_30, updated_at 2011_08_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:4; metadata:created_at 2011_08_30, updated_at 2011_08_30;)
+
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2011_08_30, updated_at 2016_07_01;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_09_09, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013552; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_09_09, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:""; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:5; metadata:created_at 2012_04_17, updated_at 2012_04_17;) + +#alert tcp $HOME_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:""; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:5; metadata:created_at 2012_04_17, updated_at 2012_04_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit Java request to images.php?t="; 
flow:established,to_server; content:"/images.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/images\.php\?t=\d+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014609; rev:1; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ"; flow:established,from_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014611; rev:1; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Sutra - cookie is set RULEZ"; flow:established,to_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014612; rev:1; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (file upload)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"jembot"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:2; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (system command)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"empix="; http_uri; fast_pattern:only; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:2; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; 
http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:6; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit PDF request to images.php?t=81118"; flow:established,to_server; content:"/images.php?t=81118"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014639; rev:3; metadata:created_at 2012_04_26, updated_at 2012_04_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014640; rev:2; metadata:created_at 2012_04_26, updated_at 2012_04_26;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:3; metadata:created_at 2012_04_26, updated_at 2012_04_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit pdf download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".pdf"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014657; rev:2; metadata:created_at 2012_04_30, updated_at 2012_04_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; 
fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014658; rev:2; metadata:created_at 2012_04_30, updated_at 2012_04_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; classtype:trojan-activity; sid:2014665; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_05_02, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; content:"/load_module.php?e="; http_uri; classtype:trojan-activity; sid:2014705; rev:3; metadata:created_at 2012_05_03, updated_at 2012_05_03;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; content:"/download_file.php?e="; http_uri; classtype:trojan-activity; sid:2014706; rev:2; metadata:created_at 2012_05_03, updated_at 2012_05_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; content:"filename=payload.exe.exe|0d 0a|"; http_header; classtype:trojan-activity; sid:2014707; rev:3; metadata:created_at 2012_05_03, updated_at 2012_05_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer! 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014749; rev:2; metadata:created_at 2012_05_14, updated_at 2012_05_14;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:3; metadata:created_at 2012_05_14, updated_at 2012_05_14;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:bad-unknown; sid:2014751; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_05_17, malware_family Nuclear, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fragus Exploit jar Download"; flow:established,to_server; content:"_.jar?"; http_uri; pcre:"/\w_\.jar\?[a-f0-9]{8}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014802; rev:2; metadata:created_at 2012_05_23, updated_at 2017_03_08;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; 
sid:2014805; rev:1; metadata:created_at 2012_05_23, updated_at 2012_05_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; content:"/timthumb.php?"; http_uri; content:!"webshot=1"; http_uri; distance:0; content:"src="; http_uri; distance:0; content:"http"; http_uri; distance:0; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/Ui"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:2014846; rev:10; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_05_29, updated_at 2016_07_01;)
+
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
+
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014828; rev:2; metadata:created_at 2012_05_30, updated_at 2017_12_11;)
+
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; 
pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1; metadata:created_at 2012_05_30, updated_at 2012_05_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:" $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"GIF89a|01 3f|"; within:8; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/Ui"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014851; rev:1; metadata:created_at 2012_06_04, updated_at 2012_06_04;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014852; rev:2; metadata:created_at 2012_06_04, updated_at 2012_06_04;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern:only; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely TDS redirecting to exploit kit"; flow:established,to_server; content:".php?go="; http_uri; pcre:"/\.php\?go=\d$/U"; 
classtype:bad-unknown; sid:2014854; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redirect to driveby sid=mix"; flow:to_server,established; content:"/go.php?sid=mix"; http_uri; classtype:bad-unknown; sid:2014866; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_06_07, updated_at 2016_07_01;)
+
+alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:3; metadata:created_at 2012_06_08, updated_at 2012_06_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern:only; content:" lonly="; http_cookie; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014884; rev:1; metadata:created_at 2012_06_08, updated_at 2017_03_08;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:trojan-activity; sid:2014891; rev:2; metadata:created_at 2012_06_14, updated_at 2012_06_14;) 
+ +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014892; rev:3; metadata:created_at 2012_06_14, updated_at 2012_06_14;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:" Java/1."; http_header; fast_pattern; content:"User-Agent|3A| Mozilla"; http_header; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:6; metadata:created_at 2012_06_15, updated_at 2012_06_15;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:trojan-activity; sid:2014913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_06_15, malware_family Nuclear, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_06_15, malware_family Nuclear, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:trojan-activity; sid:2014922; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; content:"/getfile.php?"; http_uri; content:"Java/1"; http_header; classtype:attempted-user; sid:2014924; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1; metadata:created_at 2012_06_20, updated_at 2012_06_20;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; 
content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:2; metadata:created_at 2012_06_20, updated_at 2012_06_20;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:2; metadata:created_at 2012_06_21, updated_at 2017_12_11;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014934; rev:3; metadata:created_at 2012_06_22, updated_at 2017_04_28;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; within:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; content:"GET"; http_method; content:".php"; http_uri; pcre:"/^\/[a-z]{15}[0-9]\.php$/U"; classtype:trojan-activity; sid:2014967; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0;
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; fast_pattern:only; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:1; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; within:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable;
classtype:trojan-activity; sid:2014983; rev:2; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:4; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; distance:0; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:1; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_header; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag
Nuclear, signature_severity Critical, created_at 2012_07_02, malware_family Nuclear, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015010; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:2; metadata:created_at 2012_07_04, updated_at 2012_07_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ payload"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".php"; http_uri; content:"fid="; http_uri; content:"quote="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015011; rev:1; metadata:created_at 2012_07_04, updated_at 2012_07_04;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:2; metadata:created_at 2012_07_06, updated_at 2012_07_06;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:2; metadata:created_at 2012_07_06, updated_at 2012_07_06;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by
Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:trojan-activity; sid:2015042; rev:1; metadata:created_at 2012_07_06, updated_at 2012_07_06;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:""; distance:0; content:""; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;) + +alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|>"; distance:0; classtype:trojan-activity; sid:2015057; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:10; content:"/top2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015478; rev:2; metadata:created_at 2012_07_16, updated_at 2012_07_16;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015479; rev:2; metadata:created_at 2012_07_16, updated_at 2012_07_16;)
+
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; content:"/net/?u="; http_uri; fast_pattern:only; content:"Host|3a| net"; http_header; content:"net.net"; http_header; distance:2; within:7; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.0)"; http_header; pcre:"/^Host\x3a\snet[0-4]{2}net\.net\r?\n$/Hmi"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_16, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; distance:0; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_16, updated_at 2016_07_01;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; fast_pattern:only; classtype:trojan-activity; sid:2015516; rev:1; metadata:created_at 2012_07_23, updated_at 2012_07_23;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:2; metadata:created_at 2012_07_23, updated_at 2012_07_23;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".php"; distance:0; http_uri; classtype:bad-unknown; sid:2015518; rev:3; metadata:created_at 2012_07_23, updated_at 2012_07_23;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; fast_pattern:only;
reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:2; metadata:created_at 2012_07_31, updated_at 2012_07_31;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015559; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_08_01, updated_at 2017_05_08;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern:only; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015573; rev:1; metadata:created_at 2012_08_03, updated_at 2012_08_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; within:3; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; 
content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:1; metadata:created_at 2012_08_06, updated_at 2012_08_06;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; distance:0; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:3; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:3; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:1; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sutra TDS /simmetry"; flow:to_server,established; content:"/simmetry?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:trojan-activity; sid:2015593; rev:1; metadata:created_at 2012_08_08, updated_at 2012_08_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; content:"/spl_data/"; http_uri; fast_pattern:only; content:" Java/"; http_header;
classtype:trojan-activity; sid:2015603; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern:only; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:trojan-activity; sid:2015604; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015646; rev:4; metadata:created_at 2012_08_17, updated_at 2012_08_17;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um";
classtype:trojan-activity; sid:2015647; rev:3; metadata:created_at 2012_08_17, updated_at 2012_08_17;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:9; metadata:created_at 2012_08_22, updated_at 2012_08_22;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_08_28, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity
Critical, created_at 2012_08_28, updated_at 2016_07_01;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:3; metadata:created_at 2012_08_28, updated_at 2012_08_28;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:1; metadata:created_at 2012_08_28, updated_at 2012_08_28;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:" $EXTERNAL_NET 1342 (msg:"ET CURRENT_EVENTS Unknown Exploit Kit redirect"; flow:established,to_server; content:"GET /t/"; depth:7; fast_pattern; pcre:"/^[a-f0-9]{32}\sHTTP\x2f1\./Ri"; content:"|0d 0a|Host|3a| "; distance:0; pcre:"/^[^\r\n]+\x3a1342\r\n/R"; classtype:bad-unknown; sid:2015672; rev:9; metadata:created_at 2012_08_29, updated_at 2012_08_29;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:trojan-activity; sid:2015676; rev:2; metadata:created_at 2012_09_05, updated_at 2012_09_05;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit 
kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern:only; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2015678; rev:2; metadata:created_at 2012_09_06, updated_at 2012_09_06;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015679; rev:1; metadata:created_at 2012_09_06, updated_at 2012_09_06;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015682; rev:1; metadata:created_at 2012_09_06, updated_at 2012_09_06;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015683; rev:1; metadata:created_at 2012_09_06, updated_at 2012_09_06;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:2; metadata:created_at 2012_09_07, updated_at 2012_09_07;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri;
fast_pattern:only; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:attempted-user; sid:2015689; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_09_11, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015690; rev:1; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015691; rev:1; metadata:created_at 2012_09_11, updated_at 2016_09_13;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015693; rev:1; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015694; rev:1; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR
Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:attempted-user; sid:2015695; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_09_11, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:5; metadata:created_at 2012_09_17, updated_at 2012_09_17;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; content:"/x-java-archive|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|PK"; distance:0; classtype:trojan-activity; sid:2015724; rev:11; metadata:created_at 2012_09_21, updated_at 2012_09_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:1; metadata:created_at 2012_09_21, updated_at 2012_09_21;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; 
reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:1; metadata:created_at 2012_09_21, updated_at 2012_09_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015733; rev:1; metadata:created_at 2012_09_24, updated_at 2012_09_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; content:"/nano.php?x="; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015734; rev:1; metadata:created_at 2012_09_24, updated_at 2012_09_24;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015735; rev:2; metadata:created_at 2012_09_24, updated_at 2012_09_24;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"d---o---c---u---m---"; within:500; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015758; rev:2; metadata:created_at 2012_10_04, updated_at 2018_03_15;) 
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; isdataat:64,relative; content:"="; http_uri; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/U"; classtype:trojan-activity; sid:2015781; rev:1; metadata:created_at 2012_10_05, updated_at 2012_10_05;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:trojan-activity; sid:2015782; rev:3; metadata:created_at 2012_10_05, updated_at 2012_10_05;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015783; rev:6; metadata:created_at 2012_10_06, updated_at 2017_09_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:trojan-activity; sid:2015789; rev:1; metadata:created_at 2012_10_09, updated_at 2012_10_09;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOpEK - Landing Page"; flow:established,to_client; file_data; content:" 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:trojan-activity; sid:2015792; rev:1; 
metadata:created_at 2012_10_11, updated_at 2012_10_11;)
+
+#alert tcp $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:1; metadata:created_at 2012_10_11, updated_at 2012_10_11;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:2; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015818; rev:2; metadata:created_at 2012_10_19, updated_at 2012_10_19;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. 
Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015819; rev:2; metadata:created_at 2012_10_19, updated_at 2012_10_19;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:successful-user; sid:2015840; rev:2; metadata:created_at 2012_10_24, updated_at 2012_10_24;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:successful-user; sid:2015841; rev:2; metadata:created_at 2012_10_24, updated_at 2012_10_24;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015846; rev:2; metadata:created_at 2012_10_26, updated_at 2012_10_26;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:6; metadata:created_at 2012_10_26, updated_at 2012_10_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Imposter USPS Domain"; flow:established,to_server; content:".usps.com."; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]\.usps\.com\./Hi"; 
classtype:trojan-activity; sid:2015848; rev:1; metadata:created_at 2012_10_26, updated_at 2012_10_26;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_10_30, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:").)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:2; metadata:created_at 2012_10_31, updated_at 2012_10_31;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Self-Singed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:trojan-activity; sid:2015865; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_11_06, updated_at 2016_07_01;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; 
content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:3; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:1; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern:only; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:4; metadata:created_at 2012_11_08, updated_at 2012_11_08;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:2; metadata:created_at 2012_11_09, updated_at 2012_11_09;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015881; rev:2; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015882; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern:13,20; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Page"; flow:established,to_client; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; content:"/Dot.class"; http_uri; classtype:trojan-activity; sid:2015885; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:trojan-activity; sid:2015886; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; 
pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015888; rev:6; metadata:created_at 2012_11_15, updated_at 2012_11_15;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:trojan-activity; sid:2015890; rev:2; metadata:created_at 2012_11_15, updated_at 2012_11_15;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"/flow"; fast_pattern; depth:5; http_uri; content:".php"; distance:1; within:5; http_uri; content:"GET"; http_method; content:".ru|0d 0a|"; http_header; pcre:"/^\/flow\d{1,2}\.php$/U"; classtype:bad-unknown; sid:2015897; rev:2; metadata:created_at 2012_11_19, updated_at 2012_11_19;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:trojan-activity; sid:2015901; rev:2; metadata:created_at 2012_11_20, updated_at 2012_11_20;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; fast_pattern; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015907; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic PII Phish"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; fast_pattern; content:"&dob3="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015908; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bank of America Phish M1 Oct 01 2012"; flow:established,to_server; content:"POST"; http_method; content:"reason="; nocase; depth:7; fast_pattern; http_client_body; content:"Access_ID="; nocase; distance:0; http_client_body; content:"Current_Passcode="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015909; rev:3; metadata:created_at 2012_11_21, updated_at 2017_10_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful AOL Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; content:"aolpassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015910; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015911; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, 
deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Gmail Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015912; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Hotmail Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015913; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish - Other Credentials Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015914; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; 
reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:trojan-activity; sid:2015921; rev:1; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015922; rev:4; metadata:created_at 2012_11_23, updated_at 2012_11_23;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015923; rev:1; metadata:created_at 2012_11_23, updated_at 2012_11_23;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015928; rev:2; metadata:created_at 2012_11_26, updated_at 2012_11_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015929; rev:2; metadata:created_at 2012_11_26, updated_at 2012_11_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; 
classtype:trojan-activity; sid:2015930; rev:1; metadata:created_at 2012_11_26, updated_at 2012_11_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:1; metadata:created_at 2012_11_26, updated_at 2012_11_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; content:"GET /t/"; depth:7; pcre:"/^[a-f0-9]{32}\s*HTTP\/1\.[0-1]\r\n/R"; classtype:trojan-activity; sid:2015936; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_11_26, malware_family Nuclear, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Chase/Bank of America Phishing Landing Uri Structure Nov 27 2012 "; flow:established,to_server; content:"/Logon.php?LOB=RBG"; http_uri; content:"&_pageLabel=page_"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015938; rev:2; metadata:created_at 2012_11_26, updated_at 2017_10_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. 
Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015939; rev:2; metadata:created_at 2012_11_26, updated_at 2012_11_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:" Java/"; http_header; fast_pattern:only; pcre:"/amor\d{0,2}\.jar/U"; classtype:trojan-activity; sid:2015941; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:" Java/"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015942; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:trojan-activity; sid:2015943; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:trojan-activity; sid:2015944; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:trojan-activity; sid:2015945; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
CURRENT_EVENTS CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015946; rev:2; metadata:created_at 2012_11_27, updated_at 2017_04_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:trojan-activity; sid:2015949; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:trojan-activity; sid:2015950; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; pcre:"/\.jar\?m\=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:15; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic SSN Phish"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; fast_pattern; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; content:!"User-Agent|3a 20|LabTech Agent"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015952; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_27, updated_at 2017_08_17;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 
any (msg:"ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015955; rev:1; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:trojan-activity; sid:2015956; rev:1; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request"; flow:established,to_server; content:"/j.php?t=u00"; http_uri; fast_pattern:only; content:"Java/1."; http_header; classtype:trojan-activity; sid:2015960; rev:10; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request"; flow:established,to_server; content:"/p5.php?t=u00"; http_uri; fast_pattern:only; content:"&oh="; http_uri; classtype:trojan-activity; sid:2015961; rev:11; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern:only; content:"&token="; http_uri; classtype:trojan-activity; sid:2015962; rev:10; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:trojan-activity; sid:2015971; rev:8; metadata:created_at 2012_11_29, updated_at 
2012_11_29;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2015970; rev:10; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Landing URL"; flow:established,to_server; content:".php?dentesus=208779"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015964; rev:10; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful PayPal Phish Nov 30 2012"; flow:established,to_server; content:"POST"; http_method; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"target_page="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015972; rev:3; metadata:created_at 2012_11_30, updated_at 2017_10_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_header; fast_pattern:only; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:trojan-activity; sid:2015974; rev:12; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; 
classtype:bad-unknown; sid:2015977; rev:8; metadata:created_at 2012_12_03, updated_at 2012_12_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:bad-unknown; sid:2015979; rev:1; metadata:created_at 2012_12_03, updated_at 2012_12_03;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google Account Phish Dec 04 2012"; flow:established,to_server; content:"POST"; http_method; content:"continue="; http_client_body; content:"followup="; http_client_body; content:"checkedDomains="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015980; rev:3; metadata:created_at 2012_12_03, updated_at 2017_10_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:trojan-activity; sid:2015981; rev:1; metadata:created_at 2012_12_03, updated_at 2012_12_03;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"/js/java.js"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; classtype:trojan-activity; sid:2015982; rev:1; metadata:created_at 2012_12_03, updated_at 2012_12_03;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; metadata: former_category CURRENT_EVENTS; 
classtype:bad-unknown; sid:2015983; rev:1; metadata:created_at 2012_12_04, updated_at 2017_06_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:bad-unknown; sid:2015988; rev:1; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:bad-unknown; sid:2015989; rev:1; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]{2}\.html$/U"; classtype:bad-unknown; sid:2015990; rev:1; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern:only; content:"|22|bhjwfffiorjwe|22|"; classtype:bad-unknown; sid:2015991; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:3; metadata:created_at 2012_12_07, updated_at 2012_12_07;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:3; metadata:created_at 2012_12_07, updated_at 2012_12_07;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; nocase; fast_pattern:only; pcre:"/\/i.php?token=[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2015998; rev:2; metadata:created_at 2012_12_07, updated_at 2012_12_07;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:trojan-activity; sid:2016001; rev:4; metadata:created_at 2012_12_07, updated_at 2012_12_07;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016018; rev:1; metadata:created_at 
2012_12_12, updated_at 2012_12_12;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats"; flow:established,to_server; content:"POST"; http_method; content:".stats"; http_uri; content:"pageURL="; http_client_body; classtype:bad-unknown; sid:2016023; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_12_12, malware_family Nuclear, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016027; rev:4; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:2; metadata:created_at 2012_12_14, updated_at 2012_12_14;)
+
+alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016052; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:trojan-activity; sid:2016053; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:trojan-activity; sid:2016054; rev:2; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html"; flow:established,to_server; content:"/pdfx.html"; http_uri; classtype:trojan-activity; sid:2016055; rev:2; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:trojan-activity; sid:2016056; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful PayPal Phish Dec 19 2012"; flow:established,to_server; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"browser_version="; http_client_body; content:"operating_system="; fast_pattern; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016063; rev:3; metadata:created_at 2012_12_19, updated_at 
2017_10_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016065; rev:3; metadata:created_at 2012_12_19, updated_at 2012_12_19;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016070; rev:4; metadata:created_at 2012_12_20, updated_at 2012_12_20;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_header; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016071; rev:2; metadata:created_at 2012_12_20, updated_at 2012_12_20;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016072; rev:2; metadata:created_at 2012_12_20, updated_at 2012_12_20;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; 
content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016073; rev:6; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:trojan-activity; sid:2016090; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; content:"KAhFXlx9"; http_uri; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/U"; classtype:trojan-activity; sid:2016091; rev:1; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:trojan-activity; sid:2016093; rev:3; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:1; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
+
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:1; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:trojan-activity; sid:2016106; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:" Java/1"; http_header; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016107; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016108; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_header; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016111; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016113; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:trojan-activity; sid:2016128; rev:1; 
metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html "; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:trojan-activity; sid:2016129; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern:only; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; 
nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|provide|08|yourtrap|03|com|00|"; fast_pattern; nocase; distance:0; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016135; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_12_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; content:"/%E0%AC%B0%E0%B0%8C"; fast_pattern:only; content:"/%E0%AC%B0%E0%B0%8C"; http_raw_uri; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_31, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI 
(1)"; flow:established,to_server; content:"/%E0%B4%8C%E1%88%92"; fast_pattern:only; content:"/%E0%B4%8C%E1%88%92"; http_raw_uri; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:1; metadata:created_at 2013_12_31, updated_at 2013_12_31;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"CollectGarbage"; nocase; content:"try"; nocase; distance:0; content:".values"; nocase; distance:0; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:4; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016142; rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern:48,20; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:trojan-activity; sid:2016144; 
rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern:only; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:1; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:bad-unknown; sid:2016169; rev:2; metadata:created_at 2013_01_08, updated_at 2013_01_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2)"; flow:established,to_server; content:"/%E0%B4%8C%E1%82%AB"; fast_pattern:only; content:"/%E0%B4%8C%E1%82%AB"; http_raw_uri; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:1; metadata:created_at 2013_01_08, updated_at 2013_01_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:trojan-activity; sid:2016174; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_01_09, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; 
flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"yaml"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])yaml\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"symbol"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])symbol\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:bad-unknown; sid:2016190; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_01_11, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:bad-unknown; sid:2016191; rev:5; metadata:created_at 2013_01_11, updated_at 2013_01_11;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait..."; nocase; content:"
                $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"Loading, Please Wait..."; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_17, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern:only; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_17, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016240; rev:4; metadata:created_at 2013_01_18, updated_at 2013_01_18;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016247; rev:5; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS StyX Landing Page"; 
flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; pcre:"/\/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016248; rev:5; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:" Java/"; http_header; classtype:bad-unknown; sid:2016249; rev:5; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2016250; rev:5; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; content:".jar"; http_uri; pcre:"/\x2F[a-z]\x2Ejar$/U"; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016254; rev:1; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016255; rev:1; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; content:"/cve2012xxxx/Gondvv.class"; http_uri; classtype:trojan-activity; sid:2016256; rev:1; metadata:created_at 2013_01_23, updated_at 
2013_01_23;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS - in.php"; flow:established,to_server; content:"/in.php?s="; http_uri; classtype:trojan-activity; sid:2016272; rev:1; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:bad-unknown; sid:2016276; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_24, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:bad-unknown; sid:2016277; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_24, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:3; metadata:created_at 2013_01_28, updated_at 2013_01_28;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; 
content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:3; metadata:created_at 2013_01_28, updated_at 2013_01_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2016299; rev:7; metadata:created_at 2013_01_28, updated_at 2013_01_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016306; rev:1; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:trojan-activity; sid:2016307; rev:3; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request"; flow:established,to_server; content:"/jdb/"; http_uri; nocase; content:".class"; http_uri; nocase; pcre:"/\/jdb\/[^\/]+\.class$/Ui"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016308; rev:5; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit JAR Download"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{32}$/Ui"; 
classtype:trojan-activity; sid:2016309; rev:4; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; content:"/lib/adobe.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016310; rev:4; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Non-Standard HTML page in Joomla /com_content/ dir (Observed in Recent Pharma Spam)"; flow:established,to_server; content:"/components/com_content/"; http_uri; content:!"index.html"; nocase; within:10; http_uri; content:".html"; nocase; http_uri; distance:0; classtype:bad-unknown; sid:2016311; rev:6; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish - Generic POST to myform.php Feb 01 2013"; flow:established,to_server; content:"POST"; http_method; content:"/myform.php"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016327; rev:2; metadata:created_at 2013_01_31, updated_at 2017_10_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:trojan-activity; sid:2016333; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; pcre:"/^[a-z]+\.js$/U"; 
pcre:"/^Referer\x3a[^\r\n]+\/i.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; classtype:bad-unknown; sid:2016347; rev:5; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern:only; content:").)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:trojan-activity; sid:2016348; rev:6; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern:only; nocase; content:" Java/1."; http_header; pcre:"/\.jar\?java=\d+$/Ui"; classtype:trojan-activity; sid:2016349; rev:3; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern:only; content:" Java/1."; http_header; pcre:"/\/\?whole=\d+$/Ui"; classtype:trojan-activity; sid:2016350; rev:1; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; content:"/jerk.cgi?"; fast_pattern:only; http_uri; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016352; rev:1; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; 
content:"[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:2; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016365; rev:3; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016374; rev:1; metadata:created_at 2013_02_08, updated_at 
2013_02_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016375; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:trojan-activity; sid:2016377; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016378; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - JAR Containing Windows Executable"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016380; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; 
distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016393; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; 
flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016403; rev:1; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016407; rev:2; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:2; metadata:created_at 
2013_02_14, updated_at 2013_02_14;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:2; metadata:created_at 2013_02_14, updated_at 2013_02_14;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern:only; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:trojan-activity; sid:2016412; rev:3; metadata:created_at 2013_02_14, updated_at 2013_02_14;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (5)"; flow:established,to_server; content:".txt?e="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?e=\d+(&[fh]=\d+)?$/U"; classtype:trojan-activity; sid:2016414; rev:7; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:trojan-activity; sid:2016427; rev:5; metadata:created_at 2013_02_18, updated_at 2013_02_18;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern:10,20; content:" 
Java/1.7"; http_header; classtype:trojan-activity; sid:2016490; rev:9; metadata:created_at 2013_02_22, updated_at 2013_02_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern:11,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016491; rev:9; metadata:created_at 2013_02_22, updated_at 2013_02_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern:13,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016492; rev:9; metadata:created_at 2013_02_22, updated_at 2013_02_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern:12,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016493; rev:9; metadata:created_at 2013_02_22, updated_at 2013_02_22;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016497; rev:6; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern:only; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Payload Download"; flow:established,to_server; content:".exe"; http_uri; nocase; fast_pattern:only; content:"&h="; http_uri; 
pcre:"/\.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$/Ui"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016499; rev:13; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:bad-unknown; sid:2016500; rev:7; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Compromise svchost.jpg Beacon - Java Zeroday"; flow:established,to_server; content:"/svchost.jpg"; fast_pattern:only; http_uri; content:" Java/1."; http_header; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another- java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:2; metadata:created_at 2013_03_01, updated_at 2013_03_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016514; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016520; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; content:"/Java-SPLOIT.jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2016521; rev:1; metadata:created_at 2013_03_04, 
updated_at 2013_03_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016522; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Exploit Request"; flow:established,to_server; content:"/module.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016523; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Download non Jar file"; flow:established,to_server; content:!".jar"; http_uri; nocase; content:!".jnlp"; http_uri; nocase; content:!".hpi"; http_uri; nocase; content:" Java/1."; http_header; fast_pattern:only; content:!"ArduinoIDE/"; http_header; flowbits:set,ET.JavaNotJar; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016539; rev:5; metadata:created_at 2013_03_05, updated_at 2018_04_19;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:2; metadata:created_at 2013_03_05, updated_at 2013_03_05;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; 
content:".php?pprec"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016542; rev:2; metadata:created_at 2013_03_05, updated_at 2013_03_05;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016543; rev:1; metadata:created_at 2013_03_05, updated_at 2013_03_05;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:").)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016549; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_07, malware_family Angler, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:bad-unknown; sid:2016558; rev:3; metadata:created_at 2013_03_08, updated_at 2013_03_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016560; rev:9; metadata:created_at 2013_03_12, updated_at 2013_03_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SNET EK Downloading Payload"; 
flow:to_server,established; content:"/get?src="; http_uri; fast_pattern; content:"snet"; http_uri; distance:0; pcre:"/\/get\?src=[a-z]+snet$/U"; content:" WinHttp.WinHttpRequest"; http_header; classtype:trojan-activity; sid:2016566; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DynDNS Pro Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:i(?:s(?:-(?:a(?:-(?:(?:(?:h(?:ard-work|unt)e|financialadviso)r|d(?:e(?:mocrat|signer)|octor)|t(?:e(?:acher|chie)|herapist)|r(?:epublican|ockstar)|n(?:ascarfan|urse)|anarchist|musician)\.com|c(?:(?:(?:ubicle-sla|onservati)ve|pa)\.com|a(?:ndidate\.org|terer\.com)|hef\.(?:com|net|org)|elticsfan\.org)|l(?:i(?:ber(?:tarian|al)\.com|nux-user\.org)|(?:a(?:ndscap|wy)er|lama)\.com)|p(?:(?:ersonaltrain|hotograph|lay)er\.com|a(?:inter\.com|tsfan\.org))|b(?:(?:(?:ookkeep|logg)er|ulls-fan)\.com|ruinsfan\.org)|s(?:o(?:cialist\.com|xfan\.org)|tudent\.com)|g(?:eek\.(?:com|net|org)|(?:reen|uru)\.com)|knight\.org)|n-(?:a(?:c(?:t(?:ress|or)|countant)|(?:narch|rt)ist)|en(?:tertain|gine)er)\.com)|(?:into-(?:(?:car(?:toon)?|game)s|anime)|(?:(?:not-)?certifie|with-theban)d|uberleet|gone)\.com|(?:very-(?:(?:goo|ba)d|sweet|evil|nice)|found)\.org|s(?:aved\.org|lick\.com)|l(?:eet\.com|ost\.org)|by\.us)|a-(?:geek\.(?:com|net|org)|hockeynut\.com)|t(?:eingeek|mein)\.de|smarterthanyou\.com)|n-the-band\.net|amallama\.com)|f(?:rom-(?:(?:i[adln]|w[aivy]|o[hkr]|[hr]i|d[ce]|k[sy]|p[ar]|s[cd]|t[nx]|v[at]|fl|ga|ut)\.com|m(?:[adinost]\.com|e\.org)|n(?:[cdehjmv]\.com|y\.net)|a(?:[klr]\.com|z\.net)|c(?:[at]\.com|o\.net)|la\.net)|or(?:-(?:(?:(?:mor|som|th)e|better)\.biz|our\.info)|got\.h(?:er|is)\.name)|uettertdasnetz\.de|tpaccess\.cc)|s(?:e(?:l(?:ls(?:-(?:for-(?:less|u)\.com|it\.net)|yourhome\.org)|fip\.(?:info|biz|com|net|org))|rve(?:bbs\.(?:com|net|org)|ftp\.(?:net|org)|game\.org))|(?:
aves-the-whales|pace-to-rent|imple-url)\.com|crapp(?:er-site\.net|ing\.cc)|tuff-4-sale\.(?:org|us)|hacknet\.nu)|d(?:o(?:es(?:ntexist\.(?:com|org)|-it\.net)|ntexist\.(?:com|net|org)|omdns\.(?:com|org))|yn(?:a(?:lias\.(?:com|net|org)|thome\.net)|-o-saur\.com|dns\.ws)|ns(?:alias\.(?:com|net|org)|dojo\.(?:com|net|org))|vrdns\.org)|h(?:o(?:me(?:linux\.(?:com|net|org)|unix\.(?:com|net|org)|(?:\.dyn)?dns\.org|ftp\.(?:net|org)|ip\.net)|bby-site\.(?:com|org))|ere-for-more\.info|am-radio-op\.net)|b(?:log(?:dns\.(?:com|net|org)|site\.org)|(?:uyshouses|roke-it)\.net|arrel?l-of-knowledge\.info|oldlygoingnowhere\.org|etter-than\.tv)|g(?:o(?:tdns\.(?:com|org)|\.dyndns\.org)|ame-(?:server\.cc|host\.org)|et(?:myip\.com|s-it\.net)|roks-th(?:is|e)\.info)|e(?:st-(?:(?:a-la-ma(?:is|si)|le-patr)on|mon-blogueur)\.com|ndof(?:internet\.(?:net|org)|theinternet\.org))|l(?:e(?:btimnetz|itungsen)\.de|ikes(?:candy|-pie)\.com|and-4-sale\.us)|m(?:i(?:sconfused\.org|ne\.nu)|yp(?:hotos\.cc|ets\.ws)|erseine\.nu)|w(?:ebhop\.(?:info|biz|net|org)|ritesthisblog\.com|orse-than\.tv)|t(?:eaches-yoga\.com|raeumtgerade\.de|hruhere\.net)|k(?:icks-ass\.(?:net|org)|nowsitall\.info)|o(?:ffice-on-the\.net|n-the-web\.tv)|(?:neat-url|cechire)\.com|podzone\.(?:net|org)|at-band-camp\.net|readmyblog\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016580; rev:1; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; 
pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:2; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_header; 
pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp)\.com|m(?:inecraft\.net|p3\.com)|b(?:eer\.com|log\.net))|curity(?:exploit|tactic)s\.com)|tufftoread\.com|ytes\.net)|m(?:y(?:(?:(?:dissen|effec)t|mediapc|psx)\.net|securitycamera\.(?:com|net|org)|(?:activedirectory|vnc)\.com|ftp\.(?:biz|org))|lbfan\.org|mafan\.biz)|d(?:(?:itchyourip|amnserver|ynns)\.com|dns(?:\.(?:net|me)|king\.com)|ns(?:iskinky\.com|for\.me)|vrcam\.info)|n(?:o(?:-ip\.(?:c(?:o\.uk|a)|info|biz|net|org)|ip\.(?:me|us))|et-freaks\.com|flfan\.org|hlfan\.net)|h(?:o(?:mesecurity(?:ma|p)c\.com|pto\.(?:org|me))|ealth-carereform\.com)|p(?:(?:rivatizehealthinsurance|gafan)\.net|oint(?:2this\.com|to\.us))|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem)\.org|iscofreak\.com)|g(?:o(?:lffan\.us|tdns\.ch)|eekgalaxy\.com)|b(?:logsyte\.com|ounceme\.net|rasilia\.me)|re(?:ad-books\.org|directme\.net)|u(?:nusualperson\.com|fcfan\.org)|w(?:orkisboring\.com|ebhop\.me)|(?:3utiliti|quicksyt)es\.com|eating-organic\.net|ilovecollege\.info|fantasyleague\.cc|loginto\.me|zapto\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016582; rev:3; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:ns(?:d(?:ynamic\.(?:com|net)|\.(?:info|me))|api\.info|get\.org|53\.biz)|dns01\.com)|(?:f(?:lashserv|e100|tp21)|adultdns|mysq1|wow64)\.net|(?:(?:ima|voi)p01|(?:user|ole)32|kadm5)\.com|t(?:tl60\.(?:com|org)|empors\.com|ftpd\.net)|s(?:sh(?:01\.com|22\.net)|ql01\.com)|http(?:(?:s443|01)\.com|80\.info)|n(?:s360\.info|tdll\.net)|x(?:ns01\.com|64\.me)|craftx\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016583; rev:1; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+
+alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:1; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016585; rev:8; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to a *.opengw.net Open VPN Relay Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opengw|03|net|00|"; nocase; fast_pattern:only; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:5; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016587; rev:5; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/^\/search\/[0-9]{64}/U"; classtype:trojan-activity; sid:2016593; rev:5; metadata:created_at 2013_03_18, 
updated_at 2013_03_18;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:6; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:3; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:" Java/"; http_header; content:!"hermesjms.com"; http_header; classtype:trojan-activity; sid:2016598; rev:2; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|peocity|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016600; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rusview|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016601; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|skyruss|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016602; rev:1; metadata:created_at 
2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|commanal|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016603; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|natareport|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016604; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photogellrey|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016605; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|photogalaxyzone|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016606; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|insdet|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016607; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|creditrept|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016608; rev:1; 
metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|pollingvoter|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016609; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dfasonline|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016610; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hudsoninst|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016611; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wsurveymaster|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016612; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nhrasurvey|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016613; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pdi2012|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016614; 
rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|nceba|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016615; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|linkedin-blog|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016616; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|aafbonus|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016617; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|milstars|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016618; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|vatdex|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016619; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|insightpublicaffairs|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; 
sid:2016620; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|applesea|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016621; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledmg|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016622; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|appleintouch|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016623; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|seyuieyahooapis|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016624; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledns|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016625; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|emailserverctr|03|com|00|"; nocase; fast_pattern:only; 
classtype:trojan-activity; sid:2016626; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dailynewsjustin|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016627; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|hi-tecsolutions|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016628; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slashdoc|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016629; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photosmagnum|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016630; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|resume4jobs|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016631; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; 
content:"|0d|searching-job|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016632; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|servagency|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016633; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gsasmartpay|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016634; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tech-att|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016635; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletHigh.jar"; flow:established,to_server; content:"/AppletHigh.jar"; http_uri; content:" Java/1."; http_header; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016639; rev:1; metadata:created_at 2013_03_21, updated_at 2013_03_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:" Java/1."; http_header; 
reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016640; rev:1; metadata:created_at 2013_03_21, updated_at 2013_03_21;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:2016643; rev:4; metadata:created_at 2013_03_21, updated_at 2013_03_21;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:1; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016655; rev:4; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016663; rev:1; metadata:created_at 2013_03_25, updated_at 2013_03_25;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:")).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; 
flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016705; rev:17; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/svchost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/svchost\.exe$/Ui"; classtype:bad-unknown; sid:2016696; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS winlogon.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/winlogon.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlogon\.exe$/Ui"; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/lsass.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lsass\.exe$/Ui"; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:11; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS explorer.exe in URI"; flow:established,to_server; content:"GET"; 
http_method; urilen:<100; content:"/explorer.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/explorer\.exe$/Ui"; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS smss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/smss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/smss\.exe$/Ui"; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS csrss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/csrss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/csrss\.exe$/Ui"; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:11; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS rundll32.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/rundll32.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/rundll32\.exe$/Ui"; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:11; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\/m1[1-6]\.jar$/U"; classtype:trojan-activity; sid:2016708; 
rev:6; metadata:created_at 2013_04_02, updated_at 2013_04_02;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016709; rev:5; metadata:created_at 2013_04_02, updated_at 2013_04_02;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Targeted Tibetan Android Malware C2 Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|android|06|uyghur|04|dnsd|02|me|00|"; nocase; fast_pattern; distance:0; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:trojan-activity; sid:2016711; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; content:"301"; http_stat_code; content:"Moved Permanently"; http_stat_msg; content:"/update/winword.pkg"; http_header; pcre:"/Location\x3A[^\r\n]*\x2Fupdate\x2Fwinword\x2Epkg/H"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016713; rev:1; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016716; rev:4; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016717; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016718; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016719; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern:22,20; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:trojan-activity; sid:2016721; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Fiesta Flash Exploit"; 
flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016726; rev:5; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016733; rev:3; metadata:created_at 2013_04_08, updated_at 2013_04_08;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016734; rev:1; metadata:created_at 2013_04_08, updated_at 2013_04_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016735; rev:2; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016736; rev:2; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016737; 
rev:10; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Citadel Infection or Config URL Request"; flow:established,to_server; content:"/file.php|7C|file="; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:1; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:")).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P[^\x22\x27])(?P(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:trojan-activity; sid:2016751; rev:13; metadata:created_at 2013_04_11, updated_at 2013_04_11;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GrandSoft PDF Payload Download"; flow:established,to_server; content:"User-Agent|3a 20|http|3a|//"; http_header; fast_pattern:only; pcre:"/^GET (?P(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016764; rev:15; metadata:created_at 2013_04_17, updated_at 2018_03_06;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:3; metadata:created_at 2013_04_22, updated_at 2013_04_22;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016781; rev:1; metadata:created_at 2013_04_22, updated_at 2013_04_22;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:2; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
+
+alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient.SakuraPorts; content:"|0d 0a 0d 0a|PK"; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:trojan-activity; sid:2016785; rev:2; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:" Java/1."; fast_pattern:only; content:"GET "; depth:4; pcre:"/^[^\r\n]*\/[0-9]{4}\.html HTTP\/1\./R"; content:".html HTTP/1."; classtype:trojan-activity; sid:2016786; rev:2; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
+
+alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient.SakuraPorts; content:"filename="; pcre:"/^[a-z]{4}\.txt\x0D\x0A/R"; classtype:trojan-activity; sid:2016787; rev:2; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mfunc"; fast_pattern; http_client_body; nocase; distance:0; 
pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/Pi"; classtype:attempted-user; sid:2016788; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mclude"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/Pi"; classtype:attempted-user; sid:2016789; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"dynamic-cached-content"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/Pi"; classtype:attempted-user; sid:2016790; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received"; flow:established,to_client; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P%[A-Fa-f0-9]{2})|(?P[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:trojan-activity; sid:2016791; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; content:"SECID="; fast_pattern:only; content:"SECID="; http_cookie; pcre:"/\?[0-9a-f]{6}$/U"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:6; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016796; rev:4; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:trojan-activity; sid:2016798; rev:3; metadata:created_at 2013_04_29, updated_at 2013_04_29;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; classtype:trojan-activity; sid:2016799; rev:2; metadata:created_at 2013_04_29, updated_at 2013_04_29;)
+
+#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect 
Apr 29 2013"; flow:established,from_server; content:"visibility|3a|hidden"; pcre:"/(?P\d{2})(?P(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_04_30, malware_family Nuclear, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016804; rev:1; metadata:created_at 2013_04_30, updated_at 2013_04_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern:only; classtype:trojan-activity; sid:2016805; rev:2; metadata:created_at 2013_04_30, updated_at 2013_04_30;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; file_data; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:5; metadata:created_at 2013_05_01, updated_at 2013_05_01;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2web."; nocase; distance:2; within:10; 
reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_05_01, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; content:"|55 04 03|"; content:"*.onion."; nocase; distance:2; within:8; pcre:"/^(?:sh|lu|to)/Rsi"; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_05_01, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Possible Redkit 1-4 char JNLP request "; flow:established,to_server; urilen:<11; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; content:!"weather.aero"; http_header; classtype:trojan-activity; sid:2016811; rev:6; metadata:created_at 2013_05_02, updated_at 2013_05_02;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016817; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; 
classtype:trojan-activity; sid:2016818; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016828; rev:4; metadata:created_at 2013_05_07, updated_at 2013_05_07;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:1; metadata:created_at 2013_05_07, updated_at 2013_05_07;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:trojan-activity; sid:2016831; rev:2; metadata:created_at 2013_05_07, updated_at 2013_05_07;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016832; rev:4; metadata:created_at 2013_05_07, updated_at 2013_05_07;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:".zip"; http_uri; pcre:"/\/[a-f0-9]+\.zip$/U"; 
classtype:trojan-activity; sid:2016839; rev:3; metadata:created_at 2013_05_09, updated_at 2013_05_09;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern:only; content:""; content:"[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:trojan-activity; sid:2016840; rev:4; metadata:created_at 2013_05_09, updated_at 2013_05_09;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016852; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016859; rev:1; metadata:created_at 2013_05_16, updated_at 2013_05_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; content:"POST"; http_method; urilen:17; pcre:"/^\/[a-f0-9]{16}$/U"; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"HTTP/1.0|0d 0a|"; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern:only; 
pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\s0\r\nConnection\x3a\sclose\r\n(\r\n)?$/H"; classtype:trojan-activity; sid:2016869; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016896; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:7; metadata:created_at 2013_05_23, updated_at 2013_05_23;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016923; rev:11; metadata:created_at 2013_05_24, updated_at 2013_05_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016924; rev:10; metadata:created_at 2013_05_24, updated_at 2013_05_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; 
reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016925; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern:only; content:").)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016926; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone("; nocase; distance:0; classtype:trojan-activity; sid:2016927; rev:10; metadata:created_at 2013_05_24, updated_at 2013_05_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern:only; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P[^\x22\x27])(?P(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:trojan-activity; sid:2016928; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern:only; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:trojan-activity; sid:2016929; rev:10; metadata:created_at 2013_05_24, updated_at 2013_05_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016930; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain May 28 2013"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016933; rev:2; metadata:created_at 2013_05_28, updated_at 2013_05_28;) + +alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; content:"
                ]*?>((?P%[A-Fa-f0-9]{2})|(?P[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version|3a 22|0.8.0|22|"; distance:0; nocase; classtype:trojan-activity; sid:2016942; rev:5; metadata:created_at 2013_05_29, updated_at 2013_05_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET [81:90,9090] (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:" Java/1."; content:".pkg HTTP/1."; nocase; pcre:"/^[^\r\n]+?\/\d+\.pkg HTTP\/1\./i"; classtype:trojan-activity; sid:2016943; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;) + +alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:trojan-activity; sid:2016945; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html HTTP/"; fast_pattern; offset:37; depth:11; content:"GET /"; depth:5; pcre:"/^[0-9a-f]{32}\.html HTTP\/1\./R"; content:"Referer|3a|"; classtype:bad-unknown; sid:2016952; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_05_31, malware_family Nuclear, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern:only; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:trojan-activity; sid:2016964; rev:1; metadata:created_at 2013_06_03, updated_at 2013_06_03;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Metasploit 
Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016965; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_06_03, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET [81:90,443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; content:"a5chZev!"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016966; rev:7; metadata:created_at 2013_06_03, updated_at 2013_06_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016970; rev:3; metadata:created_at 2013_06_04, updated_at 2013_06_04;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (9)"; flow:established,to_server; content:".txt?f="; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?f=\d+$/U"; classtype:trojan-activity; sid:2016976; rev:8; metadata:created_at 2013_06_05, updated_at 2013_06_05;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:5; metadata:created_at 
2013_06_11, updated_at 2013_06_11;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:6; metadata:created_at 2013_06_12, updated_at 2013_06_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:1; metadata:created_at 2013_06_12, updated_at 2013_06_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Glazunov EK Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:trojan-activity; sid:2017011; rev:4; metadata:created_at 2013_06_12, updated_at 2013_06_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm (jvm.dll) Requested Over WeBDAV"; flow:established,to_server; content:"/jvm.dll"; http_uri; fast_pattern:only; pcre:"/\/jvm\.dll$/U"; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:3; metadata:created_at 2013_06_13, updated_at 2013_06_13;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern:only; classtype:trojan-activity; 
sid:2017014; rev:1; metadata:created_at 2013_06_13, updated_at 2013_06_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017016; rev:4; metadata:created_at 2013_06_13, updated_at 2013_06_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017017; rev:3; metadata:created_at 2013_06_13, updated_at 2013_06_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017018; rev:3; metadata:created_at 2013_06_13, updated_at 2013_06_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_header; content:"/.cache/?f|3d|"; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017019; rev:1; metadata:created_at 2013_06_14, updated_at 2013_06_14;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_header; classtype:trojan-activity; sid:2017020; rev:10; metadata:created_at 2013_06_14, updated_at 2013_06_14;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern:only; 
pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017022; rev:2; metadata:created_at 2013_06_17, updated_at 2013_06_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern:only; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017023; rev:5; metadata:created_at 2013_06_17, updated_at 2013_06_17;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017024; rev:3; metadata:created_at 2013_06_17, updated_at 2013_06_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:trojan-activity; sid:2017028; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:trojan-activity; sid:2017029; rev:3; metadata:created_at 2013_06_18, updated_at 2013_06_18;) + 
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:trojan-activity; sid:2017030; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:trojan-activity; sid:2017031; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:2017034; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?//"; http_header; fast_pattern:only; pcre:"/^Referer\x3a\x20[^\r\n]+\/((index|toc)\.html?)?\?\/\//Hmi"; 
reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:1; metadata:created_at 2013_06_20, updated_at 2013_06_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017038; rev:1; metadata:created_at 2013_06_20, updated_at 2013_06_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:2; metadata:created_at 2013_06_20, updated_at 2013_06_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:trojan-activity; sid:2017040; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern:only; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2017041; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017042; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS 
Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017043; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017044; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:trojan-activity; sid:2017055; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:trojan-activity; sid:2017056; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Botkill command"; 
flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:").)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017064; rev:18; metadata:created_at 2013_06_25, updated_at 2013_06_25;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Pony Loader default URI struct"; flow:to_server,established; content:"GET"; http_method; content:"/pony"; http_uri; fast_pattern:only; content:"/gate.php"; http_uri; nocase; classtype:trojan-activity; sid:2017065; rev:3; metadata:created_at 2013_06_25, updated_at 2013_06_25;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; content:"/?wps="; http_uri; fast_pattern:only; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017068; rev:1; metadata:created_at 2013_06_26, updated_at 2013_06_26;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern:only; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017069; rev:1; metadata:created_at 2013_06_26, updated_at 2013_06_26;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit XOR 
decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:trojan-activity; sid:2017071; rev:2; metadata:created_at 2013_06_26, updated_at 2013_06_26;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern:only; content:"<|22|+"; pcre:"/^(?P.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:trojan-activity; sid:2017070; rev:1; metadata:created_at 2013_06_27, updated_at 2013_06_27;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:""; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:trojan-activity; sid:2020975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_04_22, malware_family Nuclear, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern:only; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; 
pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P[^\s,\x29]+)\s*?,\s*?(?P[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:trojan-activity; sid:2020979; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"some"; fast_pattern:only; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:trojan-activity; sid:2020980; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".swf"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/Hm"; file_data; content:"WS"; within:3; classtype:trojan-activity; sid:2020981; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".xap"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; classtype:trojan-activity; sid:2020982; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; 
classtype:trojan-activity; sid:2020983; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020984; rev:1; metadata:created_at 2015_04_23, updated_at 2017_04_04;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern:only; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:trojan-activity; sid:2020985; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_24, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; 
content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:trojan-activity; sid:2020987; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern:only; pcre:"/\/street[1-5]\.php$/U"; classtype:trojan-activity; sid:2020988; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern:only; pcre:"/\/XV-\d+\.exe$/U"; classtype:trojan-activity; sid:2020989; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing T1 M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:trojan-activity; sid:2020990; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ).exe$/U"; classtype:trojan-activity; sid:2020991; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2020992; rev:1; 
metadata:created_at 2015_04_24, updated_at 2015_04_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:trojan-activity; sid:2020994; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; depth:3; content:"/%20http%3A%2F"; distance:0; nocase; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/%20http%3A%2F/i"; classtype:trojan-activity; sid:2021033; rev:3; metadata:created_at 2015_04_29, updated_at 2015_04_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET "; depth:4; content:"/5/"; distance:0; content:"/"; distance:32; within:1; content:"http%3A%2F%2F"; within:17; content:"|20|HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^GET [^\s]*?\/5\/[a-f0-9]{32}\/%20http%3A%2F%2F/i"; classtype:trojan-activity; sid:2021034; rev:2; metadata:created_at 2015_04_29, updated_at 2015_04_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Java Exploit URI Struct 
April 29 2015"; flow:established,to_server; content:"GET"; depth:3; content:"|20|HTTP/1."; distance:0; content:"Java/"; distance:0; fast_pattern; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)? HTTP\/1\./"; classtype:trojan-activity; sid:2021035; rev:4; metadata:created_at 2015_04_29, updated_at 2015_04_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"|20|/"; offset:3; depth:3; content:"/5/"; fast_pattern; distance:0; content:"HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^[A-Z]{3,4} [^\s]*?\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)? HTTP\/1\.[01]\r\n/"; classtype:trojan-activity; sid:2021036; rev:5; metadata:created_at 2015_04_29, updated_at 2015_04_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"GET"; depth:3; content:"/5/"; distance:0; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})? 
HTTP\/1\./"; content:"Referer|3a 20|"; distance:0; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r/R"; classtype:trojan-activity; sid:2021037; rev:6; metadata:created_at 2015_04_29, updated_at 2015_04_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; depth:4; content:"0/"; distance:0; content:"|20|HTTP/1."; distance:0; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; distance:0; fast_pattern:21,20; content:"%"; distance:0; pcre:"/^POST \/[a-z]+\/[a-z]+\//"; content:"|0d 0a 0d 0a|"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/R"; classtype:trojan-activity; sid:2021038; rev:5; metadata:created_at 2015_04_29, updated_at 2015_04_29;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:trojan-activity; sid:2021039; rev:1; metadata:created_at 2015_04_29, updated_at 2015_04_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:2; content:"|20|HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^GET [^\s]*?\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/? 
HTTP\/1\.[01]\r\n/"; content:"/%20http%3A%2F"; distance:0; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021042; rev:4; metadata:created_at 2015_04_30, updated_at 2015_04_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021044; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021045; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:trojan-activity; sid:2021046; rev:1; metadata:created_at 2015_05_01, updated_at 2015_05_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; 
content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:trojan-activity; sid:2021047; rev:1; metadata:created_at 2015_05_01, updated_at 2015_05_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:trojan-activity; sid:2021048; rev:1; metadata:created_at 2015_05_01, updated_at 2015_05_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:trojan-activity; sid:2021054; rev:1; metadata:created_at 2015_05_04, updated_at 2015_05_04;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"Content-Type|3a 20|application/postscript|0d 0a|"; fast_pattern:18,20; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; content:"Content-Disposition|3a 20|inline|3b| filename="; pcre:"/^[a-z]{10}\.[a-z]{3}\r\n\r\n/R"; classtype:trojan-activity; sid:2021064; rev:2; metadata:created_at 2015_05_07, updated_at 2015_05_07;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"JnB3ZD"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;) 
+ +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"Zwd2Q9"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"mcHdkP"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021090; rev:3; metadata:created_at 2015_05_12, updated_at 2015_05_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:1; metadata:created_at 2015_05_13, updated_at 2015_05_13;) + +alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:1; metadata:created_at 2015_05_13, updated_at 2015_05_13;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021110; rev:1; metadata:created_at 2015_05_16, updated_at 2015_05_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:trojan-activity; sid:2021136; rev:1; metadata:created_at 2015_05_21, updated_at 2015_05_21;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern:only; content:"classid"; nocase; 
pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021137; rev:2; metadata:created_at 2015_05_21, updated_at 2015_05_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"/stat/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:trojan-activity; sid:2021141; rev:1; metadata:created_at 2015_05_22, updated_at 2015_05_22;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_26, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS suspicious VBE-encoded script (seen in Sundown EK)"; 
flow:established,from_server; file_data; content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021169; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 2 2015"; flow:established,from_server; file_data; content:"<title>WARNING|3a| INTERNET SECURITY ALERT"; nocase; fast_pattern; content:"function myFunction|28 29|"; nocase; distance:0; content:"Due to Suspicious Activity"; nocase; distance:0; classtype:trojan-activity; sid:2021177; rev:1; metadata:created_at 2015_06_03, updated_at 2015_06_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M1"; flow:established,to_client; file_data; content:"MICROSOFT WINDOWS SECURITY ALERT"; nocase; fast_pattern; content:"WARNING: VIRUS CHECK"; nocase; distance:0; classtype:trojan-activity; sid:2021181; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M2"; flow:established,to_client; file_data; content:"WARNING: VIRUS CHECK"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"There is a .net frame work file missing due to some harmfull virus"; nocase; distance:0; classtype:trojan-activity; sid:2021182; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"Advised System Support!"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; classtype:trojan-activity; 
sid:2021183; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"INTERNET BROWSER PROCESS WARNING ERROR"; nocase; fast_pattern:33,20; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:trojan-activity; sid:2021206; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"Norton Firewall Warning"; fast_pattern:18,20; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:trojan-activity; sid:2021207; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:trojan-activity; sid:2021217; rev:1; metadata:created_at 2015_06_09, updated_at 2015_06_09;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern:only; content:"long2str"; nocase; content:"str2long"; nocase; classtype:trojan-activity; sid:2021218; rev:2; metadata:created_at 2015_06_09, updated_at 2015_06_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern:only; content:"/index.html"; 
http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:trojan-activity; sid:2021219; rev:3; metadata:created_at 2015_06_09, updated_at 2015_06_09;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:trojan-activity; sid:2022341; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_01_07, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7"; flow:to_server,established; content:"GET"; http_method; content:"/wp-"; http_uri; depth:4; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,ET.wpphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025696; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Perimeter, deployment Datacenter, tag Phishing, tag Wordpress, signature_severity Major, created_at 2016_01_07, updated_at 2018_07_13;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016"; flow:to_client,established; content:"302"; http_stat_code; content:"|0d 0a|Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"|0d 0a|location|3a 20|"; nocase; pcre:"/^[a-f0-9]{32}(?:\/index\.php)?\x0d\x0a/R"; flowbits:isset,ET.wpphish; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025671; rev:3; metadata:affected_product Wordpress, affected_product 
Wordpress_Plugins, attack_target Web_Server, deployment Perimeter, deployment Datacenter, tag Phishing, tag Wordpress, signature_severity Major, created_at 2016_01_07, updated_at 2018_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:trojan-activity; sid:2022349; rev:1; metadata:created_at 2016_01_11, updated_at 2016_01_11;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"SECURITY WARNING"; fast_pattern:3,20; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; classtype:trojan-activity; sid:2022364; rev:1; metadata:created_at 2016_01_14, updated_at 2016_01_14;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern:6,20; distance:0; content:"myFunction()|3b|"; classtype:trojan-activity; sid:2022365; rev:2; metadata:created_at 2016_01_14, updated_at 2016_01_14;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET 
CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern:5,20; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; classtype:trojan-activity; sid:2022366; rev:1; metadata:created_at 2016_01_14, updated_at 2016_01_14;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"email"; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024554; rev:6; metadata:created_at 2016_01_14, updated_at 2017_10_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"user"; nocase; http_client_body; content:"pass"; nocase; http_client_body; fast_pattern; content:!"useragent"; nocase; http_client_body; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024555; rev:6; metadata:created_at 2016_01_14, updated_at 2018_01_26;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14 2016"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Location|3a 20|http"; nocase; fast_pattern; http_header; content:"Location|3a 20|http"; nocase; 
pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:a(?:m(?:ericanexpress|azon)|(?:dob|ppl)e|libaba|ol)|r(?:e(?:gions|max)|bcroyalbank)|f(?:irst-online|acebook|edex)|m(?:icrosoft(?:online)?|atch)|u(?:s(?:bank|aa|ps)|ps)|(?:technologyordi|googl)e|na(?:twest|ver)|d(?:ropbox|hl)|yahoo(?:mail)?|1(?:26|63)|keybank|qq)\.com|i(?:n(?:t(?:ertekgroup\.org|uit\.com)|vestorjunkie\.com|g\.(?:be|nl))|c(?:icibank\.com|scards\.nl)|mpots\.gouv\.fr|rs\.gov)|c(?:(?:h(?:ristianmingl|as)e|apitalone(?:360)?|ibcfcib|panel)\.com|om(?:mbank\.com\.au|cast\.net)|redit-agricole\.fr)|b(?:a(?:nkofamerica\.com|rclays\.co\.uk)|(?:igpond|t)\.com|luewin\.ch)|o(?:(?:utlook|ffice)\.com|range\.(?:co\.uk|fr)|nline\.hmrc\.gov\.uk)|s(?:(?:(?:aatchiar|untrus)t|c)\.com|ecure\.lcl\.fr|parkasse\.de)|h(?:a(?:lifax(?:-online)?\.co\.uk|waiiantel\.net)|otmail\.com)|p(?:(?:rimelocation|aypal)\.com|ostbank\.de)|l(?:i(?:nkedin|ve)\.com|abanquepostale\.fr)|we(?:llsfargo\.com|stpac\.co\.nz)|etisalat\.ae)\/?/Ri"; content:!"domain=.facebook.com|3b|"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025005; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_14, updated_at 2017_11_16;) + +#alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022372; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_19, updated_at 2016_11_11;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Chrome Extension Phishing HTTP Request"; flow:to_server,established; content:"Host|3a| chrome-extension."; http_header; reference:url,www.seancassidy.me/lostpass.html; 
classtype:trojan-activity; sid:2022373; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_19, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; content:"GET"; http_method; content:"/tabDialog.html?dialog=login"; http_uri; fast_pattern:only; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022374; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_19, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern:only; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:1; metadata:created_at 2016_01_19, updated_at 2016_01_19;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern:7,20; content:"contact Microsoft Support"; nocase; distance:0; classtype:trojan-activity; sid:2022409; rev:1; metadata:created_at 2016_01_26, updated_at 2016_01_26;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; 
nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; classtype:trojan-activity; sid:2022410; rev:1; metadata:created_at 2016_01_26, updated_at 2016_01_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:trojan-activity; sid:2022464; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_01_27, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,ET.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; classtype:trojan-activity; sid:2022465; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_01_27, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Keitaro TDS Redirect"; flow:established,from_server; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; nocase; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/Hs"; content:"Cache-Control|3a 20|max-age=0|0d 
0a|Pragma|3a 20|no-cache|0d 0a|"; classtype:bad-unknown; sid:2022466; rev:4; metadata:created_at 2016_01_27, updated_at 2017_02_22;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:2022479; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_01, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern:2,20; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_02, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022484; rev:2; metadata:created_at 2016_02_02, updated_at 2017_08_01;)
+
+alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Phishing Landing via GetGoPhish Phishing Tool"; flow:to_server,established; content:"GET"; http_method; content:"?rid="; http_uri; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}$/Ui"; content:!"xerox.com|0d 0a|"; http_header; reference:url,getgophish.com; classtype:trojan-activity; sid:2022486; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_03, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; content:"POST"; http_method; content:"?rid="; http_header; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/Hi"; content:!"xerox.com|0d 0a|"; http_header; reference:url,getgophish.com; classtype:trojan-activity; sid:2022487; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_03, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; content:"/?keyword="; http_uri; fast_pattern:only; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/U"; classtype:trojan-activity; sid:2022493; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_05, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:trojan-activity; sid:2022496; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_08, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Feb 06 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"id="; depth:3; nocase; http_client_body; content:"&password="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022497; rev:2; metadata:created_at 2016_02_08, updated_at 2017_10_02;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Feb 06 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"fName="; depth:6; nocase; http_client_body; content:"&lName="; nocase; http_client_body; distance:0; content:"&ZIPCode="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022498; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_08, updated_at 2017_10_13;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M3 Feb 06 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"ccNum="; depth:6; nocase; http_client_body; content:"&NameOnCard="; nocase; http_client_body; distance:0; content:"&CVV="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022499; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_08, updated_at 2017_10_13;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; 
content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/U"; classtype:trojan-activity; sid:2022500; rev:4; metadata:created_at 2016_02_10, updated_at 2016_02_10;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Feb 09 2016"; flow:to_client,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"|0d 0a|location|3a 20|"; fast_pattern; http_header; content:"|0d 0a|location|3a 20|"; pcre:"/^[a-f0-9]{32}\??\x0d\x0a/Ri"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025006; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_10, updated_at 2017_11_16;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:15<>50; content:"MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:!"="; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; pcre:"/\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}$/U"; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2022503; rev:1; metadata:created_at 2016_02_10, updated_at 2016_02_10;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern:5,20; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an 
exit"; nocase; distance:0; classtype:trojan-activity; sid:2022525; rev:1; metadata:created_at 2016_02_16, updated_at 2016_02_16;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern:6,20; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; classtype:trojan-activity; sid:2022526; rev:1; metadata:created_at 2016_02_16, updated_at 2016_02_16;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern:3,20; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; classtype:trojan-activity; sid:2022527; rev:1; metadata:created_at 2016_02_16, updated_at 2016_02_16;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function main_alert"; nocase; fast_pattern; content:"WARNING"; nocase; distance:0; content:"Your hard drive will be DELETED"; nocase; distance:0; content:"To Stop This Process"; nocase; distance:0; classtype:trojan-activity; sid:2022528; rev:1; metadata:created_at 2016_02_16, updated_at 2016_02_16;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Feb 17"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 
20|text/html"; http_header; file_data; content:"keyframes poplzatvci"; fast_pattern; content:"#lzatvciovlwmiiqxbwxywuerkhtunrlvherk"; nocase; distance:0; classtype:trojan-activity; sid:2022530; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dridex DL Pattern Feb 18 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe?."; http_uri; fast_pattern:only; pcre:"/\.exe\?\.\d+$/U"; content:"MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022549; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; 
pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/Ui"; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!".bitdefender.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022550; rev:13; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_02_18, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chalbhai Phishing Landing Feb 18 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"name=|22|chalbhai|22|"; fast_pattern; nocase; content:"id=|22|chalbhai|22|"; nocase; content:"method=|22|post|22|"; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025654; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_19, updated_at 2018_07_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 
any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:trojan-activity; sid:2022565; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_24, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:7; content:"/xLMCJ4"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_25, updated_at 2017_11_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!"leg1.state.va.us"; http_header; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; 
sid:2022566; rev:4; metadata:created_at 2016_02_25, updated_at 2017_03_17;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:trojan-activity; sid:2022567; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_25, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"&address"; nocase; fast_pattern; http_client_body; content:"&cc"; nocase; http_client_body; content:"&cvv"; nocase; http_client_body; distance:0; content:"&ssn"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024556; rev:3; metadata:created_at 2016_02_29, updated_at 2017_10_13;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:5; content:"/5c2C"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025039; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_29, updated_at 2017_11_27;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam 
Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:trojan-activity; sid:2022574; rev:2; metadata:created_at 2016_02_29, updated_at 2016_08_26;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M1 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"helpdesk"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022575; rev:1; metadata:created_at 2016_02_29, updated_at 2016_02_29;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M2 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorcode"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022576; rev:1; metadata:created_at 2016_02_29, updated_at 2016_02_29;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phishing Landing Obfuscation Mar 01 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"unescape=function"; fast_pattern; content:"replace(new RegExp(|22|%26|22|, |22|g|22|), |22|&|22|)|3b|"; nocase; distance:0; content:"replace(new RegExp(|22|%3B|22|, |22|g|22|), |22 3b 22|)|3b|"; nocase; distance:0; content:"document.write"; nocase; distance:0; content:"replace(|27|<!--?--><?"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022578; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, 
tag Phishing, signature_severity Major, created_at 2016_03_01, updated_at 2017_10_13;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M1 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorfound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022591; rev:1; metadata:created_at 2016_03_03, updated_at 2016_03_03;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M2 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unattendedfile"; fast_pattern; distance:0; nocase; 
pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022592; rev:1; metadata:created_at 2016_03_03, updated_at 2016_03_03;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M3 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"internetsituation"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022593; rev:1; metadata:created_at 2016_03_03, updated_at 2016_03_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing - Data URI Inline Javascript Mar 07 2016"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; distance:0; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; metadata: former_category CURRENT_EVENTS; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022597; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_07, updated_at 2017_10_13;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam Mar 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; nocase; content:"function myFunction()"; pcre:"/^\s*?\{\s*?setInterval\s*?\(\s*?function/Rsi"; content:"alert2.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022602; rev:1; metadata:created_at 2016_03_07, updated_at 2016_03_07;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support 
Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022603; rev:1; metadata:created_at 2016_03_08, updated_at 2016_03_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:trojan-activity; sid:2022604; rev:3; metadata:created_at 2016_03_08, updated_at 2017_10_13;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M1"; flow:established,from_server; file_data; content:"Callpixels"; fast_pattern; nocase; pcre:"/^\s*?\.\s*?Campaign\s*?\(\s*?\{\s*?campaign_key/Rsi"; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022605; rev:1; metadata:created_at 2016_03_09, updated_at 2016_03_09;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M2"; flow:established,from_server; file_data; content:"//Flag we have not"; fast_pattern; nocase; content:"//The location of the page that we will load on a second pop"; nocase; distance:0; content:"//figure out 
what to use for default number"; nocase; distance:0; content:"//allow for the traffic source to send in their own default number"; nocase; distance:0; content:"//if no unformatted number just use it"; nocase; distance:0; classtype:trojan-activity; sid:2022606; rev:1; metadata:created_at 2016_03_09, updated_at 2016_03_09;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M3"; flow:established,from_server; file_data; content:"<title>ALERT"; fast_pattern; content:"makeNewPosition"; nocase; distance:0; content:"animateDiv"; nocase; distance:0; content:"div.fakeCursor"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:trojan-activity; sid:2022607; rev:1; metadata:created_at 2016_03_09, updated_at 2016_03_09;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 9 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function myFunction"; nocase; fast_pattern; content:"MICROSOFT COMPUTER HAS BEEN BLOCKED"; nocase; distance:0; content:"Windows System Alert"; nocase; distance:0; content:"Contact Microsoft"; nocase; distance:0; classtype:trojan-activity; sid:2022608; rev:1; metadata:created_at 2016_03_09, updated_at 2016_03_09;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Chase Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022615; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, 
created_at 2016_03_14, updated_at 2017_11_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Apple Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"apple.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022616; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_14, updated_at 2017_11_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible USAA Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022617; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_14, updated_at 2017_11_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022618; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, 
created_at 2016_03_14, updated_at 2017_11_17;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; classtype:trojan-activity; sid:2022619; rev:1; metadata:created_at 2016_03_15, updated_at 2016_03_15;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:trojan-activity; sid:2022620; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_15, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:trojan-activity; sid:2022621; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag 
Redirector, signature_severity Major, created_at 2016_03_15, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; content:"/image/"; http_uri; depth:13; content:".exe"; http_uri; fast_pattern:only; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/Ui"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022622; rev:1; metadata:created_at 2016_03_16, updated_at 2016_03_16;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"suspiciousactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022625; rev:1; metadata:created_at 2016_03_16, updated_at 2016_03_16;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:trojan-activity; sid:2022628; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_18, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 
65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:trojan-activity; sid:2022629; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_19, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:trojan-activity; sid:2022630; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_19, updated_at 2016_07_01;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorunauthorized"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022631; rev:1; metadata:created_at 2016_03_21, updated_at 2016_03_21;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"drivercrashed"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022632; rev:1; metadata:created_at 2016_03_21, updated_at 2016_03_21;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"computer-is-locked"; fast_pattern; distance:0; nocase; 
pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022633; rev:1; metadata:created_at 2016_03_21, updated_at 2016_03_21;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:trojan-activity; sid:2022635; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_22, updated_at 2016_07_01;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unauthorized-transaction"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022648; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:trojan-activity; sid:2022649; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)
+
+alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download Mar 23 2016"; flow:to_server,established; content:"GET"; http_method; content:"/dana/home.php"; http_uri; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"MSIE 7.0"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\/home\.php$/U"; reference:md5,2f32bf996e093d5a4107d6daa6c51ec4; classtype:trojan-activity; sid:2022650; rev:2; metadata:created_at 2016_03_24, updated_at 2016_10_04;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Flash Update Mar 23"; flow:established,to_client; file_data; content:"<title>Flash"; nocase; fast_pattern; content:"#prozor"; nocase; distance:0; content:"#dugme"; nocase; distance:0; content:"Latest version of Adobe"; nocase; distance:0; classtype:trojan-activity; sid:2022651; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"WinHttp.WinHttpRequest."; http_header; 
pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; content:!"download.nai.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022658; rev:4; metadata:created_at 2016_03_24, updated_at 2016_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:trojan-activity; sid:2022666; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_28, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; 
http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:trojan-activity; sid:2022682; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_29, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Microsoft BITS/7.5|0d 0a|"; http_header; fast_pattern:12,20; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+(?:xyz|pw)\r?$/Hmi"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:3; metadata:created_at 2016_03_30, updated_at 2016_03_30;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"diskissue"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022690; rev:1; metadata:created_at 2016_03_30, updated_at 2016_03_30;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"avirus"; fast_pattern; distance:0; nocase; content:!"|07|spotify|03|com"; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022691; rev:2; metadata:created_at 2016_03_30, updated_at 2016_03_30;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 1"; 
flow:established,to_client; file_data; content:"<title>SYSTEM ERROR WARNING"; fast_pattern; nocase; content:"function loadNumber"; nocase; distance:0; content:"campaign_key:"; nocase; distance:0; classtype:trojan-activity; sid:2022695; rev:1; metadata:created_at 2016_04_01, updated_at 2016_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains Apr 4 M4"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"username"; nocase; http_client_body; fast_pattern; content:"pass"; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)\r\n/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025000; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_04_04, updated_at 2017_11_17;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"callasap"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022696; rev:1; metadata:created_at 2016_04_04, updated_at 2016_04_04;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; classtype:trojan-activity; sid:2022697; rev:1; metadata:created_at 
2016_04_04, updated_at 2016_04_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:trojan-activity; sid:2022724; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_12, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:trojan-activity; sid:2022725; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_12, updated_at 2016_07_01;)
+
+alert tcp any !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2; metadata:created_at 2016_04_14, updated_at 2016_04_14;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputer"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; 
classtype:trojan-activity; sid:2022739; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unusualactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022740; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yoursystem"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022741; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"howcanwehelp"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022742; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"bluescreen"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022743; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"cloud-on"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; 
classtype:trojan-activity; sid:2022744; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"call-now"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022745; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:trojan-activity; sid:2022751; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_20, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:trojan-activity; sid:2022752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_21, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022770; rev:1; metadata:affected_product 
Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_27, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022771; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_27, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern:only; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:trojan-activity; sid:2022772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_28, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern:only; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 
73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:trojan-activity; sid:2022774; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_29, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern:17,20; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:trojan-activity; sid:2022779; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_05_03, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam May 10"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive Safety"; nocase; content:"myFunction()"; content:"Warning|3a| Internet Security Damaged"; content:"err.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022802; rev:1; metadata:created_at 2016_05_11, updated_at 2016_05_11;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; 
fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:trojan-activity; sid:2022805; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_05_13, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M1 May 16"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025677; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_05_16, updated_at 2018_07_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M2 May 16"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Email Upgrade"; nocase; fast_pattern; content:"Confirm your account"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025676; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_05_16, updated_at 2018_07_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Mozilla/4.0|20|(compatible|3b|)"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; 
pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:1; metadata:created_at 2016_05_19, updated_at 2016_05_19;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN May 2016 (No UA)"; flow:established,to_server; content:"GET"; http_method; content:"/system/"; depth:8; http_uri; nocase; fast_pattern; pcre:"/^\/system\/(?:cache|logs)\/[^\x2f]+\.(?:exe|dll|doc|bin)$/Ui"; content:!"Referer|3a 20|"; http_header; reference:md5,c6747ca29d5c28f4349a5a8343d6b025; classtype:trojan-activity; sid:2022834; rev:3; metadata:created_at 2016_05_24, updated_at 2016_05_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible ReactorBot .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; 
content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:1; metadata:created_at 2016_05_27, updated_at 2016_05_27;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"System Official"; nocase; fast_pattern:2,20; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; classtype:trojan-activity; sid:2022853; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M5 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// escape function context"; nocase; content:"// necessary to prevent infinite loop"; nocase; distance:0; content:"// that kills your browser"; nocase; distance:0; fast_pattern:6,20; content:"// pressing leave will still leave, but the GET may be fired first anyway"; nocase; distance:0; classtype:trojan-activity; sid:2022854; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; 
pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; classtype:trojan-activity; sid:2022855; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script to pull the number yet"; nocase; content:"// alert the visitor"; fast_pattern; nocase; distance:0; content:"// repeat alert, whatever you want them to see"; nocase; distance:0; content:"// end function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022856; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function countdown"; nocase; content:"function loadNumber"; nocase; distance:0; content:"function main_alert"; nocase; distance:0; fast_pattern; content:"function repeat_alert"; nocase; distance:0; content:"function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022857; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:to_server,established; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:6,20; content:".exe"; http_uri; nocase; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; metadata: former_category CURRENT_EVENTS; classtype:misc-activity; sid:2022858; rev:2; metadata:created_at 2016_06_03, updated_at 2017_12_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector 
Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022859; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_03, updated_at 2017_05_08;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern:77,20; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:trojan-activity; sid:2022869; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_06, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 8 2016"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"&email="; nocase; fast_pattern; http_uri; content:"&pass"; nocase; distance:0; http_uri; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024557; rev:3; metadata:created_at 2016_06_08, updated_at 2017_10_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS 
SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; content:".exe"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:1; metadata:created_at 2016_06_09, updated_at 2016_06_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; content:!"sync-eu.exe.bid"; http_header; classtype:trojan-activity; sid:2022894; rev:4; metadata:created_at 2016_06_13, updated_at 2016_06_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022895; rev:2; metadata:created_at 2016_06_13, updated_at 2016_06_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; content:".exe"; nocase; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2022896; rev:4; metadata:created_at 2016_06_14, updated_at 2017_02_17;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 14 2016"; flow:established,from_server;file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R";content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:trojan-activity; sid:2022898; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_15, updated_at 2016_08_19;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern:only; content:"campaigns"; http_cookie; classtype:trojan-activity; sid:2022904; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_16, updated_at 2016_07_01;) + 
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; metadata: former_category CURRENT_EVENTS; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:trojan-activity; sid:2022905; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_06_17, updated_at 2017_10_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern:only; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:trojan-activity; sid:2022909; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_22, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern:only; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:trojan-activity; sid:2022910; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, 
tag Redirector, signature_severity Major, created_at 2016_06_22, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:trojan-activity; sid:2022916; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_06_26, performance_impact Low, updated_at 2016_08_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jun 29 2016"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"has been blocked"; http_header; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022925; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_06_29, performance_impact Low, updated_at 2017_08_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx508"; fast_pattern; nocase; content:"Warning_0001"; nocase; distance:0; classtype:trojan-activity; sid:2022926; rev:1; metadata:created_at 2016_06_29, updated_at 2016_06_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M3"; flow:to_server,established; content:"GET"; http_method; content:"your-computer-is-locked-"; nocase; http_uri; fast_pattern; content:"your-computer-is-locked-"; http_uri; distance:0; nocase; classtype:trojan-activity; sid:2022927; rev:1; metadata:created_at 2016_06_29, 
updated_at 2016_06_29;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"Warning|3a 20|Internet Security"; nocase; distance:0; classtype:trojan-activity; sid:2022928; rev:1; metadata:created_at 2016_06_29, updated_at 2016_06_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; content:".dll"; http_uri; fast_pattern:only; pcre:"/\/pm\d?\.dll$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2017_01_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:1; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 
(dll generic custom headers)"; flow:established,to_server; content:".dll"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:1; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 
2016_07_05;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern:12,20; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:trojan-activity; sid:2023480; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_06, malware_family SunDown, updated_at 2016_11_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:trojan-activity; sid:2022954; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_07, performance_impact Low, updated_at 2016_07_07;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:trojan-activity; sid:2022955; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_07, performance_impact Low, updated_at 2016_07_07;) + +alert 
tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:trojan-activity; sid:2022956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_11, performance_impact Low, updated_at 2016_07_11;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022957; rev:1; metadata:created_at 2016_07_11, updated_at 2016_07_11;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:trojan-activity; sid:2022962; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_12, malware_family PsuedoDarkLeech, updated_at 2016_07_12;) + +alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:trojan-activity; sid:2022964; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_13, performance_impact Low, updated_at 2016_07_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google Drive/Dropbox Phish Nov 20 2016"; flow:to_server,established; content:"POST"; http_method; content:"mailtype="; depth:9; nocase; http_client_body; fast_pattern; content:"&Email"; distance:0; nocase; http_client_body; content:"&Passwd"; distance:0; nocase; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022967; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_13, performance_impact Low, updated_at 2017_10_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"email"; fast_pattern; nocase; http_client_body; content:"pwd"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024558; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_14, performance_impact Low, updated_at 2017_10_13;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious SMTP Settings in XLS - Possible Phishing Document"; 
flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:trojan-activity; sid:2022974; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_18, performance_impact Low, updated_at 2017_10_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish M1 Jul 21 2016"; flow:to_server,established; content:"POST"; http_method; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&forgotPassword="; nocase; distance:0; http_client_body; content:"&lat="; nocase; distance:0; http_client_body; content:"&userName="; nocase; distance:0; http_client_body; fast_pattern; content:"&password="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022978; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2017_10_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish M2 Jul 21 2016"; flow:to_server,established; content:"POST"; http_method; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&bankId="; fast_pattern; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; 
http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&q1="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022979; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2017_10_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M1"; flow:to_server,established; content:"GET"; http_method; content:"/your-computer-is-locked-call-us-at-tollfreenow"; fast_pattern:27,20; nocase; http_uri; content:"your-computer-is-locked-call-us-at-tollfreenow"; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2022980; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2016_07_21;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; classtype:trojan-activity; sid:2022981; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2016_07_21;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Settings Phishing Landing Jul 22 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Windows Settings"; fast_pattern; 
nocase; distance:0; content:"Enter account password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024098; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2016_07_22, performance_impact Low, updated_at 2017_10_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server;content:!".exe"; http_uri; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/U"; content:"|3a 20|Microsoft BITS"; http_header; fast_pattern:only; content:!".microsoft.com|0d 0a|"; http_header; nocase; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_26, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_08_10;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:trojan-activity; sid:2022984; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_26, performance_impact Low, updated_at 2016_07_26;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; content:"yatutuzebil"; http_cookie; classtype:trojan-activity; 
sid:2022990; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_28, performance_impact Low, updated_at 2016_07_28;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:trojan-activity; sid:2022991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2016_07_29;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jul 29 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern:2,20; content:"alertCall"; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022992; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2017_09_28;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern:34,20; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; 
distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; classtype:trojan-activity; sid:2022993; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2016_07_29;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:trojan-activity; sid:2022994; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2016_07_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_30, updated_at 2016_07_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Mobile Phishing Landing Aug 1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"content=|22|Please verify"; nocase; content:"<meta name=|22|apple-mobile"; nocase; 
distance:0; content:"<title>Wells Fargo"; fast_pattern; nocase; distance:0; content:"your account is disabled"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025670; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_01, performance_impact Low, updated_at 2018_07_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:trojan-activity; sid:2022998; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_08_01, performance_impact Low, updated_at 2016_08_01;) + +alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24] 80 (msg:"ET CURRENT_EVENTS EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern:4,20; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; classtype:trojan-activity; sid:2023037; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; classtype:trojan-activity; sid:2023038; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:trojan-activity; sid:2023039; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment 
Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2023040; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; classtype:trojan-activity; sid:2023041; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish M1 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; 
classtype:trojan-activity; sid:2023042; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_10_06;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish M2 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"holdername="; nocase; depth:11; fast_pattern; http_client_body; content:"&numcard"; nocase; distance:0; http_client_body; content:"&ccv"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023043; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_10_06;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Suspended Account Phishing Landing Aug 09 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Log in to my account"; nocase; fast_pattern:7,20; content:"iCloud"; distance:0; nocase; content:"disabled for security reasons"; distance:0; nocase; content:"confirm your account information"; distance:0; nocase; content:"account has been frozen"; distance:0; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023044; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_10_13;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel Online Phishing Landing Aug 09 2016"; flow:from_server,established; content:"200"; 
http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Excel Online"; nocase; fast_pattern; content:"someone@example.com"; nocase; distance:0; content:"password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023045; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_10_13;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Excel Online Phish Aug 9"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Excel; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023046; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_07_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"pagename=|22|login|22|"; nocase; content:"<title>Sign in - Adobe"; nocase; distance:0; fast_pattern:2,20; content:"password-revealer"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:trojan-activity; sid:2023047; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_11, performance_impact Low, updated_at 2017_07_12;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Adobe Shared Document Phish Aug 11 2016"; 
flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023048; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_11, performance_impact Low, updated_at 2017_07_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern:26,20; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; classtype:trojan-activity; sid:2023051; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:trojan-activity; sid:2023052; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
+
+alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (err.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"err.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023055; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (msg.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"msg.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023056; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Infect"; nocase; fast_pattern; content:"toggleFullScreen"; distance:0; content:"countdown"; distance:0; content:"twoDigits"; distance:0; classtype:trojan-activity; sid:2023057; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"vendorName"; nocase; content:"alertCall"; fast_pattern; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"setInterval"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; content:"onkeydown"; nocase; distance:0; content:"e.ctrlKey"; nocase; distance:0; content:"e.keyCode"; nocase; distance:0; content:"onbeforeunload"; nocase; distance:0; classtype:trojan-activity; sid:2023058; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Excel Phish Aug 15 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd=login_submit"; http_header; nocase; fast_pattern; content:"login="; depth:6; nocase; http_client_body; content:"&passwd="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2016_08_15;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Storage Upgrade Phishing Landing Aug 15 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<TITLE>Login Authorization"; fast_pattern; nocase; content:"STORAGE UPGRADE"; nocase; distance:0; content:"Global Internet Administration!"; nocase; distance:0; classtype:trojan-activity; sid:2023062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, 
deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2016_08_15;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023063; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2017_07_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023064; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2017_07_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Square Enix Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"square-enix.com"; http_header; fast_pattern; content:!"square-enix.com|0d 0a|"; http_header; pcre:!"/^Referer\x3a[^\r\n]+square-enix\.com/Hmi"; classtype:trojan-activity; 
sid:2023065; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2016_09_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023066; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2016_08_15;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2023068; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_16, performance_impact Low, updated_at 2016_08_16;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; 
distance:0; classtype:trojan-activity; sid:2023069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_16, performance_impact Low, updated_at 2016_08_16;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Adobe Online Phish Aug 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"=sent"; nocase; http_uri; content:"feedback="; nocase; depth:9; http_client_body; fast_pattern; content:"&feedbacknow="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; pcre:"/=sent$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024559; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_16, performance_impact Low, updated_at 2017_08_16;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023072; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_17, performance_impact Low, updated_at 2017_07_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing Aug 17 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 
20|text/html"; http_header; file_data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; nocase; distance:0; classtype:trojan-activity; sid:2023073; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_17, performance_impact Low, updated_at 2016_08_17;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern:19,20; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2023074; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_08_17, performance_impact Low, updated_at 2016_08_17;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:trojan-activity; sid:2023079; rev:1; metadata:affected_product 
Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_18, performance_impact Low, updated_at 2016_08_18;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern:only; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:trojan-activity; sid:2023080; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_18, performance_impact Low, updated_at 2016_08_18;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 19 2016"; flow:to_server,established; content:"POST"; http_method; content:"login"; depth:5; fast_pattern; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024560; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_19, performance_impact Low, updated_at 2017_08_16;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Blockchain Account Phish Aug 19 2016"; flow:to_server,established; content:"POST"; http_method; content:"UID_input="; depth:10; nocase; http_client_body; fast_pattern; content:"&pass"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024616; rev:3; metadata:affected_product 
Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2016_08_19, performance_impact Low, updated_at 2017_08_28;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Office 365 Phishing Landing Aug 24 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name=|22|SiteID|22 20|content=|22 22|"; nocase; content:"<meta name=|22|ReqLC|22 20|content=|22|1033|22|"; fast_pattern; nocase; distance:0; content:"<meta name=|22|LocLC|22 20|content="; nocase; distance:0; content:"microsoftonline-p.com"; nocase; distance:0; content:"id=|22|credentials|22|"; nocase; distance:0; content:!"action=|22|/common/login|22|"; nocase; distance:0; within:50; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_24, performance_impact Low, updated_at 2018_07_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Google Drive Phishing Domain Aug 25 2016"; flow:to_server,established; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023092; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_25, performance_impact Low, updated_at 2016_08_25;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish to .tk domain Aug 26 2016"; flow:to_server,established; 
flowbits:isset,ET.genericphish; content:"POST"; http_method; content:".tk|0d 0a|"; http_header; fast_pattern; metadata: former_category INFO; classtype:trojan-activity; sid:2023137; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_26, performance_impact Low, updated_at 2017_11_20;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; content:"/distr/Proxifier"; http_uri; nocase; depth:16; fast_pattern; content:!"User-Agent|3a|"; http_header; nocase; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:!"Cookie|3a|"; content:"proxifier.com|0d 0a|"; http_header; nocase; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_08_26, performance_impact Low, updated_at 2016_08_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful TeamIPwned Phish Aug 30 2016"; flow:to_server,established; content:"POST"; http_method; content:"hellion.php"; nocase; http_uri; fast_pattern; content:"pass"; nocase; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025003; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_30, performance_impact Low, updated_at 2017_11_16;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phish Landing Sept 1 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; 
http_header; file_data; content:"function popupwnd"; fast_pattern; nocase; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"liamg"; nocase; distance:0; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"kooltuo"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025684; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_01, performance_impact Low, updated_at 2018_07_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_01, malware_family IEiExploit, performance_impact Low, updated_at 2016_09_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; file_data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_01, malware_family IEiExploit, performance_impact Low, updated_at 2016_09_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
CURRENT_EVENTS Possible Successful Generic Phish (set) Sept 02 2016"; flow:to_server,established; content:"POST"; http_method; content:"usr="; fast_pattern; nocase; http_client_body; content:"pwd="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024561; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_02, updated_at 2017_10_13;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:trojan-activity; sid:2023150; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_02, performance_impact Low, updated_at 2016_09_12;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024230; rev:1; metadata:affected_product Web_Browsers, attack_target 
Client_Endpoint, deployment Perimeter, tag Phishing_07012016, signature_severity Major, created_at 2016_09_02, performance_impact Low, updated_at 2017_04_20;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:trojan-activity; sid:2023151; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_02, updated_at 2016_09_02;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:trojan-activity; sid:2023152; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_02, updated_at 2016_09_02;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 
35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:trojan-activity; sid:2023153; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_02, updated_at 2016_09_02;)
+
+#alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023180; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing_07012016, signature_severity Major, created_at 2016_09_08, performance_impact Low, updated_at 2017_07_12;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023181; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_08, performance_impact Low, updated_at 2017_07_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; 
fast_pattern:only; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:trojan-activity; sid:2023186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_12, malware_family EvilTDS, performance_impact Low, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:trojan-activity; sid:2023188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, created_at 2016_09_12, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:trojan-activity; sid:2023189; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, created_at 2016_09_12, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:attempted-admin; sid:2023190; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:attempted-admin; sid:2023191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:attempted-admin; sid:2023192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:attempted-admin; sid:2023193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:attempted-admin; sid:2023194; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:attempted-admin; sid:2023195; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023196; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family RIG, performance_impact Low, updated_at 2016_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; 
classtype:trojan-activity; sid:2023198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_13, malware_family RIG, updated_at 2016_09_13;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023199; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_13, malware_family RIG, updated_at 2016_09_13;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_13, malware_family RIG, updated_at 2016_09_13;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M1 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Download Security Essentials"; nocase; fast_pattern; content:"Malicious Software Removal"; nocase; distance:0; content:"<audio"; content:"autoplay="; nocase; distance:0; content:"autoplay"; distance:1; nocase; content:"audio/mpeg"; nocase; distance:0; 
content:"getURLParameter"; content:"setTimeout"; distance:0; classtype:trojan-activity; sid:2023235; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M2 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security Error"; nocase; fast_pattern; content:"+screen.availHeight"; nocase; distance:0; content:"screen.availWidth"; nocase; distance:0; content:"<audio"; content:"autoplay="; content:"autoplay"; distance:1; within:9; classtype:trojan-activity; sid:2023236; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Sept 15 2016"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"issuefound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00/Rsi"; classtype:trojan-activity; sid:2023237; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_10_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; 
classtype:trojan-activity; sid:2023238; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; distance:0; within:40; classtype:trojan-activity; sid:2023239; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:trojan-activity; sid:2023248; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_19, malware_family EvilRedirector, malware_family Magnitude, performance_impact Low, updated_at 2016_09_19;) + +alert tcp $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET CURRENT_EVENTS Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"|0d 
0a|Cookie|3a|"; classtype:trojan-activity; sid:2023249; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector_07012016, signature_severity Major, created_at 2016_09_19, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_09_19;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:trojan-activity; sid:2023250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_19, malware_family EvilTDS, malware_family EITest, updated_at 2016_09_19;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:trojan-activity; sid:2023251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_19, malware_family EvilTDS, malware_family EITest, updated_at 2016_09_19;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 20 2016"; 
flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:trojan-activity; sid:2023252; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_20, malware_family EvilTDS, malware_family Malvertising, performance_impact Low, updated_at 2016_09_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_10_06;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;) + +alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023272; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023273; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"x7soyTdaNq94NWpdLGZ4NWpd";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"MlADchNaR0LGZ4NWpdLGZ4N";flowbits:set,SunDown.EK; 
classtype:trojan-activity; sid:2023275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"azTEhyWNbKGpdLGZ4NWpdLG";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023276; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023277; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, cve CVE_2015_0016, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, cve CVE_2015_0016, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family 
SunDown, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, cve CVE_2015_0016, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023282; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023283; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023284; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023285; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern:only; classtype:trojan-activity; sid:2023302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_26, malware_family AfraidGate, performance_impact Low, updated_at 2016_09_26;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:trojan-activity; sid:2023303; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_27, performance_impact Low, updated_at 2016_09_27;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; 
pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:trojan-activity; sid:2023307; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_28, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_09_28;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:trojan-activity; sid:2023312; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_10_03, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_10_06;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:trojan-activity; sid:2023313; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_10_03, malware_family SunDown, performance_impact Low, updated_at 2016_10_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Landing Oct 03 2016"; 
flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:trojan-activity; sid:2023314; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_10_03, malware_family SunDown, performance_impact Low, updated_at 2016_10_03;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern:37,20; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_03, malware_family Locky, updated_at 2016_10_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; 
content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_03, malware_family Locky, updated_at 2016_10_03;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Personalized OWA Webmail Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"&email="; nocase; http_uri; distance:0; content:"curl="; depth:5; nocase; http_client_body; content:"&flags="; nocase; distance:0; http_client_body; content:"&forcedownlevel="; nocase; distance:0; http_client_body; content:"&formdir="; nocase; distance:0; http_client_body; content:"&trusted="; nocase; distance:0; http_client_body; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&SubmitCreds="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025002; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_04, updated_at 2017_11_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&session="; nocase; http_uri; content:"provider="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; 
classtype:trojan-activity; sid:2023964; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_04, updated_at 2017_02_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iCloud Phish Oct 10 2016"; flow:to_server,established; content:"POST"; http_method; content:"/save.asp"; nocase; http_uri; fast_pattern; content:"apple"; http_header; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023592; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_11, updated_at 2016_12_08;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"jar"; nocase; http_client_body; depth:3; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&login="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024562; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_14, performance_impact Low, updated_at 2017_10_13;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; 
content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:trojan-activity; sid:2023343; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_10_17, malware_family EITest, performance_impact Low, updated_at 2016_10_28;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:trojan-activity; sid:2023352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_10_19, performance_impact Low, updated_at 2016_10_19;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:trojan-activity; sid:2023353; rev:1; 
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_10_19, performance_impact Low, updated_at 2016_10_19;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)"; flow:established,to_server; content:"/?"; http_uri; depth:2; content:"q="; http_uri; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023401; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2016_10_24, performance_impact Low, updated_at 2016_12_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 25 2016"; flow:to_server,established; content:"POST"; http_method; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024563; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_26, performance_impact Low, updated_at 2017_10_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26 2016"; flow:to_server,established; content:"POST"; 
http_method; content:"formtext"; nocase; http_client_body; content:"&formtext"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024564; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_26, performance_impact Low, updated_at 2017_10_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Tor Module Download"; flow:established,to_server; content:"/tor/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/Ui"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:attempted-admin; sid:2023473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_01, malware_family DNSEK, performance_impact Low, updated_at 
2016_11_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:trojan-activity; sid:2023474; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_11_03, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_12_22;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; 
nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023487; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_08, updated_at 2017_07_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023488; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_08, updated_at 2016_11_08;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Cartasi Phishing Domain Nov 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023495; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_09, performance_impact Low, updated_at 2017_11_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 15 2016"; 
flow:to_server,established; content:"POST"; http_method; content:"form"; nocase; http_client_body; fast_pattern; content:"&form"; nocase; http_client_body; distance:0; content:"&form"; nocase; http_client_body; distance:0; content:"&form"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_15, performance_impact Low, updated_at 2017_08_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern:47,20; classtype:trojan-activity; sid:2023513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_11_15, performance_impact Low, updated_at 2016_11_15;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"e-mail="; depth:7; fast_pattern; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024566; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity 
Major, created_at 2016_11_16, performance_impact Low, updated_at 2017_08_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Shared Document Phishing Landing Nov 16 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function checkemail"; nocase; content:"function checkbae"; nocase; distance:0; fast_pattern; content:"Sign in to view"; nocase; distance:0; content:"Select your email"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025672; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_17, updated_at 2018_07_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Settings Error Phishing Landing Nov 16 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>An error"; nocase; fast_pattern; content:"settings is blocking"; nocase; distance:0; within:50; content:"incoming emails"; nocase; distance:0; within:50; content:"error in your SSL settings"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025687; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_17, updated_at 2018_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 22 2016"; flow:to_server,established; content:"POST"; http_method; content:"feedback="; depth:9; fast_pattern; nocase; http_client_body; content:"&feedback"; nocase; http_client_body; distance:0; content:"&feedback"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: 
former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_22, performance_impact Low, updated_at 2017_08_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern:only; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:trojan-activity; sid:2023547; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_11_28, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2017_01_19;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; content:"GET"; http_method; content:".php?f="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/U"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_28, performance_impact Low, updated_at 2017_01_23;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS XBOOMBER Paypal Phishing Landing Nov 28 2016"; 
flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; distance:0; within:50; classtype:trojan-activity; sid:2023557; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_29, updated_at 2016_11_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websc-"; nocase; http_uri; content:".php?SessionID-xb="; nocase; http_uri; fast_pattern; within:40; classtype:trojan-activity; sid:2023558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_29, updated_at 2016_11_29;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2016_12_06, malware_family Exploit_Kit_RIG, updated_at 2016_12_06;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; 
flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023587; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2016_12_06, malware_family Exploit_Kit_RIG, updated_at 2016_12_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 07 2016"; flow:to_server,established; content:"POST"; http_method; content:"Editbox1="; depth:9; nocase; http_client_body; content:"&Editbox2="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024568; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_08, updated_at 2017_08_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Stripe Phishing Landing Dec 09 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Stripe|3a|"; nocase; fast_pattern; content:"|2f 2a 20 56 4f 44 4b 41 20 2a 2f|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025668; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_09, updated_at 2018_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Linkedin Phishing Domain Dec 09 2016"; flow:to_server,established; content:"GET"; http_method; content:"linkedin.com"; http_header; 
fast_pattern; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023596; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_09, updated_at 2016_12_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"UserID="; depth:7; nocase; http_client_body; fast_pattern; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024569; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_13, updated_at 2017_08_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Dec 13 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Page Redirection"; nocase; fast_pattern:3,20; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023638; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_13, performance_impact Low, updated_at 2018_03_13;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; 
content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:trojan-activity; sid:2023657; rev:1; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_16, malware_family Tech_Support_Scam, performance_impact Low, updated_at 2016_12_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 20 2016"; flow:to_server,established; content:"POST"; http_method; content:"name"; depth:7; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024570; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_20, updated_at 2017_08_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 27 2016"; flow:to_server,established; content:"POST"; http_method; content:"uid="; depth:4; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024571; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_29, updated_at 2017_08_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 03 2017"; flow:to_server,established; content:"POST"; http_method; 
content:"login_email"; depth:11; nocase; fast_pattern; http_client_body; content:"login_pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024572; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_03, updated_at 2017_08_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Netflix Payment Phish M1 Jan 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"firstName="; depth:10; nocase; http_client_body; content:"&lastName="; nocase; distance:0; http_client_body; content:"&cardNumber="; nocase; distance:0; http_client_body; content:"&expirationMonth="; nocase; distance:0; http_client_body; content:"&expirationYear="; nocase; distance:0; http_client_body; content:"&securityCode="; nocase; distance:0; http_client_body; fast_pattern; content:"&SubmitButton="; nocase; distance:0; http_client_body; content:"&msg_agree="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_05, updated_at 2017_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"p="; depth:2; nocase; http_client_body; content:"&a2="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&a1="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; fast_pattern; content:"&aa="; nocase; distance:0; 
http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&age="; nocase; distance:0; http_client_body; content:"&ir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023696; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_05, updated_at 2017_01_05;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"agencia="; depth:8; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&entrada_1="; nocase; distance:0; http_client_body; fast_pattern; content:"&entrada_2="; nocase; distance:0; http_client_body; content:"&entrada_3="; nocase; distance:0; http_client_body; content:"&entrada_4="; nocase; distance:0; http_client_body; content:"&looking1="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023697; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_05, updated_at 2017_03_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful National Bank Phish Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:"redirect="; depth:9; nocase; http_client_body; content:"&txtState="; nocase; distance:0; http_client_body; content:"&txtCount="; nocase; distance:0; http_client_body; content:"&txtOneTime="; nocase; distance:0; http_client_body; content:"&Account_ID="; nocase; distance:0; http_client_body; content:"&active_Password="; nocase; distance:0; http_client_body; fast_pattern; content:"&Submit="; nocase; distance:0; 
http_client_body; classtype:trojan-activity; sid:2023698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_05, updated_at 2017_01_05;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Jan 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name=|22|description|22 20|content=|22 78 50 61 79 50 61 6c 5f 32 30 31 37|"; content:"|43 61 5a 61 4e 6f 56 61 31 36 33|"; within:50; fast_pattern; classtype:trojan-activity; sid:2023712; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_09, performance_impact Low, updated_at 2017_01_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"ID="; depth:3; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024573; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_12, performance_impact Low, updated_at 2017_08_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; 
pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_17, malware_family EITest, performance_impact Low, updated_at 2017_01_17;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern:only; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:trojan-activity; sid:2023743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_17, malware_family EITest, updated_at 2017_01_17;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; 
pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023744; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_17, malware_family EITest, updated_at 2017_01_17;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:trojan-activity; sid:2023745; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_17, malware_family EITest, updated_at 2017_01_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"user="; depth:5; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024574; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_01_17, updated_at 2017_08_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017"; 
flow:to_server,established; content:"POST"; http_method; content:"user_id="; depth:8; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024575; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_01_17, updated_at 2017_08_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, signature_severity Major, created_at 2017_01_19, malware_family EITest, performance_impact Low, updated_at 2017_01_19;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jan 20 2017"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"Warning|3a|"; nocase; http_header; distance:0; fast_pattern; content:"Call Microsoft"; http_header; nocase; classtype:trojan-activity; sid:2023751; rev:1; metadata:affected_product Web_Browsers, attack_target 
Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_20, updated_at 2017_01_20;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern:3,20; content:"background-color|3a 20|#FF0000"; nocase; distance:0; classtype:trojan-activity; sid:2023752; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_20, updated_at 2017_01_20;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_24, performance_impact Low, updated_at 2017_01_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:trojan-activity; sid:2023757; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tag Phishing, signature_severity Major, created_at 2017_01_24, updated_at 2017_01_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tag Phishing, signature_severity Major, created_at 2017_01_24, updated_at 2017_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websrc"; http_uri; fast_pattern; content:"email"; nocase; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\/websrc$/U"; classtype:trojan-activity; sid:2023759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tag Phishing, signature_severity Major, created_at 2017_01_24, updated_at 2017_01_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"locale.x="; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; fast_pattern; content:"email="; nocase; distance:0; http_client_body; content:"password="; nocase; distance:0; http_client_body; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023760; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tag Phishing, signature_severity Major, created_at 2017_01_24, updated_at 2017_01_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Broken/Filtered RIG EK Payload Download"; 
flow:established,from_server; content:"Content-Type|3a 20|application/x-msdownload|0d 0a|"; http_header; content:"Content-Length|3a 20|3|0d 0a|"; http_header; fast_pattern; file_data; content:"|3d 28 28|"; within:3; isdataat:!1,relative; classtype:trojan-activity; sid:2023768; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_01_27, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_01_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&ROLLOUT="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; 
nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_01_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:trojan-activity; sid:2023772; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_01_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023773; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_01_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023774; 
rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_01_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023775; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_01_31, updated_at 2017_01_31;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023776; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_01_31, updated_at 2017_01_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Font_Update.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/Hmi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:trojan-activity; sid:2023817; rev:1; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_01_31, performance_impact Low, updated_at 2017_01_31;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023820; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"apple.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023821; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 
2017_02_02, updated_at 2017_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023822; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023823; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023824; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_11_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; 
http_method; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023825; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023826; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023827; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023828; rev:1; metadata:affected_product Web_Browsers, attack_target 
Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023829; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_11_17;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 01"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|account-google|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023833; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 02"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|aramex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023834; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 03"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; 
content:"|11|device-activation|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023835; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 04"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dropbox-service|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023836; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 05"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dropbox-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023837; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 06"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dropboxsupport|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023838; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 
53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 07"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-mail|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023839; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 08"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|fedex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023840; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 09"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023841; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googledriver-sign|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023842; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag 
Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|googledrive-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023843; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|google-maps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023844; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googlesecure-serv|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023845; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|googlesignin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; 
classtype:trojan-activity; sid:2023846; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|googleverify-signin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023847; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|mailgooglesign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023848; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 17"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023849; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 18"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; 
content:"|0b|secure-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023850; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 19"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|security-myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023851; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 20"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|verification-acc|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023852; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 21"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dropbox-verfy|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023853; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 
53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 22"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fedex-s|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023854; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|watchyoutube|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023855; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 24"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|verification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023856; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 25"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|securityteam-notify|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023857; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment 
Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 26"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|secure-alert|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023858; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 27"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|quota-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023859; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 28"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|notification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023860; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|fedex-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; 
reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023861; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 30"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|docs-mails|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023862; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 31"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|restricted-videos|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023863; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 32"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|dropboxnotification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023864; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 33"; content:"|01 00 00 01 
00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|moi-gov|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023865; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 34"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|activate-google|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023866; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 35"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|googlemaps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023867; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Feb 2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Microsoft Official Support <"; fast_pattern; nocase; content:"var stroka"; nocase; distance:0; content:"wM/8AAEQgADQCgAwEiAAIRAQMRAf/dAAQACv/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIE"; distance:0; classtype:trojan-activity; sid:2023869; rev:1; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_03, performance_impact Low, updated_at 2017_02_03;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern:only; classtype:trojan-activity; sid:2023878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_02_07, malware_family Exploit_Kit, performance_impact Low, updated_at 2017_02_07;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern:only; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:trojan-activity; sid:2023879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_02_07, malware_family Exploit_Kit, performance_impact Low, updated_at 2017_02_07;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023880; rev:1; metadata:affected_product 
Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_07, updated_at 2017_11_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern:9,20; classtype:trojan-activity; sid:2023888; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_09, updated_at 2017_02_09;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Feb 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft Official Support"; nocase; fast_pattern:13,20; content:"<audio"; nocase; distance:0; content:"loop="; nocase; within:50; classtype:trojan-activity; sid:2023889; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_09, updated_at 2017_02_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023890; rev:1; 
metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_09, updated_at 2017_02_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023891; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_09, updated_at 2017_02_09;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M1 Feb 13 2017"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"jQuery(function($)"; nocase; content:"cc-number"; within:50; nocase; fast_pattern; content:"formatCardNumber"; within:50; content:"cc-exp"; nocase; distance:0; content:"formatCardExpiry"; within:50; content:"cc-cvc"; nocase; distance:0; content:"formatCardCVC"; within:50; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025658; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_13, updated_at 2018_07_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M2 Feb 13 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#dob"; nocase; content:".mask"; within:10; content:"#ccexp"; nocase; distance:0; content:".mask"; within:10; 
content:"#ssn"; nocase; distance:0; content:".mask"; within:10; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025667; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_13, updated_at 2018_07_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live External Link Phishing Landing M2 Feb 14 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Secure redirect"; nocase; fast_pattern:2,20; content:"auth.gfx.ms"; nocase; distance:0; content:"access sensitive information"; nocase; distance:0; content:"Confirm your password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025675; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_14, updated_at 2018_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"locked.php"; nocase; http_uri; content:"Account-Unlock"; nocase; distance:0; http_uri; fast_pattern; content:"user="; depth:5; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_17, updated_at 2017_02_17;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 
32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024000; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_17, updated_at 2017_11_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024001; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_17, updated_at 2017_02_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"&txtCelular="; nocase; http_client_body; content:"&txtSenhaCartao="; nocase; distance:0; http_client_body; fast_pattern; content:"btnLogIn"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024002; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_17, updated_at 2017_02_17;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; classtype:trojan-activity; sid:2024003; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment 
Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_17, performance_impact Low, updated_at 2017_02_17;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Shared Document Phishing Landing Feb 21 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"openOffersDialog"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025688; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_21, updated_at 2018_07_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"self.location.replace("; within:100; fast_pattern:2,20; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2024007; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:"location|3a 20|"; http_header; fast_pattern; content:"|2f 3f|"; distance:32; within:2; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:trojan-activity; sid:2024008; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"step=confirmation"; depth:17; nocase; http_client_body; content:"&rt="; nocase; distance:0; http_client_body; content:"&rp="; nocase; distance:0; http_client_body; content:"&p="; nocase; distance:0; http_client_body; content:"&whichForm="; nocase; distance:0; http_client_body; content:"&Email="; nocase; distance:0; http_client_body; content:"&Parola="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024009; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"NumarCard="; depth:10; nocase; http_client_body; fast_pattern; content:"&CVV="; nocase; distance:0; http_client_body; content:"&Luna="; nocase; distance:0; http_client_body; content:"&NumeCard="; nocase; distance:0; http_client_body; content:"&PrenumeCard="; nocase; distance:0; http_client_body; content:"&NumedeContact="; nocase; distance:0; http_client_body; content:"&NumardeTelefon="; nocase; distance:0; http_client_body; content:"&EmaildeContact="; nocase; distance:0; http_client_body; content:"&cryptedStepCheck="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024010; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; 
content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024011; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024012; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; 
classtype:trojan-activity; sid:2024013; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024014; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/signin"; content:"/signin|0d 0a|"; http_header; fast_pattern; content:"_token="; depth:7; nocase; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"|25|40"; nocase; distance:0; http_client_body; content:"&pass"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024015; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"location|3a 20|"; nocase; http_header; 
content:".php?cmd=_update-information&account_bank="; nocase; http_header; fast_pattern:22,20; distance:0; content:"&dispatch="; distance:32; within:10; nocase; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; classtype:trojan-activity; sid:2024016; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:trojan-activity; sid:2024017; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Common Paypal Phishing URI Feb 24 2017"; flow:to_server,established; content:"GET"; http_method; content:"/webapps/"; http_uri; content:"/websrc"; distance:5; within:7; http_uri; fast_pattern; pcre:"/\/webapps\/[a-f0-9]{5}\/websrc/Ui"; classtype:trojan-activity; sid:2024018; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; file_data; content:"<title>"; nocase; fast_pattern; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen:>90; 
content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_02_27, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_02_27;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_02_27, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_02_27;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing Feb 27 2017"; flow:from_server,established; file_data; content:"Dropbox"; nocase; fast_pattern; content:"app.png"; nocase; distance:0; content:"live.png"; nocase; distance:0; content:"off.png"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025689; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_27, updated_at 2018_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
CURRENT_EVENTS Successful Vanguard Phish Mar 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"dmform-0="; depth:9; nocase; http_client_body; content:"&label-dmform-0=User+name"; nocase; distance:0; http_client_body; content:"&label-dmform-1=Password"; nocase; distance:0; http_client_body; content:"&label-dmform-8=Account+Email"; nocase; distance:0; http_client_body; content:"&label-dmform-9=Password"; nocase; distance:0; http_client_body; content:"&dmformsubject=Vang"; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024032; rev:1; metadata:created_at 2017_03_06, updated_at 2017_03_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Android Fake AV Download Landing Mar 06 2017"; flow:to_server,established; content:"GET"; http_method; content:".php?model="; nocase; http_uri; content:"&brand="; nocase; distance:0; http_uri; content:"&osversion="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; content:"&voluumdata=BASE64"; nocase; distance:0; http_uri; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024033; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Internet, signature_severity Minor, created_at 2017_03_06, malware_family Fake_Alert, updated_at 2017_03_06;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Docusign Phishing Landing Mar 08 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>|26 23|68|3b 26 23|111|3b 26 23|99|3b 26 23|117|3b 26 23|115|3b 26 23|105|3b 26 23|103|3b 26 23|110|3b|"; fast_pattern:33,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025662; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag 
Phishing, signature_severity Minor, created_at 2017_03_08, updated_at 2018_07_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern:70,20; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024037; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_08, performance_impact Low, updated_at 2017_03_08;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; content:"Content-Disposition|3a|"; nocase; http_header; content:"|43 68 72 ce bf 6d 65|"; nocase; http_header; fast_pattern:only; content:"|66 ce bf 6e 74|"; nocase; http_header; content:"|2e 65 78 65|"; nocase; http_header; file_data; content:"MZ"; within:2; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_09, updated_at 2017_03_09;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Virus Alert"; nocase; fast_pattern:5,20; 
content:"|3a|-webkit-full-screen"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024042; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_09, updated_at 2017_03_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024046; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_13, updated_at 2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful National Bank Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"aliasDispatcher="; depth:16; nocase; http_client_body; content:"&indBNCFunds="; nocase; distance:0; http_client_body; content:"&accountNumber1="; nocase; distance:0; http_client_body; content:"&cardExpirDate="; nocase; distance:0; http_client_body; fast_pattern; content:"®istrationMode="; nocase; distance:0; http_client_body; content:"&cardActionTypeSelected="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&clientIpAdress="; nocase; distance:0; http_client_body; content:"&clientUserAgent="; nocase; distance:0; http_client_body; content:"&clientScreenResolution="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024047; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment 
Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_13, updated_at 2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024048; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_03_13, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_03_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; content:"QMvXcJ"; http_uri; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_03_13, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_03_13;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS INTERAC Payment 
Multibank Phishing Landing Mar 14 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta property=|22|og|3a|title|22 20|content=|22|Deposit your INTERAC e-Transfer|22|"; nocase; content:"<title>INTERAC e-Transfer"; nocase; distance:0; fast_pattern:5,20; content:"INTERAC|25|20e-Transfer"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025679; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_14, updated_at 2018_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024050; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_14, updated_at 2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Instagram Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"cek=login"; depth:9; nocase; http_client_body; fast_pattern; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; 
distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024051; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_14, updated_at 2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_cmd="; depth:10; nocase; http_client_body; content:"&login_params="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024052; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_14, updated_at 2017_03_29;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_03_14, malware_family Exploit_Kit_Terror, updated_at 2017_03_14;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_03_14, malware_family Exploit_Kit_Terror, updated_at 2017_03_14;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern:only; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024055; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_14, malware_family terror_EK, performance_impact Moderate, updated_at 2017_03_14;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024059; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_15, updated_at 2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"appid="; depth:6; nocase; http_client_body; fast_pattern; content:"|25|40"; distance:0; http_client_body; content:"&pwd"; nocase; distance:0; http_client_body; 
metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024060; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_15, updated_at 2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"fname="; depth:6; nocase; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&cchn="; nocase; distance:0; http_client_body; content:"&ccnum="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate="; nocase; distance:0; http_client_body; content:"&cvv2="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024061; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_15, updated_at 2017_03_29;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live Email Account Phishing Landing Mar 16 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name="; nocase; content:"mswebdialog-title"; nocase; distance:1; within:18; content:"Arcadis Office 365"; nocase; within:50; fast_pattern; content:"<title>Sign In"; nocase; within:50; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025664; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_16, updated_at 2018_07_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; 
content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024092; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_17, performance_impact Low, updated_at 2017_03_17;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017 M2"; flow:established,from_server; file_data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri";content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_17, performance_impact Low, updated_at 2017_03_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"identif="; depth:8; nocase; http_client_body; content:"&elserr="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024100; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_22, updated_at 
2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024101; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_27, updated_at 2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024102; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_27, updated_at 2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; 
sid:2024103; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_27, updated_at 2017_03_29;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Online Document Phishing Landing M1 Mar 25 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Your session has timed out"; fast_pattern; nocase; content:"Click OK to sign in and continue"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025694; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_27, performance_impact Low, updated_at 2018_07_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; metadata: former_category CURRENT_EVENTS; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_29, performance_impact Moderate, updated_at 2017_03_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"/mang.bbk"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/mang\.bbk$/Ui"; metadata: former_category CURRENT_EVENTS; 
reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_30, malware_family Maldoc, performance_impact Moderate, updated_at 2017_03_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"telefone="; depth:9; nocase; http_client_body; content:"&senha6="; nocase; distance:0; http_client_body; fast_pattern; content:"&ir="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha8="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024328; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_30, updated_at 2017_05_25;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|wide.singldays.top"; distance:1; within:19; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024124; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech 
Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern:2,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024125; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern:1,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024126; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|13|web.machinerysc.top"; distance:1; within:20; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024127; rev:1; metadata:affected_product Web_Browsers, attack_target 
Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|sub.contentedy.top"; distance:1; within:19; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024128; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern:1,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024129; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern:2,20; metadata: former_category CURRENT_EVENTS; 
reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024130; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern:2,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024131; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern:1,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024132; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1"; 
flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|0"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024133; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024134; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|2"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; 
reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024135; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|3"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024136; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|4"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024137; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 
any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|5"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024138; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|6"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024139; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|7"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: 
former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024140; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|8"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024141; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|9"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024142; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;) + 
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024167; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_04, updated_at 2017_04_04;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern:only; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; metadata: former_category CURRENT_EVENTS; reference:cve,2016-0189; classtype:trojan-activity; sid:2024168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_04_04, malware_family Exploit_Kit_Terror, performance_impact Low, updated_at 2017_04_04;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 
74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; metadata: former_category CURRENT_EVENTS; reference:cve,2016-0189; classtype:trojan-activity; sid:2024169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_04_04, malware_family Exploit_Kit_Terror, performance_impact Low, updated_at 2017_04_04;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; metadata: former_category CURRENT_EVENTS; reference:cve,2016-0189; classtype:trojan-activity; sid:2024170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_04_04, malware_family Exploit_Kit_Terror, performance_impact Low, updated_at 2017_04_04;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Terror EK Payload Download"; flow:established,to_server; content:"e=cve"; http_uri; fast_pattern:only; pcre:"/[&?]e=cve\d{8}(?:&|$)/U"; pcre:"/=[a-f0-9]{32,}(?:&|$)/U"; content:!"Referer|3a|"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024180; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_04_04, malware_family Exploit_Kit_Terror, performance_impact Low, updated_at 2017_04_04;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
CURRENT_EVENTS Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"gender="; depth:7; nocase; http_client_body; fast_pattern; content:"&name1="; nocase; distance:0; http_client_body; content:"&name2="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024184; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnumber="; depth:8; nocase; http_client_body; fast_pattern; content:"&expm="; nocase; distance:0; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&cname="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024185; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; 
content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024186; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024187; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024188; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in CVE-2017-0199)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; 
fast_pattern:9,20; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024197; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, signature_severity Major, created_at 2017_04_11, performance_impact Low, updated_at 2017_08_07;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_11, malware_family EITest, updated_at 2017_04_11;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024199; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_11, malware_family EITest, updated_at 2017_04_11;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_11, malware_family EITest, updated_at 2017_04_11;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; content:"Expires|3A| Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; http_header; fast_pattern:9,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_20, performance_impact Moderate, updated_at 2017_04_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024231; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_20, updated_at 2017_04_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; 
http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024232; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_20, updated_at 2017_04_20;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; metadata: former_category CURRENT_EVENTS; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:trojan-activity; sid:2024237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_24, performance_impact Moderate, updated_at 2017_04_24;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HoeflerText Chrome Popup DriveBy Download Attempt 1"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; metadata: 
former_category CURRENT_EVENTS; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:trojan-activity; sid:2024238; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_24, performance_impact Moderate, updated_at 2017_09_12;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful OWA Phish Apr 25 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; fast_pattern; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; within:20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024999; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_25, updated_at 2017_11_16;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M1 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Alert"; fast_pattern:7,20; nocase; content:""; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025912; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_26;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Underminer EK Landing"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip|0d 0a|"; http_header; 
file_data; content:"position|3a 20|absolute|3b 20|left|3a 20|-"; fast_pattern; nocase; content:"if(!!window.ActiveXObject && typeof("; nocase; within:200; content:"if(!!window.ActiveXObject && typeof("; distance:0; pcre:"/^[^\r\n]+\s*\)\s*\!==\s*[\x22\x27]undefined[\x22\x27]\s*\)\{\s+var\s+(?P[A-Za-z0-9]{1,25})\s*=\s*[^\.]+\.getElementById\s*\([\x22\x2][^\x22\x27]+[\x22\x27]\s*\)\s*\x3b\s+(?P=var)\s*\.\s*elements\[[\x22\x27][^\x22\x27]+[\x22\x27]\]\.value\s*=\s*[0-9]{1,15}\s*\;/Rsi"; content:"src="; distance:0; pcre:"/^\s*[\x22\x27][^\r\n]+\/[a-z0-9]{20,40}\.js[\x22\x27]\s*>\s*<\/script>\s*<\/body>/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025916; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_27;) + +#alert tcp $EXTERNAL_NET !6666:7000 -> $HOME_NET any (msg:"ET DELETED IRC Name response on non-standard port"; flow: to_client,established; dsize:<128; content:"|3a|"; depth:1; content:" 302 "; content:"=+"; content:"@"; reference:url,doc.emergingthreats.net/bin/view/Main/2000346; classtype:trojan-activity; sid:2000346; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> any 6667 (msg:"ET DELETED Likely Botnet Activity"; flow:to_server,established; content:"PRIVMSG|20|"; depth:8; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? 
aberta)/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001620; classtype:string-detect; sid:2001620; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adobe 0day Shovelware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a|"; http_header; nocase; content:"/ppp/listdir.php?dir="; nocase; http_uri; pcre:"/\/[a-z]{2}\/[a-z]{4}01\/ppp\/listdir\.php\?dir=/Ui"; reference:url,isc.sans.org/diary.html?storyid=7747; reference:url,doc.emergingthreats.net/2010496; classtype:trojan-activity; sid:2010496; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Macromedia Flash Player In Windows XP Remote Arbitrary Code Execution CLSID Access Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D27CDB6E-AE6D-11cf-96B8-444553540000/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19710; reference:url,www.kb.cert.org/vuls/id/204889; reference:url,www.microsoft.com/technet/security/advisory/979267.mspx; reference:url,doc.emergingthreats.net/2010666; classtype:attempted-user; sid:2010666; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Flash 0Day Exploit Attempt"; flow:established,from_server; content:"CWS|09|"; content:"|BA D5 19 5D 86 67 D5 8E 7F BC D0 3C 6E D8 E2 17 16 E8 3A 9F CF 59 B8 7B F6|"; distance:16; reference:url,www.exploit-db.com/exploits/13787/; reference:url,doc.emergingthreats.net/2011672; classtype:misc-attack; sid:2011672; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV 
AntivirusDoktor2009 User-Agent (768)"; flow:established,to_server; content:"User-Agent|3a| 768"; http_header; reference:url,doc.emergingthreats.net/2010682; classtype:trojan-activity; sid:2010682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV AntivirusDoktor2009 User-Agent (657)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| 657"; http_header; reference:url,doc.emergingthreats.net/2010683; classtype:trojan-activity; sid:2010683; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (ads-t.ru)"; flow:established,from_server; file_data; content:""; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013060; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET 1064 (msg:"ET DELETED Win32/Fynloski Backdoor Keepalive Message"; flow:established,to_server; content:"KEEPALIVE"; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; reference:url,www.threatexpert.com/report.aspx?md5=baca8170608c189e2911dc4e430c7719; classtype:trojan-activity; sid:2013067; rev:2; metadata:created_at 2011_06_20, updated_at 2011_06_20;) + +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; classtype:web-application-attack; sid:2013068; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, 
deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_20, updated_at 2016_07_01;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_06_21, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible CVE-2011-2110 Flash Exploit Campaign Log.txt Request"; flow:established,to_server; content:"GET"; http_method; content:"/log.txt"; http_uri; content:"|2E|swf?info=02"; http_header; reference:cve,2011-2110; reference:url,blog.fireeye.com/research/2011/06/old-wine-in-a-new-bottle.html; classtype:trojan-activity; sid:2013113; rev:3; metadata:created_at 2011_06_23, updated_at 2011_06_23;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.VB.OWR Checkin"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1B 00 01 02 00 1C 00|"; within:19; reference:url,www.threatexpert.com/report.aspx?md5=7684532e7e1d717427f6842e9d5ecd56; reference:url,anubis.iseclab.org/?action=result&task_id=1ac5dbffd86ddd7f49da78a66fbeb6c37&format=txt; classtype:trojan-activity; sid:2013121; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Ponmocup C2 Malware Update before fake JPEG download"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/shopping3.cgi?a="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; 
classtype:trojan-activity; sid:2013179; rev:9; metadata:created_at 2011_07_04, updated_at 2011_07_04;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Ponmocup C2 Malware Update after fake JPEG download"; flow:established,to_server; content:"/cgi-bin/unshopping3.cgi?b="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013180; rev:9; metadata:created_at 2011_07_04, updated_at 2011_07_04;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=|5C 22|http|3A|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_07_04, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Client Visiting cssminibar.js Injected Website Malware Related"; flow:established,to_client; content:"/cssminibar.js|22|>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013191; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Generic Trojan Checkin"; flow:established,to_server; content:"unit_id="; http_uri; content:"&uv_id="; http_uri; content:"&uv_new="; http_uri; content:"&url="; http_uri; content:"&charset="; http_uri; content:"&hashval="; http_uri; content:"&app="; http_uri; content:"&lg="; http_uri; classtype:trojan-activity; sid:2013204; rev:2; metadata:created_at 2011_07_05, updated_at 
2011_07_05;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Hooker Checkin Message"; flow:established,to_server; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&sin="; http_uri; classtype:trojan-activity; sid:2013205; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET 83 (msg:"ET DELETED W32/Alworo CnC Checkin"; flow:established,to_server; content:".php?userid="; nocase; content:"&time="; nocase; distance:0; content:"&msg="; nocase; distance:0; content:"&ver="; nocase; distance:0; content:"&pauid="; nocase; distance:0; content:"&checkId="; nocase; distance:0; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2; classtype:trojan-activity; sid:2013215; rev:2; metadata:created_at 2011_07_06, updated_at 2011_07_06;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Backdoor.Specfix Checkin"; flow:established,to_server; content:"/AWS"; http_uri; content:".jsp?"; http_uri; content:"x-bigfix-client-string|3A|"; http_header; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062203-3150-99&tabid=2; classtype:trojan-activity; sid:2013218; rev:1; metadata:created_at 2011_07_06, updated_at 2011_07_06;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:2; metadata:created_at 2011_07_06, updated_at 2011_07_06;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; distance:0; 
content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:3; metadata:created_at 2011_07_06, updated_at 2016_08_29;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate"; flow:established,from_server; content:"|7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b|"; content:"sef1941@gmail.com"; within:250; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; classtype:misc-activity; sid:2013223; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2011_07_06, updated_at 2016_07_01;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Suspicious *.cu.cc domain"; flow:to_server,established; content:".cu.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013242; rev:2; metadata:created_at 2011_07_08, updated_at 2011_07_08;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a *.uni.cc domain"; flow:to_server,established; content:".uni.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013248; rev:2; metadata:created_at 2011_07_11, updated_at 2011_07_11;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|"; within:500; content:""; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5; metadata:created_at 2012_05_17, updated_at 2012_05_17;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; metadata: former_category CURRENT_EVENTS; 
classtype:trojan-activity; sid:2014773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_18, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_18, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:2; metadata:created_at 2012_05_21, updated_at 2012_05_21;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| rv|3a|1.9.1) Gecko/20090624 Firefox/3.5|0D 0A|Accept|3a| */*|0D 0A|Host|3a| "; http_header; depth:110; fast_pattern:72,20; 
classtype:trojan-activity; sid:2014796; rev:5; metadata:created_at 2012_05_21, updated_at 2012_05_21;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; file_data; content:"getElementById']('qwe')"; distance:0; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_22, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_22, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"
                 $HOME_NET any (msg:"ET DELETED Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_30, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"(asdvsa"; within:80; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014823; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_30, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; within:80; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014825; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_30, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to b.class"; flow:established,to_server; urilen:10; content:"/b.class"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014824; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to .class file"; flow:established,to_server; content:".class"; http_uri; pcre:"/\/\w{1,2}\/\w{1,2}\.class$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014830; rev:3; metadata:created_at 2012_05_30, updated_at 2016_06_10;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Loading Gif Inline Image"; flow:established,from_server; content:"background|3a|url(data|3a|image/gif|3b|base64,R0lGODlhEAAQAAAAACH/C05FVFNDQVBFMi4wAwH//"; classtype:trojan-activity; sid:2014842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_01, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; metadata: former_category TROJAN; classtype:trojan-activity; sid:2014843; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_01, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014844; rev:2; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:trojan-activity; sid:2014845; rev:2; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:1; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"|0d 0a|Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014858; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dakotavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dakotavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014859; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
                +
                +#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dak1otavola1ndos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dak1otavola1ndos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014860; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
                +
                +#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dako22tavol2andos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|dako22tavol2andos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014861; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
                +
                +#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d3akotav33olandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|d3akotav33olandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014862; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
                +
                +#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|d4ak4otavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014863; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_08, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_08, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014888; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and 5digit jar"; flow:established,to_client; content:"<applet"; fast_pattern; content:".jar"; distance:0; pcre:"/\W[0-9]{5}\.jar/"; classtype:trojan-activity; sid:2014894; rev:7; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_15, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_15, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014909; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_15, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2014916; rev:2; metadata:created_at 2012_06_18, updated_at 2012_06_18;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:trojan-activity; sid:2014917; rev:4; metadata:created_at 2012_06_18, updated_at 2012_06_18;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_18, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; distance:0; within:12; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_18, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; fast_pattern:26,20; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_21, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar"; flow:established,to_server;  content:"/Trop.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014937; rev:18; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_22, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_22, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:2; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:2; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe"; flow:established,to_client; content:"attachment"; http_header; content:".exe"; fast_pattern:only; http_header; pcre:"/[a-z]{9}[0-9]\.exe/H"; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2014968; rev:7; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=16HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:23<>60; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{16}$/U"; pcre:"/[0-9]{1,16}[a-f]{1,16}[0-9]{1,16}$/U"; classtype:trojan-activity; sid:2014973; rev:17; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_26, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=8HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:15<>52; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{8}$/U"; pcre:"/[0-9]{1,8}[a-f]{1,8}[0-9]{1,8}$/U"; classtype:trojan-activity; sid:2014974; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_27, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /Home/index.php"; flow:established,to_server; content:"/Home/index.php"; http_uri; depth:15; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; classtype:trojan-activity; sid:2014975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_27, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"<applet"; classtype:trojan-activity; sid:2014977; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_27, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_27, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; distance:0; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; metadata: former_category CURRENT_EVENTS; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:trojan-activity; sid:2014981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_28, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_02, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_03, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015006; rev:5; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015007; rev:8; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015009; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; distance:0; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015012; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_03, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; distance:0; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015013; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_03, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; file_data; content:"ev|22|+|22|a"; distance:0; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015014; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_03, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data;  content:"=|22|ev|22 3B|"; distance:0; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_05, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; distance:0; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 3"; flow:established,to_client; file_data; content:"=|22|eva|22 3B|"; distance:0; content:"+|22|l|22|"; distance:0; pcre:"/\x2B\x22l\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015027; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; file_data; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:trojan-activity; sid:2015043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:trojan-activity; sid:2015044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:trojan-activity; sid:2015046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:trojan-activity; sid:2015047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; distance:0; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015048; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_09, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; fast_pattern:only; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"<html><body><script>"; distance:0; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru"; flow:established,to_server; content:"|3a| bdvkpbuldslsapeb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015061; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eilqnjkoytyjuchn.ru"; flow:established,to_server; content:"|3a| eilqnjkoytyjuchn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015062; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru"; flow:established,to_server; content:"|3a| npxsiiwpxqqiihmo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015063; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru"; flow:established,to_server; content:"|3a| qtmyeslmsoxkjbku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015064; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain adbjjkquyyhyqknf.ru"; flow:established,to_server; content:"|3a| adbjjkquyyhyqknf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015065; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru"; flow:established,to_server; content:"|3a| ciqmhuwgvfsxdtrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015066; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mocrafrewsdjztbj.ru"; flow:established,to_server; content:"|3a| mocrafrewsdjztbj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015067; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain otruvbidvikzhlop.ru"; flow:established,to_server; content:"|3a| otruvbidvikzhlop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015068; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yafzvancybuwmnno.ru"; flow:established,to_server; content:"|3a| yafzvancybuwmnno.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015069; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bhujzorkulhkpwob.ru"; flow:established,to_server; content:"|3a| bhujzorkulhkpwob.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015070; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru"; flow:established,to_server; content:"|3a| lohnrnnpvvtxedfl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015071; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru"; flow:established,to_server; content:"|3a| ntvrnrdpyoadopbo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015072; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wakvnkyzkyietkdr.ru"; flow:established,to_server; content:"|3a| wakvnkyzkyietkdr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015073; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru"; flow:established,to_server; content:"|3a| zfyafrjmmajqfvbh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015074; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru"; flow:established,to_server; content:"|3a| jnlkttkruqsdjqlx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015075; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsbppxhgckolsnap.ru"; flow:established,to_server; content:"|3a| lsbppxhgckolsnap.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015076; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vznrahwzgntmfcqk.ru"; flow:established,to_server; content:"|3a| vznrahwzgntmfcqk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015077; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xeeypppxswpquvrf.ru"; flow:established,to_server; content:"|3a| xeeypppxswpquvrf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015078; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru"; flow:established,to_server; content:"|3a| inqgvoeohpcsfxmn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015079; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksgmckchdppqeicu.ru"; flow:established,to_server; content:"|3a| ksgmckchdppqeicu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015080; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uyrorwlibbjeasoq.ru"; flow:established,to_server; content:"|3a| uyrorwlibbjeasoq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015081; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wejungvnykczyjam.ru"; flow:established,to_server; content:"|3a| wejungvnykczyjam.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015082; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru"; flow:established,to_server; content:"|3a| gmvdnpqbblixlgxj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015083; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrkjelzwleadyxsd.ru"; flow:established,to_server; content:"|3a| jrkjelzwleadyxsd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015084; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sywleisrsstsqoic.ru"; flow:established,to_server; content:"|3a| sywleisrsstsqoic.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015085; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain venrfhmthwpqlqge.ru"; flow:established,to_server; content:"|3a| venrfhmthwpqlqge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015086; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fmacqvmqafqwmebl.ru"; flow:established,to_server; content:"|3a| fmacqvmqafqwmebl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015087; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrpgglxvqwjesffr.ru"; flow:established,to_server; content:"|3a| hrpgglxvqwjesffr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015088; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru"; flow:established,to_server; content:"|3a| rxbkqfydlnzopqrn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015089; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdsorylshsxjeawf.ru"; flow:established,to_server; content:"|3a| tdsorylshsxjeawf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015090; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elfxqghdubihhsgd.ru"; flow:established,to_server; content:"|3a| elfxqghdubihhsgd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015091; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru"; flow:established,to_server; content:"|3a| gqtcxunxhyujqjkf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015092; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sdxkjaophbtufumx.ru"; flow:established,to_server; content:"|3a| sdxkjaophbtufumx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015094; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain clkujrjqvexvbmoi.ru"; flow:established,to_server; content:"|3a| clkujrjqvexvbmoi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015095; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru"; flow:established,to_server; content:"|3a| fqyyxagzkrpvxtki.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015096; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owldagkyzrkhqnjo.ru"; flow:established,to_server; content:"|3a| owldagkyzrkhqnjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015097; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rccjvgsgffokiwze.ru"; flow:established,to_server; content:"|3a| rccjvgsgffokiwze.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015098; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain blorcdyiipxcwyxv.ru"; flow:established,to_server; content:"|3a| blorcdyiipxcwyxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015099; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dpewaddpoewiycnj.ru"; flow:established,to_server; content:"|3a| dpewaddpoewiycnj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015100; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nwpykqeizraqthry.ru"; flow:established,to_server; content:"|3a| nwpykqeizraqthry.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015101; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pchgijctfprxhnje.ru"; flow:established,to_server; content:"|3a| pchgijctfprxhnje.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015102; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zisiiogqigzzqqeq.ru"; flow:established,to_server; content:"|3a| zisiiogqigzzqqeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015103; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cpittmwbqtjrjpql.ru"; flow:established,to_server; content:"|3a| cpittmwbqtjrjpql.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015104; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mvuvchtcxxibeubd.ru"; flow:established,to_server; content:"|3a| mvuvchtcxxibeubd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015105; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oblcasnhxbbocpfj.ru"; flow:established,to_server; content:"|3a| oblcasnhxbbocpfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015106; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xixftoplsduqqorx.ru"; flow:established,to_server; content:"|3a| xixftoplsduqqorx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015107; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru"; flow:established,to_server; content:"|3a| bpnqmxkpxxgbdnby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015108; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru"; flow:established,to_server; content:"|3a| kvzstpqmeoxtcwko.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015109; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru"; flow:established,to_server; content:"|3a| nbqypqrjiqxlfvdj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015110; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain whddmvrxufbkkoew.ru"; flow:established,to_server; content:"|3a| whddmvrxufbkkoew.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015111; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ymrhcvphevonympo.ru"; flow:established,to_server; content:"|3a| ymrhcvphevonympo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015112; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jveqgnmjxkocqifr.ru"; flow:established,to_server; content:"|3a| jveqgnmjxkocqifr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015113; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lavvckpordclbduy.ru"; flow:established,to_server; content:"|3a| lavvckpordclbduy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015114; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru"; flow:established,to_server; content:"|3a| vhhzcvbegxbjsxke.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015115; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru"; flow:established,to_server; content:"|3a| xmwettbvtbhvrjuo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015116; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iujniiokeyjbmerc.ru"; flow:established,to_server; content:"|3a| iujniiokeyjbmerc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015117; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kzxrowftdocgyghs.ru"; flow:established,to_server; content:"|3a| kzxrowftdocgyghs.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015118; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gacdiuwnhonuulpe.ru"; flow:established,to_server; content:"|3a| gacdiuwnhonuulpe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015119; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru"; flow:established,to_server; content:"|3a| ifrhgnqeeotnzrmz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015120; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru"; flow:established,to_server; content:"|3a| rmdlgyreitjsjkfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015121; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uqspvdwyltgcyhft.ru"; flow:established,to_server; content:"|3a| uqspvdwyltgcyhft.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015122; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ezfydrexncoidbus.ru"; flow:established,to_server; content:"|3a| ezfydrexncoidbus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015123; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hfveiooumeyrpchg.ru"; flow:established,to_server; content:"|3a| hfveiooumeyrpchg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015124; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlihxnncwioxkdls.ru"; flow:established,to_server; content:"|3a| qlihxnncwioxkdls.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015125; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sqwlonyduvpowdgy.ru"; flow:established,to_server; content:"|3a| sqwlonyduvpowdgy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015126; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dyjvewshptsboygd.ru"; flow:established,to_server; content:"|3a| dyjvewshptsboygd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015127; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain febcbuyswmishvpl.ru"; flow:established,to_server; content:"|3a| febcbuyswmishvpl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015128; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain plmekaayiholtevt.ru"; flow:established,to_server; content:"|3a| plmekaayiholtevt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015129; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru"; flow:established,to_server; content:"|3a| rpckbgrziwbdrmhr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015130; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cyosongjihugkjbg.ru"; flow:established,to_server; content:"|3a| cyosongjihugkjbg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015131; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eefysywrvkgxuqdf.ru"; flow:established,to_server; content:"|3a| eefysywrvkgxuqdf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015132; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru"; flow:established,to_server; content:"|3a| nkrbvqxzfwicmhwb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015133; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qphhsudsmeftdaht.ru"; flow:established,to_server; content:"|3a| qphhsudsmeftdaht.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015134; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axtopsbtntqnfdyk.ru"; flow:established,to_server; content:"|3a| axtopsbtntqnfdyk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015135; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru"; flow:established,to_server; content:"|3a| ddkudnuklgiwtdyw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015136; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mkwwclogcvgeekws.ru"; flow:established,to_server; content:"|3a| mkwwclogcvgeekws.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015137; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain opldkflyvlkywuec.ru"; flow:established,to_server; content:"|3a| opldkflyvlkywuec.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015138; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvxfekhokspfuwqr.ru"; flow:established,to_server; content:"|3a| yvxfekhokspfuwqr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015139; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdprvpxdejpohqpt.ru"; flow:established,to_server; content:"|3a| bdprvpxdejpohqpt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015140; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru"; flow:established,to_server; content:"|3a| ljbvfrsvcevyfhor.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015141; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain noqzuukouyfuyrmd.ru"; flow:established,to_server; content:"|3a| noqzuukouyfuyrmd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015142; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xvcewyydwsmdgaju.ru"; flow:established,to_server; content:"|3a| xvcewyydwsmdgaju.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015143; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zatiscwwtipqlycd.ru"; flow:established,to_server; content:"|3a| zatiscwwtipqlycd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015144; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jjgshrjdcynohyuk.ru"; flow:established,to_server; content:"|3a| jjgshrjdcynohyuk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015145; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mouwwvcwwlilnxub.ru"; flow:established,to_server; content:"|3a| mouwwvcwwlilnxub.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015146; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru"; flow:established,to_server; content:"|3a| vuhaojpwxgsxuitu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015147; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru"; flow:established,to_server; content:"|3a| yayfefhrwawquwcw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015148; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"|3a| iiloishkjwvqldlq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015149; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"|3a| knauycqgsdhgbwjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015150; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"|3a| uumwyzhctrwdsrdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015151; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"|3a| wzbdwenwshfzglwt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015152; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"|3a| hiplksflttfkpsxn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015153; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"|3a| jnfrqmekhoevppvw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015154; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"|3a| ttqtkmthptxvwiku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015155; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"|3a| vygzhvfiuommkqfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015156; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"|3a| fhuidtlqttqxgjvn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015157; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"|3a| imjosxuhbcdonrco.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015158; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"|3a| rtvqcdpbqxgwnrcn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015159; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"|3a| tykvyflnjhbnqpnr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015160; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015161; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"|3a| gmokuosvnbkshdtd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015162; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"|3a| qsbourrdxgxgwepy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015163; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"|3a| sxpskxdgoczvcjgp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015164; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"|3a| dhedppigtpbwrmpc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015165; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"|3a| flthmyjeuhdygshf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015166; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"|3a| osflhkaowydftniw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015167; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"|3a| rxupwhkznihnxzqx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015168; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"|3a| bgjzhlasdrwwnenj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015169; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"|3a| elxegvkalqvkyoxc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015170; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"|3a| nrkhysgoltauclop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015171; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"|3a| pwyloytoagndnrex.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015172; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"|3a| zenquqdskekaudbe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015173; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"|3a| cldcrgtnuwvgnbfd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015174; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"|3a| mroeqjdaukskbgua.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015175; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"|3a| owekhoeuhmdiehrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015176; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"|3a| ydrngsmrdiiyvoiy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015177; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"|3a| bkhyiqitpoxewhmt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015178; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"|3a| krtbityuhlewigfe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015179; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"|3a| nvjgyermzsmynaeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015180; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"|3a| jwkpdxqbemsmclal.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015181; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"|3a| lccwpflcdjrdfjib.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015182; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"|3a| uinyjmxfqinkxbda.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015183; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"|3a| xndfbivuonkxfxrq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015184; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"|3a| hvpmffxpfnlquqxo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015185; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"|3a| kbgsbqjugdqrgtdw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015186; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"|3a| tisubmfvqrgnloxr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015187; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"|3a| vmibswhnpqhqwyih.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015188; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015189; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015190; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"|3a| shxrsvasoncjnxpn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015191; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"|3a| ummxjwieppswcnrg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015192; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"|3a| fuyfrockpfclxccd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015193; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"|3a| haqmuqqukywrcxfa.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015194; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"|3a| qhcplcuugevvyham.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015195; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"|3a| tmrtbcienxrbnsjc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015196; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"|3a| dueebwwdllfburag.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015197; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"|3a| fzsirujgdbvabrjm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015198; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"|3a| pghnrmkoeoetfwsm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015199; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"|3a| rlvqmipovrqbmvqd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015200; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"|3a| ctjbmgjudwisgshv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015201; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"|3a| eyxejlabqaytqmjx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015202; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"|3a| ogmjjmqdhlbyabzg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015203; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"|3a| qlbpfyrupyadvjsl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015204; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"|3a| atnwerhvttvbivra.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015205; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"|3a| dydderasilekaegh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015206; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"|3a| mfqfrnqllqcrayiw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015207; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"|3a| pkglwwwmjxokzzfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015208; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"|3a| yrrnrgliojezjctg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015209; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"|3a| bxhzugppnulxghvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015210; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"|3a| lfvcngdbzjrzgyby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015211; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"|3a| nkkijjyioljbfysn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015212; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"|3a| xqwkdyjydkggsppd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015213; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"|3a| axmvnmubgwlmqfrp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015214; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"|3a| keabgwmpzqhpmlng.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015215; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"|3a| mjpflkwqskuqbjnk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015216; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"|3a| vqcicnuhtwhxmtjd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015217; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"|3a| yvqnltydqtpresfu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015218; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"|3a| iefwvulgninlkoxe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015219; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"|3a| ljubdldgqwbarplc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015220; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"|3a| upgghggmbusopaxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015221; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"|3a| wuvjdexaqtmqkvgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015222; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"|3a| hektxucstnbuncix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015223; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"|3a| jiyxdlvawkranmin.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015224; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"|3a| tplczomvebjmhsgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015225; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"|3a| vuaivypissryzhij.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015226; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"|3a| gdoqznfilmtulxxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015227; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"|3a| iiewprjomieydnix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015228; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"|3a| ropypfmcqjjfdiel.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015229; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"|3a| utfenjxpvwtroioi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015230; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"|3a| edtmjcvfnfcbweed.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015231; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"|3a| hhishrpjdixwtctz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015232; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"|3a| qouubrmdxtgnnjvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015233; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"|3a| stkbtccbckhdkbii.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015234; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"|3a| dcyjurmfwhgvyoio.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015235; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"|3a| fhnpjsnknkuvhazm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015236; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"|3a| pozrtgdmhvhvdscn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015237; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"|3a| rsoxjlibxohdcyov.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015238; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"|3a| ccdifvomwhtynpay.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015239; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"|3a| ehsmldxnregnruez.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015240; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"|3a| lsvdxjpwykxxvryd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015241; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"|3a| oxkjnvhjnvnegtyb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015242; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"|3a| xfymtpavzblzbknq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015243; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015244; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"|3a| ksacasnubklrikdl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015245; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"|3a| mxpgggggukxqteoy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015246; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"|3a| wedkgpdcxlrunbmu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015247; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"|3a| yjsovtnpgbwqcbbd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015248; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"|3a| jrfyaswntteouafv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015249; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"|3a| lwtcxuzbdrsnpqfb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015250; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"|3a| veihxoqukuetxqbn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015251; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"|3a| xiwlnutkxsqxwjge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015252; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"|3a| hrkusbnevtmyisab.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015253; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"|3a| kwyyhhqtwxupnhyu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015254; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"|3a| tdndpphrtyniynvz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015255; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"|3a| wicjgufeimlbmcus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015256; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015257; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fjgtmicxtlxynlpf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015258; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ppsvcvrcgkllplyn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015259; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ruhctasjmpqbyvhm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015260; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdvkpbuldslsapeb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdvkpbuldslsapeb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015261; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eilqnjkoytyjuchn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eilqnjkoytyjuchn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015262; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|npxsiiwpxqqiihmo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015263; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtmyeslmsoxkjbku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015264; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain adbjjkquyyhyqknf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|adbjjkquyyhyqknf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015265; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ciqmhuwgvfsxdtrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015266; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mocrafrewsdjztbj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mocrafrewsdjztbj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015267; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain otruvbidvikzhlop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|otruvbidvikzhlop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015268; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yafzvancybuwmnno.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yafzvancybuwmnno|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015269; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bhujzorkulhkpwob.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bhujzorkulhkpwob|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015270; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lohnrnnpvvtxedfl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015271; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ntvrnrdpyoadopbo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015272; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wakvnkyzkyietkdr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wakvnkyzkyietkdr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015273; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zfyafrjmmajqfvbh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015274; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnlkttkruqsdjqlx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015275; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsbppxhgckolsnap.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsbppxhgckolsnap|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015276; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vznrahwzgntmfcqk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vznrahwzgntmfcqk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015277; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xeeypppxswpquvrf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xeeypppxswpquvrf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015278; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|inqgvoeohpcsfxmn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015279; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksgmckchdppqeicu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksgmckchdppqeicu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015280; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uyrorwlibbjeasoq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uyrorwlibbjeasoq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015281; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wejungvnykczyjam.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wejungvnykczyjam|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015282; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmvdnpqbblixlgxj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015283; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrkjelzwleadyxsd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrkjelzwleadyxsd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015284; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sywleisrsstsqoic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sywleisrsstsqoic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015285; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain venrfhmthwpqlqge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|venrfhmthwpqlqge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015286; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fmacqvmqafqwmebl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fmacqvmqafqwmebl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015287; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrpgglxvqwjesffr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrpgglxvqwjesffr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015288; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxbkqfydlnzopqrn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015289; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdsorylshsxjeawf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdsorylshsxjeawf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015290; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elfxqghdubihhsgd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elfxqghdubihhsgd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015291; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqtcxunxhyujqjkf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015292; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qxggipnnfmnihkic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qxggipnnfmnihkic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015293; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sdxkjaophbtufumx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sdxkjaophbtufumx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015294; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain clkujrjqvexvbmoi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|clkujrjqvexvbmoi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015295; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fqyyxagzkrpvxtki|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015296; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owldagkyzrkhqnjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owldagkyzrkhqnjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015297; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rccjvgsgffokiwze.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rccjvgsgffokiwze|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015298; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain blorcdyiipxcwyxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|blorcdyiipxcwyxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015299; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dpewaddpoewiycnj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dpewaddpoewiycnj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015300; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nwpykqeizraqthry.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nwpykqeizraqthry|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015301; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pchgijctfprxhnje.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pchgijctfprxhnje|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015302; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zisiiogqigzzqqeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zisiiogqigzzqqeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015303; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cpittmwbqtjrjpql.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cpittmwbqtjrjpql|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015304; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mvuvchtcxxibeubd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mvuvchtcxxibeubd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015305; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oblcasnhxbbocpfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oblcasnhxbbocpfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015306; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xixftoplsduqqorx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xixftoplsduqqorx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015307; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpnqmxkpxxgbdnby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015308; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kvzstpqmeoxtcwko|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015309; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nbqypqrjiqxlfvdj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015310; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain whddmvrxufbkkoew.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|whddmvrxufbkkoew|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015311; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ymrhcvphevonympo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ymrhcvphevonympo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015312; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jveqgnmjxkocqifr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jveqgnmjxkocqifr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015313; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lavvckpordclbduy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lavvckpordclbduy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015314; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vhhzcvbegxbjsxke|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015315; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xmwettbvtbhvrjuo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015316; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iujniiokeyjbmerc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iujniiokeyjbmerc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015317; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kzxrowftdocgyghs.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kzxrowftdocgyghs|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015318; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gacdiuwnhonuulpe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gacdiuwnhonuulpe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015319; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ifrhgnqeeotnzrmz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015320; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rmdlgyreitjsjkfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015321; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uqspvdwyltgcyhft.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uqspvdwyltgcyhft|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015322; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ezfydrexncoidbus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ezfydrexncoidbus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015323; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hfveiooumeyrpchg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hfveiooumeyrpchg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015324; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlihxnncwioxkdls.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlihxnncwioxkdls|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015325; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sqwlonyduvpowdgy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sqwlonyduvpowdgy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015326; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dyjvewshptsboygd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dyjvewshptsboygd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015327; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain febcbuyswmishvpl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|febcbuyswmishvpl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015328; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain plmekaayiholtevt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|plmekaayiholtevt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015329; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rpckbgrziwbdrmhr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015330; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cyosongjihugkjbg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cyosongjihugkjbg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015331; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eefysywrvkgxuqdf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eefysywrvkgxuqdf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015332; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkrbvqxzfwicmhwb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015333; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qphhsudsmeftdaht.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qphhsudsmeftdaht|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015334; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axtopsbtntqnfdyk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axtopsbtntqnfdyk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015335; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ddkudnuklgiwtdyw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015336; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mkwwclogcvgeekws.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mkwwclogcvgeekws|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015337; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain opldkflyvlkywuec.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|opldkflyvlkywuec|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015338; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvxfekhokspfuwqr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvxfekhokspfuwqr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015339; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdprvpxdejpohqpt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdprvpxdejpohqpt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015340; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljbvfrsvcevyfhor|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015341; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain noqzuukouyfuyrmd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|noqzuukouyfuyrmd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015342; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xvcewyydwsmdgaju.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvcewyydwsmdgaju|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015343; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zatiscwwtipqlycd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zatiscwwtipqlycd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015344; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jjgshrjdcynohyuk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jjgshrjdcynohyuk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015345; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mouwwvcwwlilnxub.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mouwwvcwwlilnxub|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015346; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuhaojpwxgsxuitu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015347; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yayfefhrwawquwcw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015348; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiloishkjwvqldlq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015349; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015350; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uumwyzhctrwdsrdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015351; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wzbdwenwshfzglwt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015352; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hiplksflttfkpsxn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015353; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnfrqmekhoevppvw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015354; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ttqtkmthptxvwiku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015355; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vygzhvfiuommkqfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015356; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhuidtlqttqxgjvn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015357; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015358; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rtvqcdpbqxgwnrcn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015359; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tykvyflnjhbnqpnr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015360; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehyewyqydfpidbdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015361; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015362; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qsbourrdxgxgwepy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015363; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sxpskxdgoczvcjgp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015364; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dhedppigtpbwrmpc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015365; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|flthmyjeuhdygshf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015366; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|osflhkaowydftniw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015367; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015368; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bgjzhlasdrwwnenj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015369; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015370; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nrkhysgoltauclop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015371; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pwyloytoagndnrex|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015372; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zenquqdskekaudbe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015373; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cldcrgtnuwvgnbfd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015374; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mroeqjdaukskbgua|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015375; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015376; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ydrngsmrdiiyvoiy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015377; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015378; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|krtbityuhlewigfe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015379; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nvjgyermzsmynaeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015380; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jwkpdxqbemsmclal|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015381; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lccwpflcdjrdfjib|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015382; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uinyjmxfqinkxbda|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015383; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xndfbivuonkxfxrq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015384; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hvpmffxpfnlquqxo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015385; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kbgsbqjugdqrgtdw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015386; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tisubmfvqrgnloxr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015387; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vmibswhnpqhqwyih|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015388; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gvujhzvjxwptrtdg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015389; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015390; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|shxrsvasoncjnxpn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015391; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015392; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fuyfrockpfclxccd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015393; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015394; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qhcplcuugevvyham|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015395; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmrtbcienxrbnsjc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015396; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dueebwwdllfburag|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015397; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015398; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pghnrmkoeoetfwsm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015399; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rlvqmipovrqbmvqd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015400; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ctjbmgjudwisgshv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015401; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015402; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ogmjjmqdhlbyabzg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015403; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlbpfyrupyadvjsl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015404; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|atnwerhvttvbivra|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015405; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dydderasilekaegh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015406; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mfqfrnqllqcrayiw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015407; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pkglwwwmjxokzzfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015408; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yrrnrgliojezjctg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015409; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bxhzugppnulxghvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015410; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfvcngdbzjrzgyby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015411; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkkijjyioljbfysn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015412; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqwkdyjydkggsppd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015413; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axmvnmubgwlmqfrp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015414; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|keabgwmpzqhpmlng|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015415; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjpflkwqskuqbjnk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015416; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqcicnuhtwhxmtjd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015417; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvqnltydqtpresfu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015418; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iefwvulgninlkoxe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015419; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljubdldgqwbarplc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015420; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|upgghggmbusopaxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015421; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wuvjdexaqtmqkvgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015422; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hektxucstnbuncix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015423; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jiyxdlvawkranmin|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015424; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tplczomvebjmhsgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015425; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuaivypissryzhij|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015426; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gdoqznfilmtulxxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015427; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiewprjomieydnix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015428; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ropypfmcqjjfdiel|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015429; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|utfenjxpvwtroioi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015430; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|edtmjcvfnfcbweed|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015431; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hhishrpjdixwtctz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015432; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qouubrmdxtgnnjvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015433; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stkbtccbckhdkbii|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015434; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dcyjurmfwhgvyoio|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015435; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhnpjsnknkuvhazm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015436; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pozrtgdmhvhvdscn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015437; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rsoxjlibxohdcyov|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015438; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ccdifvomwhtynpay|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015439; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehsmldxnregnruez|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015440; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsvdxjpwykxxvryd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015441; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain";  content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oxkjnvhjnvnegtyb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015442; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xfymtpavzblzbknq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015443; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bloxgsfzinxmdspt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015444; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksacasnubklrikdl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015445; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mxpgggggukxqteoy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015446; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wedkgpdcxlrunbmu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015447; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yjsovtnpgbwqcbbd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015448; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrfyaswntteouafv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015449; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lwtcxuzbdrsnpqfb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015450; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|veihxoqukuetxqbn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015451; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xiwlnutkxsqxwjge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015452; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrkusbnevtmyisab|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015453; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kwyyhhqtwxupnhyu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015454; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdndpphrtyniynvz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015455; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain";  content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wicjgufeimlbmcus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015456; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqortbbbsnksxpmm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015457; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015461; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015462; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015463; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015475; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_13, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015476; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_13, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_13, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015486; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_19, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015487; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_19, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015488; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_19, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client; file_data; content:"1234567890|0a|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015501; rev:3; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015509; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; distance:0; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_23, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_23, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012"; flow:established,from_server; file_data; content:"try{eval(|22|p"; fast_pattern; content:"|3b|}catch("; within:30; classtype:trojan-activity; sid:2015525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_25, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015548; rev:10; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015549; rev:4; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015558; rev:3; metadata:created_at 2012_08_01, updated_at 2012_08_01;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:trojan-activity; sid:2015579; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; file_data; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; metadata: former_category TROJAN; classtype:trojan-activity; sid:2015581; rev:1; metadata:created_at 2012_08_07, updated_at 2018_05_08;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; file_data; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; distance:0; classtype:trojan-activity; sid:2015582; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; distance:0; content:"=Math.round|3B|}catch("; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; file_data; content:"|3C|html|3E 3C|body|3E 3C|script|3E|"; within:20; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_08, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_08, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; file_data; content:".replace(/hwehes/g"; fast_pattern:only; classtype:trojan-activity; sid:2015592; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_08, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown .rr.nu Malware landing page"; flow:established,to_server; content:"/sl.php"; http_uri; content:".rr.nu|0D 0A|"; fast_pattern:only; http_header; reference:url,isc.sans.edu/diary.html?storyid=13864; classtype:bad-unknown; sid:2015596; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_13, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_13, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; file_data; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_13, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015622; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_13, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:8; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,6,little; pcre:"/^[a-z0-9]{6}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2012_08_15, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:9; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2012_08_15, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; fast_pattern; distance:0; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
                +
                +#alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015630; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:trojan-activity; sid:2015648; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_21, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3; metadata:created_at 2012_08_22, updated_at 2012_08_22;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; file_data; content:"|3c|script"; distance:0; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_23, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; file_data; content:"applet"; distance:0; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_23, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_27, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:3; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:3; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_28, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015660; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_28, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015661; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_28, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015662; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_28, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:2; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:2; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:2; metadata:created_at 2012_08_28, updated_at 2016_04_29;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern:only; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015670; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_29, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; fast_pattern:only; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:trojan-activity; sid:2015677; rev:4; metadata:created_at 2012_09_06, updated_at 2012_09_06;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015680; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015681; rev:2; metadata:created_at 2012_09_06, updated_at 2016_09_14;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; fast_pattern:only; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015692; rev:2; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015696; rev:3; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015698; rev:5; metadata:created_at 2012_09_12, updated_at 2012_09_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:trojan-activity; sid:2015699; rev:2; metadata:created_at 2012_09_12, updated_at 2012_09_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015700; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_14, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_14, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015705; rev:3; metadata:created_at 2012_09_17, updated_at 2012_09_17;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015706; rev:3; metadata:created_at 2012_09_17, updated_at 2012_09_17;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_17, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015710; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_17, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_19, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|%PDF-"; distance:0; classtype:trojan-activity; sid:2015725; rev:9; metadata:created_at 2012_09_21, updated_at 2012_09_21;)
                +
                +#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015729; rev:2; metadata:created_at 2012_09_21, updated_at 2012_09_21;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015731; rev:3; metadata:created_at 2012_09_21, updated_at 2012_09_21;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_21, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:6; metadata:created_at 2012_09_25, updated_at 2012_09_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_25, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:2; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:3; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:2; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015759; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.boCheMan-A/Dexter"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:5; metadata:created_at 2012_10_06, updated_at 2012_10_06;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:4; metadata:created_at 2012_10_09, updated_at 2012_10_09;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015787; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_09, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015796; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015797; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015798; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:3; metadata:created_at 2012_10_16, updated_at 2012_10_16;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET DELETED Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; nocase; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015802; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_16, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_16, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; metadata: former_category CURRENT_EVENTS; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_16, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:trojan-activity; sid:2015815; rev:3; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:trojan-activity; sid:2015816; rev:4; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_19, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; metadata: former_category CURRENT_EVENTS; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_19, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:5; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:" Java/1."; http_header; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; metadata: former_category CURRENT_EVENTS; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_23, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_25, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; depth:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_25, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:3; metadata:created_at 2012_10_25, updated_at 2012_10_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:3; metadata:created_at 2012_10_31, updated_at 2012_10_31;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=|22|Pragma|22| CONTENT=|22|no-cache|22|></head><body>"; base64_decode:bytes 365, offset 0, relative; base64_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode."; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:3; metadata:created_at 2012_10_31, updated_at 2012_10_31;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015863; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_02, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015871; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_07, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"|3a|"; http_uri; fast_pattern; content:"|3a|"; distance:2; within:1; http_uri; content:"|3a|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_07, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_09, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9; metadata:created_at 2012_11_15, updated_at 2012_11_15;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend..."; classtype:trojan-activity; sid:2015891; rev:4; metadata:created_at 2012_11_15, updated_at 2012_11_15;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2015892; rev:3; metadata:created_at 2012_11_15, updated_at 2012_11_15;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2015893; rev:5; metadata:created_at 2012_11_15, updated_at 2012_11_15;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015915; rev:3; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015916; rev:4; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RedKit /h***.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2015927; rev:3; metadata:created_at 2012_11_26, updated_at 2012_11_26;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015932; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_26, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015933; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_26, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:1; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015978; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_12_03, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Nymaim Checkin"; flow:to_server,established; content:"POST "; depth:5; content:"/nymain/"; within:8; fast_pattern; content:"/index.php"; distance:0; content:"|0d 0a 0d 0a|filename="; distance:0; content:"&data="; distance:0; reference:md5,b904ce55532582a6ea516399d8e4b410; classtype:trojan-activity; sid:2016752; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; file_data; content:"Microsoft Antivirus 2013"; classtype:bad-unknown; sid:2016020; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"Loading...!"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_12_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:bad-unknown; sid:2016025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_12_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:5; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Font File Download Dec 18 2012"; flow:to_server,established; content:".eot"; http_uri; nocase; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|read|(?:fo|tu)r)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.eot|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.EOT)$/U"; classtype:trojan-activity; sid:2016057; rev:7; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - New PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"1.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})1\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}1\.PDF)$/U"; classtype:trojan-activity; sid:2016058; rev:9; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - Old PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"2.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})2\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}2\.PDF)$/U"; classtype:trojan-activity; sid:2016059; rev:13; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - Jar - Jun 05 2013"; flow:to_server,established; content:".jar"; nocase; fast_pattern:only; http_uri; content:" Java/1"; http_header; pcre:"/Host\x3a[^\r\n]+?\.(pw|us)(\x3a\d{1,5})?\r$/Hmi"; pcre:"/^(\/[a-z]{3,20})?\/([a-z]{3,20}[-_])+[a-z]{3,20}\.jar$/U"; classtype:trojan-activity; sid:2016060; rev:13; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Popads Exploit Kit font request 32hex digit .eot"; flow:established,to_server; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/Ui"; classtype:attempted-user; sid:2016064; rev:4; metadata:created_at 2012_12_19, updated_at 2012_12_19;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page (2)"; flow:established,to_client; file_data; content:"|0D 0A|"; classtype:trojan-activity; sid:2016066; rev:2; metadata:created_at 2012_12_19, updated_at 2012_12_19;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Backdoor.Win32.Skill.gk User-Agent"; flow:established,to_server; content:"|3b 20 3b 20|"; http_header; pcre:"/User-Agent[^\r\n]+(MSIE[^\r\n]*(\x3b\x20){2}|(\x3b\x20){2}[^\r\n]*MSIE)/iH"; classtype:trojan-activity; sid:2016074; rev:4; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?affid="; depth:8; http_uri; content:"&promo_type="; http_uri; content:"&promo_opt="; http_uri; pcre:"/^\/\?affid=\d+&promo_type=\d+&promo_opt=\d+$/U"; reference:md5,527e115876d0892c9a0ddfc96e852a16; classtype:trojan-activity; sid:2016075; rev:2; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:trojan-activity; sid:2016092; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; content:"&comp="; distance:0; content:"&src="; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:trojan-activity; sid:2016096; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
                +
                +#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:3; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016112; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (iexplorer)"; flow:to_server,established; content:"User-Agent|3a 20|iexplorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2016140; rev:4; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|3d 3b|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016143; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot"; flow:established,to_server; urilen:>36; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\.eot$/U"; content:!"fonts.gstatic.com|0d 0a|"; http_header; content:!".fitbit.com|0d 0a|"; http_header; classtype:attempted-user; sid:2016155; rev:6; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2016166; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Ransomware Checkin"; flow:established,to_server; content:"/index.html"; http_uri; content:"POST"; http_method; content:!"User-Agent|3a| "; http_header; content:"application/octet-stream|0d 0a 0d 0a|"; http_client_body; content:"/"; http_client_body; distance:2; within:1; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2016185; rev:2; metadata:created_at 2013_01_11, updated_at 2016_12_23;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Potential Zeus Binary Download - Specific PE Sections Structure"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE|00 00|"; distance:0; content:".text"; distance:0; content:"m13"; distance:0; content:"m12"; distance:0; content:"m11"; distance:0; content:"m10"; distance:0; content:"m9"; distance:0; content:"m8"; distance:0; content:"m7"; distance:0; content:"m6"; distance:0; content:"m5"; distance:0; content:"m4"; distance:0; content:"m3"; distance:0; content:".data"; distance:0; content:".data2"; distance:0; reference:url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf; classtype:trojan-activity; sid:2016188; rev:3; metadata:created_at 2013_01_11, updated_at 2013_01_11;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016193; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_01_11, updated_at 2018_04_23;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:trojan-activity; sid:2016213; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_15, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download"; flow:established,to_server; content:"/pics/new.png"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/new\.png$/U"; classtype:trojan-activity; sid:2016221; rev:5; metadata:created_at 2013_01_16, updated_at 2013_01_16;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016229; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_18, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:3; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016242; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_21, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Request for FakeAV Binary /two/data.exe Infection Campaign"; flow:established,to_server; content:"/index/two/data.exe"; http_uri; classtype:trojan-activity; sid:2016243; rev:2; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - New PDF Exploit - Jan 24 2013"; flow:established,to_server; content:"3.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})3\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}3\.PDF)$/U"; classtype:trojan-activity; sid:2016278; rev:5; metadata:created_at 2013_01_25, updated_at 2013_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (2)"; flow:established,to_server; content:"/pics/image.gif"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/image\.gif$/U";  classtype:trojan-activity; sid:2016279; rev:5; metadata:created_at 2013_01_25, updated_at 2013_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (3)"; flow:established,to_server; content:"/pics/foto.png"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/foto\.png$/U"; classtype:trojan-activity; sid:2016280; rev:6; metadata:created_at 2013_01_25, updated_at 2013_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 13"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/index.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016281; rev:2; metadata:created_at 2013_01_25, updated_at 2013_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Spy.Win32.Zbot.hmcm Checkin"; flow:established,to_server; content:"/b/"; depth:3; http_uri; pcre:"/^\/b\/(eve|opt|req)\/[\-f0-9A-F]{24}$/U"; reference:md5,291b5ce96b3932944a32031d33bc8cfc; classtype:trojan-activity; sid:2018437; rev:3; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:trojan-activity; sid:2016315; rev:3; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Exploit Kit Java gif download"; flow:established,to_server; content:".gif"; http_uri; pcre:"/\.gif$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016320; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.Image; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:trojan-activity; sid:2016321; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_02_05, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/ZeroAccess Counter.img Checkin"; flow:established,to_server; content:"/counter.img?theme="; fast_pattern; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"User-Agent|3A| Opera/9 (Windows NT "; http_header; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2016358; rev:3; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; reference:url,anubis.iseclab.org/index.php?action=result&task_id=4fdbf09e9bb20824658cfd45b63a309e; classtype:trojan-activity; sid:2016385; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/afma_load_ads.js"; nocase; http_uri; fast_pattern; content:"pagead2.googlesyndication.com"; http_header; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016386; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android/DNightmare -Task Killer Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"/m/gne/suggest?q="; nocase; http_uri; fast_pattern; content:"SID=DQAAAKQAAAAHga"; http_cookie; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016387; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Exploit Kit Java png download"; flow:established,to_server; content:".png"; http_uri; pcre:"/\.png$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016402; rev:2; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:6; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CoolEK landing applet plus class Feb 12 2013"; flow:established,to_client; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (4)"; flow:established,to_server; content:"/w"; http_uri; nocase; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; classtype:trojan-activity; sid:2016408; rev:11; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
                +
                +#alert udp $HOME_NET any -> 78.47.139.110 53 (msg:"ET DELETED Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC";  reference:url,isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229; classtype:trojan-activity; sid:2016473; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Exploit Kit Java .psd download"; flow:established,to_server; content:".psd"; http_uri; pcre:"/\.psd$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016495; rev:5; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Exploit Kit Java jpeg download"; flow:established,to_server; content:".jpeg"; http_uri; pcre:"/\.jpeg$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016506; rev:5; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016524; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific -  4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016525; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch False Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_06, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (6)"; flow:established,to_server; content:"/mypic.dll"; http_uri; nocase; fast_pattern:only; pcre:"/\/(w(?:hite|orld)|step)\/mypic\.dll$/U"; classtype:trojan-activity; sid:2016547; rev:11; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT  6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko)  Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:2; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016551; rev:6; metadata:created_at 2013_03_07, updated_at 2018_06_18;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kid.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016554; rev:5; metadata:created_at 2013_03_08, updated_at 2013_03_08;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/dab.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016555; rev:3; metadata:created_at 2013_03_08, updated_at 2013_03_08;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/jot.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016556; rev:3; metadata:created_at 2013_03_08, updated_at 2013_03_08;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kir.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016557; rev:4; metadata:created_at 2013_03_08, updated_at 2013_03_08;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (7)"; flow:established,to_server; content:"/get"; http_uri; fast_pattern:only; content:".jpg"; http_uri; content:!"Referer|3a| "; http_header; pcre:"/\/get(?:a+|n+)\.jpg$/U"; classtype:trojan-activity; sid:2016559; rev:14; metadata:created_at 2013_03_08, updated_at 2013_03_08;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016561; rev:2; metadata:created_at 2013_03_12, updated_at 2013_03_12;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; content:"&i"; within:13; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016562; rev:4; metadata:created_at 2013_03_12, updated_at 2018_06_18;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016563; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016564; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_12, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Jar Naming Pattern March 03 2013"; flow:established,to_server; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9]{2}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016588; rev:13; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit URI Struct Flowbit"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{4}\.html?(\?[h-j]=\d+)?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2016589; rev:7; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CrimeBoss - Java Exploit - m11.jar"; flow:established,to_server; content:"/m11.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016597; rev:2; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_20, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Controller"; dsize:48; flow:established, from_server; content:"|54 90 1d b0 18 1b 7c ce f4 5b 24 2f ec c7 d2 21|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016657; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_03_22, malware_family PoisonIvy, updated_at 2016_07_01;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Victim"; dsize:48; flow: established, to_server; content: "|af c0 bb 65 5d 07 e0 0d bf ab 75 2f 82 79 ae 26|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016658; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_03_22, malware_family PoisonIvy, updated_at 2016_07_01;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013"; flow:established,from_server; file_data; content:"0154,0140,0154,0140,071,0167"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_22, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -5 Mar 26 2013"; flow:established,from_server; file_data; content:"0153,0137,0153,0137,070,0166"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_27, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013"; flow:established,from_server; file_data; content:"0151,0135,0151,0135,066,0164"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016686; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_01, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>35; content:".php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9A-Z]{15,35}\/((\d+[A-Z]){3}\d+|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016706; rev:21; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:bad-unknown; sid:2016712; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sakura Jar Download SET"; flow:established,to_server; content:".php"; http_uri; content:" Java/1."; http_header; fast_pattern; flowbits:set,ET.Sakura.php.Java; flowbits:noalert; classtype:trojan-activity; sid:2016720; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016723; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016724; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016725; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016729; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_05, malware_family Blackhole, updated_at 2018_01_25;)
                +
                +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P

                [0-9a-f]{2,4})(?P[\x2e\x2c\x3b\x3a])(?P(?!(?P=p))[0-9a-f]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-9a-f]{2,4}(?P=sep)){10}(?P(?!((?P=p)|(?P=d)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P(?!((?P=p)|(?P=d)|(?P=q)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=q)/R"; classtype:trojan-activity; sid:2016730; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_05, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016756; rev:5; metadata:created_at 2013_04_12, updated_at 2018_06_18;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016753; rev:9; metadata:created_at 2013_04_12, updated_at 2018_06_18;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; 
fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016755; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_12, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Apr 18 2013"; flow:established,from_server; file_data; content:"telppa"; pcre:"/(?P

                [0-7]{2,4})(?P[^0-7])(?P(?!(?P=p))[0-7]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-7]{2,4}(?P=sep)){10}(?P[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-7]{2,4}(?P=sep)(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_19, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:trojan-activity; sid:2016782; rev:14; metadata:created_at 2013_04_23, updated_at 2013_04_23;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED - Possible BlackHole request with decryption Base "; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_05_02, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Trojan POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"/a/"; http_uri; fast_pattern; content:"PHPSESSID="; http_cookie; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016834; rev:1; metadata:created_at 2013_05_08, updated_at 2013_05_08;) + +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED BlackHole Java Exploit 
Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:" Java/1."; http_header; metadata: former_category CURRENT_EVENTS; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_05_14, malware_family Blackhole, updated_at 2018_01_25;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi";content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016853; rev:15; metadata:created_at 2013_05_15, updated_at 2018_06_18;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED W32/Pushdo CnC Server Fake JPEG Response"; flow:established,to_client; file_data; content:""; fast_pattern:only; reference:url,securelist.com/blog/research/65240/energetic-bear-more-like-a-crouching-yeti/; reference:md5,bdd1d473a56607ec366bb2e3af5aedea; reference:url,802bba9d078a09530189e95e459adcdf; classtype:trojan-activity; sid:2018921; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE Exploit URI Struct"; flow:to_server,established; content:"GET|20|"; depth:4; content:"/ie7.html"; distance:0; content:"|20|HTTP/1."; distance:0; classtype:trojan-activity; sid:2018932; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_08_13, 
updated_at 2016_07_01;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE CVE-2013-2551 Payload Struct"; flow:to_server,established; content:"GET /dd HTTP/1."; depth:15; content:!"Referer|3a|"; distance:0; content:" MSIE "; distance:0; classtype:trojan-activity; sid:2018934; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_08_13, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ff 7f 8a 27 bf 5c f4 53|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018937; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_14, updated_at 2016_07_27;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; flow:established,from_server; content:"|55 04 07|"; content:"|05|miami"; distance:1; within:6; content:"|55 04 03|"; distance:0; content:"|0c|94.23.236.54"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018940; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_14, updated_at 2016_07_27;) + +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; content:"0|22 29 3b 0a 0d 0a|"; pcre:"/^\s*?|0d 0a|"; nocase; 
within:100; metadata: former_category INFO; classtype:bad-unknown; sid:2025267; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_30, updated_at 2018_01_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; content:"POST"; http_method; content:"metadata.svc"; http_uri; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http_header; content:"User-Agent|3a 20|MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT|0d 0a|"; http_header; fast_pattern:12,20; metadata: former_category INFO; classtype:misc-activity; sid:2025275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_01_31, performance_impact Low, updated_at 2018_01_31;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Browser Plugin Detect - Observed in Phish Landings"; flow:established,to_client; file_data; content:"#browser_info"; content:"getBrowserMajorVersion()"; nocase; distance:0; fast_pattern; content:"#os_info"; nocase; distance:0; content:"getOSVersion()"; nocase; distance:0; content:"getScreenPrint()"; nocase; distance:0; content:"getPlugins()"; nocase; distance:0; content:"getJavaVersion()"; nocase; distance:0; content:"getFlashVersion()"; nocase; distance:0; content:"getSilverlightVersion()"; nocase; distance:0; metadata: former_category INFO; classtype:bad-unknown; sid:2025399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_26, updated_at 2018_02_26;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Secondary Flash Request Seen (no alert)"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; 
content:"/[[DYNAMIC]]/1"; http_header; fast_pattern; flowbits:set,ET.SecondaryFlash.Req; flowbits:noalert; metadata: former_category INFO; classtype:trojan-activity; sid:2025411; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Sundown_EK, signature_severity Major, created_at 2018_03_09, updated_at 2018_03_09;) + +alert tcp any any -> any any (msg:"ET INFO Possible Sandvine PacketLogic Injection"; flow:established,from_server; id:13330; flags:AF; content:"HTTP/1.1 307 Temporary Redirect|0a|Location|3a 20|"; depth:42; fast_pattern:17,20; content:"Connection: close|0a 0a|"; distance:0; isdataat:!1,relative; metadata: former_category INFO; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:misc-activity; sid:2025428; rev:2; metadata:attack_target Client_and_Server, deployment Datacenter, signature_severity Minor, created_at 2018_03_13, performance_impact Low, updated_at 2018_03_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious User-Agent (CustomStringHere)"; flow:established,to_server; content:"User-Agent|3a 20|CustomStringHere"; http_header; metadata: former_category INFO; reference:md5,7a8cb1223e006bc7e70169c060d7057b; classtype:misc-activity; sid:2025436; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_19, updated_at 2018_03_19;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO NYU Internet HTTP/SSL Census Scan"; flow:to_server,established; content:"User-Agent|3a 20|NYU Internet Census (https://scan.lol|3b 20|research@scan.lol)"; http_header; fast_pattern:49,20; metadata: former_category INFO; reference:url,scan.lol; classtype:network-scan; sid:2025460; rev:2; metadata:affected_product Web_Server_Applications, attack_target 
Web_Server, deployment Perimeter, signature_severity Minor, created_at 2018_04_03, updated_at 2018_04_03;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.men) - set"; flow:established,to_server; content:".men|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.men(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025495; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.webcam) - set"; flow:established,to_server; content:".webcam|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.webcam(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025497; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.yokohama) - set"; flow:established,to_server; content:".yokohama|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.yokohama(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025498; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.tokyo) - set"; flow:established,to_server; content:".tokyo|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.tokyo(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025499; rev:1; metadata:created_at 2018_04_16, 
updated_at 2018_04_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.gq) - set"; flow:established,to_server; content:".gq|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.gq(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025500; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.work) - set"; flow:established,to_server; content:".work|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.work(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025501; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;) + +alert tcp any any -> any 4786 (msg:"ET INFO Cisco Smart Install Protocol Observed"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; depth:8; metadata: former_category INFO; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; classtype:misc-activity; sid:2025519; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, deployment Internal, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible Rogue LoJack Asset Tracking Agent"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"TagId|3a 20|"; http_header; fast_pattern; content:!".namequery.com|0d 0a|"; http_header; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category INFO; reference:url,asert.arbornetworks.com/lojack-becomes-a-double-agent/amp/; classtype:misc-attack; sid:2025553; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 
2018_05_02, updated_at 2018_05_02;) + +alert udp $HOME_NET any -> any 53 (msg:"ET INFO Observed DNS Query to .myq-see .com DDNS Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|myq-see|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category INFO; classtype:policy-violation; sid:2025560; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_07, performance_impact Moderate, updated_at 2018_05_07;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO [eSentire] Possible Kali Linux Updates"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|APT-HTTP|2f|"; http_header; content:"kali.org|0d 0a|"; http_header; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.kali\.org/Hm"; metadata: former_category INFO; classtype:trojan-activity; sid:2025627; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_25, updated_at 2018_06_25;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; content:"keywords/kyf"; nocase; http_uri; content:"partner_id="; nocase; http_client_body; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; classtype:trojan-activity; sid:2002001; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Install"; flow: to_server,established; content:"/downloads/installers/"; nocase; http_uri; content:"simpleinternet/180sainstaller.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002003; classtype:trojan-activity; sid:2002003; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; content:"/geodefs/gdf"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; classtype:trojan-activity; sid:2002048; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware config Download"; flow: to_server,established; content:"/config.aspx?did="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; classtype:trojan-activity; sid:2002099; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware versionconfig POST"; flow:to_server,established; content:"/versionconfig.aspx?"; http_uri; content:"&ver="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; classtype:trojan-activity; sid:2002354; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Actionlibs Download"; flow:to_server,established; content:"/actionurls/ActionUrlb"; nocase; http_uri; content:"partnerid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; classtype:trojan-activity; sid:2003057; rev:5; metadata:created_at 2010_07_30, updated_at 
2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; content:"/downloads/valueadd/ping/ping.htm"; nocase; http_uri; content:"zango.com|0d 0a|"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; classtype:trojan-activity; sid:2003058; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; content:"/ZangoTBInstaller.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; classtype:trojan-activity; sid:2003059; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; content:"/php/rpc_uci.php"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; classtype:trojan-activity; sid:2003060; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; content:"/php/uci.php"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; classtype:trojan-activity; sid:2003061; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 
2"; flow:to_server,established; content:"config.aspx"; nocase; http_uri; content:"?ver="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:trojan-activity; sid:2003217; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; content:"/trackedevent.aspx?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&rnd="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; classtype:trojan-activity; sid:2003306; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; content:"/tbrequest"; nocase; http_uri; content:"&q="; nocase; http_uri; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; classtype:trojan-activity; sid:2003610; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"IpAddr="; nocase; http_uri; content:"&OS="; nocase; http_uri; content:"&RegistryChanged="; nocase; http_uri; content:"&RegistryUpdate="; nocase; http_uri; content:"&NewInstallation="; nocase; http_uri; content:"&utilMissing="; nocase; http_uri; content:"&Basedir="; nocase; http_uri; content:"&BundleID="; nocase; http_uri; 
content:"&InitInstalled="; nocase; http_uri; content:"&Interval="; nocase; http_uri; content:"&LastInitRun="; nocase; http_uri; content:"&LastInitVer="; nocase; http_uri; content:"&LastSrngRun="; nocase; http_uri; content:"&LastUtilRun="; nocase; http_uri; content:"&SrngInstalled="; nocase; http_uri; content:"&SrngVer="; nocase; http_uri; content:"&UtilInstalled="; nocase; http_uri; content:"&UtilVer="; nocase; http_uri; content:"&PCID"; nocase; http_uri; reference:url,vil.nai.com/vil/content/v_103738.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99; reference:url,doc.emergingthreats.net/2009807; classtype:trojan-activity; sid:2009807; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; classtype:trojan-activity; sid:2001447; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:trojan-activity; sid:2008149; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 51yes.com Spyware Reporting User Activity"; flow:established,to_server; 
content:"/sa.aspx?id="; nocase; http_uri; content:"&refe=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:trojan-activity; sid:2003620; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; content:"/cgi-bin/PopupV"; nocase; http_uri; content:"?ID={"; nocase; http_uri; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; classtype:trojan-activity; sid:2001730; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; content:"/app/VT00/ucmd.php?V="; nocase; http_uri; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; classtype:trojan-activity; sid:2001735; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; content:"/abx_search_webinstall/abx_search.cab"; nocase; http_uri; reference:url,isc.sans.org/diary.php?date=2005-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2001761; classtype:trojan-activity; sid:2001761; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abcsearch.com Spyware Reporting"; flow:established,to_server; content:"/cgi-bin/search/mxml.fcgi?"; nocase; http_uri; content:"Terms="; nocase; http_uri; content:"&affiliate="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&Hits_Per_Page="; nocase; http_uri; 
reference:url,doc.emergingthreats.net/bin/view/Main/2003438; classtype:trojan-activity; sid:2003438; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET MALWARE Abox Download"; flow:established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset:160; depth:26; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; classtype:trojan-activity; sid:2001440; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abox Install Report"; flow: to_server,established; content:"&time="; nocase; http_uri; content:"/new_install?id="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; classtype:trojan-activity; sid:2001441; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Updating"; flow:established,to_server; content:"/cnconfig.gz?ct="; http_uri; content:"&bp="; http_uri; content:"&vs="; http_uri; content:"&country="; http_uri; content:"&grp="; http_uri; content:"&tcpc="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; classtype:trojan-activity; sid:2008419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/check.php?tcpc="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; classtype:trojan-activity; sid:2008425; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
MALWARE Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; content:"?UID="; nocase; http_uri; content:"&DIST="; nocase; http_uri; content:"&NPR="; nocase; http_uri; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; classtype:trojan-activity; sid:2007601; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:trojan-activity; sid:2007602; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; content:"/Games/villains.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; classtype:policy-violation; sid:2001228; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; content:"/Games/cakedeal.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; classtype:policy-violation; sid:2001230; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware Command Client Checkin"; flow: to_server,established; content:"/client.php?str="; nocase; http_uri; content:"User-Agent|3a| "; nocase; 
http_header; content:"Indy Library)"; nocase; http_header; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; classtype:policy-violation; sid:2003446; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Generic Adware Install Report"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/nsi_install.php?inst_result=success&aff_id="; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2010630; classtype:trojan-activity; sid:2010630; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wintools Download/Configure"; flow: to_server,established; content:"/WTools"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; classtype:trojan-activity; sid:2001450; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; content:"/SyncAkSoft.da_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; classtype:trojan-activity; sid:2001530; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Install"; flow: to_server,established; content:"/akcore.dl_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; classtype:trojan-activity; sid:2001737; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; 
content:"/image_server.cgi?size=small&url=http|3a|/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; classtype:trojan-activity; sid:2002349; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting"; flow:established,to_server; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&dat="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; classtype:trojan-activity; sid:2003219; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL Visited"; flow:established,to_server; content:"/data/"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&ver=alxi"; nocase; http_uri; fast_pattern:only; content:"&url="; nocase; http_uri; content:"alexa.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; classtype:trojan-activity; sid:2003606; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Redirecting User"; flow:established,to_server; content:"/redirect?http"; nocase; http_uri; content:"Host|3a| redirect.alexa.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; classtype:trojan-activity; sid:2003619; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; content:"/ie/updatenew/"; http_uri; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; classtype:trojan-activity; sid:2000903; rev:7; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; classtype:trojan-activity; sid:2001999; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Reporting"; flow:to_server,established; content:"/update/barcab/"; nocase; http_uri; metadata: former_category MALWARE; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; classtype:policy-violation; sid:2003340; rev:4; metadata:created_at 2010_07_30, updated_at 2017_04_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; content:"/update/cab/loadmovie.swf"; nocase; http_uri; content:"bar.baidu.com"; nocase; http_header; fast_pattern; metadata: former_category MALWARE; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; classtype:policy-violation; sid:2003341; rev:8; metadata:created_at 2010_07_30, updated_at 2017_04_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; content:"/cpro/ui/ui"; nocase; http_uri; content:"baidu.com"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; metadata: former_category MALWARE; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; classtype:trojan-activity; sid:2003578; rev:9; metadata:created_at 2010_07_30, 
updated_at 2017_04_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Activity"; flow:to_server,established; content:"/n?cmd="; nocase; http_uri; content:"&class="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&tn"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; classtype:trojan-activity; sid:2003605; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; content:"/sobar/sobar"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; classtype:trojan-activity; sid:2003630; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adaware.BarACE Checkin and Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|2E|php|3F|zone="; http_uri; nocase; content:"|26|name="; nocase; http_uri; content:"|26|bpid="; nocase; http_uri; content:"|26|bnum="; nocase; http_uri; content:"|26|pid="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2; reference:url,doc.emergingthreats.net/bin/view/Main/2008318; classtype:trojan-activity; sid:2008318; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bargain Buddy"; flow: to_server,established; content:"/download/bargin_buddy"; nocase; http_uri; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; classtype:trojan-activity; sid:2000574; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001885; classtype:policy-violation; sid:2001885; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; content:"/checkin.php?"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"version="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; classtype:trojan-activity; sid:2003209; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Install"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"&pais="; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:trojan-activity; sid:2003210; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; content:"/ping.php?"; nocase; http_uri; content:"ul=http"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; classtype:trojan-activity; sid:2003211; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Tibs Checkin"; flow:established,to_server; content:"/adv/"; nocase; http_uri; content:".php?a1="; nocase; http_uri; 
content:"&a2=Type of Processor|3a|"; nocase; http_uri; content:"&a3=Windows version is "; nocase; http_uri; content:"&a4=Build|3a|"; nocase; http_uri; reference:md5,65448c8678f03253ef380c375d6670ce; classtype:trojan-activity; sid:2002955; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; content:"/vxgame1/vxv.php"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; classtype:trojan-activity; sid:2002956; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; content:"/win32.exe"; nocase; http_uri; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; classtype:trojan-activity; sid:2002957; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Exploit Download"; flow:established,to_server; content:"/sploit.anr"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; classtype:trojan-activity; sid:2003153; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Data Upload"; flow:established,to_server; content:"/objects/ocget.dll"; nocase; http_uri; content:"mybest"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; 
classtype:trojan-activity; sid:2003154; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (download complete)"; flow: to_server,established; content:"/download/cabs/"; nocase; http_uri; content:"download_complete.htm"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; classtype:trojan-activity; sid:2000366; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (set_pix)"; flow: to_server,established; content:"/download/cabs/set_pix.php"; nocase; http_uri; content:"abetterinternet.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; classtype:trojan-activity; sid:2000367; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (randreco.exe)"; flow: to_server,established; content:"/download/cabs/RANDRECO/randreco.exe"; nocase; http_uri; content:"abetterinternet.com|0d 0a|"; nocase; http_header; fast_pattern; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; classtype:trojan-activity; sid:2000371; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet Ad Retrieval"; flow: to_server,established; content:"/bba/flashimages/"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; classtype:trojan-activity; sid:2000593; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Twaintec Download Attempt"; flow: to_server,established; content:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; classtype:trojan-activity; sid:2001198; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Ad Retrieval"; flow: to_server,established; content:"/twain/servlet/Twain?adcontext="; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; classtype:trojan-activity; sid:2001199; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Reporting Data"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; classtype:trojan-activity; sid:2001216; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Upload"; flow: to_server,established; content:"/bi/servlet/ThinstallPre"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001339; classtype:trojan-activity; sid:2001339; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Install Report"; flow: to_server,established; content:"/bi/servlet/ThinstallPost"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; classtype:trojan-activity; sid:2001576; rev:7; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bfast.com Spyware"; flow: to_server,established; content:"/bfast/serve?bfmid"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; classtype:policy-violation; sid:2001398; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/zuzu.php?&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; classtype:trojan-activity; sid:2005319; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bonziportal Traffic"; flow: to_server,established; content:"/bonziportal/bin/"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; reference:url,doc.emergingthreats.net/bin/view/Main/2001345; classtype:trojan-activity; sid:2001345; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Download"; flow:established,to_server; content:"/bravesentry.exe"; nocase; http_uri; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; classtype:trojan-activity; sid:2002954; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; 
content:".bravesentry.com"; nocase; http_header; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; classtype:trojan-activity; sid:2003541; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host|3a| www.bullseye-network.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; classtype:trojan-activity; sid:2001501; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware Download"; flow: to_server,established; content:"/app/InternetFuel/AppWrap.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; classtype:policy-violation; sid:2001451; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer|3a| ms-its|3a|mhtml|3a|file|3a|//C|3a|counter.mht!http|3a|//"; nocase; content:"/counter/HELP3.CHM|3a 3a|/help.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; classtype:trojan-activity; sid:2001452; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware cab Download"; flow: to_server,established; content:"/counter/counter_v3.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; classtype:trojan-activity; sid:2001458; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; content:"/js.php?event_type=onload&recurrence="; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002088; classtype:trojan-activity; sid:2002088; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; content:"/download/CnsMin"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; classtype:trojan-activity; sid:2003417; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; content:"/download/CnsUp"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; classtype:trojan-activity; sid:2003418; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; content:"/download/autolvsw.ini?"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; classtype:trojan-activity; sid:2003419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; content:"/x/in.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002089; classtype:trojan-activity; sid:2002089; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; content:"/x/tbd_web.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; classtype:trojan-activity; sid:2002095; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Trafcool.biz Related Installer"; flow:established,to_server; content:"/progs_traff/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002931; classtype:trojan-activity; sid:2002931; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; content:"/?advid="; nocase; http_uri; content:"spy-sheriff.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; classtype:trojan-activity; sid:2002933; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; content:"/download/cabs/THNALL1L/thnall1l.exe"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; classtype:trojan-activity; sid:2001521; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware 
Reporting URL Visited 3"; flow: to_server,established; content:"/sd?"; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; reference:url,doc.emergingthreats.net/2009880; classtype:trojan-activity; sid:2009880; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 2"; flow: to_server,established; content:"/sd?"; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; classtype:trojan-activity; sid:2002196; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Install"; flow: to_server,established; content:"/newdownload/newsetup/"; nocase; http_uri; content:"casinone"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; classtype:trojan-activity; sid:2001041; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Reporting Data"; flow: to_server,established; content:"/logs.asp?MSGID=100"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; classtype:trojan-activity; sid:2001031; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Ping Hit"; flow: to_server,established; content:"/Ping/Ping.txt"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; classtype:trojan-activity; sid:2001032; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Data Download"; flow: to_server,established; content:"/sdl/casinov"; nocase; http_uri; 
reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; classtype:trojan-activity; sid:2001033; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Catchonlife.com Spyware"; flow: to_server,established; content:"/nw3/r1.txt?"; http_uri; content:"catchonlife"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; classtype:trojan-activity; sid:2003358; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; content:"/notify.php?pid=remupd&module=install&v="; nocase; http_uri; content:"&result=1&message=Success"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001494; classtype:trojan-activity; sid:2001494; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; classtype:trojan-activity; sid:2001500; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic"; flow: to_server,established; content:"/cc/"; http_uri; content:"Host|3a| update.cc.cometsystems.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; classtype:policy-violation; sid:2000931; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CometSystems Spyware"; 
flow: to_server,established; content:"/comet/request"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; classtype:policy-violation; sid:2001050; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; content:"/context/1/up_context_1.xml"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; classtype:policy-violation; sid:2001655; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host|3a| log.cc.cometsystems.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; classtype:policy-violation; sid:2001658; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Update Download"; flow: to_server,established; content:"/cc/5/masterconfig/"; nocase; http_uri; content:"/update.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002351; classtype:policy-violation; sid:2002351; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Context Report"; flow: to_server,established; content:"/context/1/up_context_1.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; classtype:policy-violation; sid:2002352; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Cursor DL"; flow: to_server,established; content:"/czcontent/cursor"; nocase; http_uri; 
reference:url,doc.emergingthreats.net/bin/view/Main/2003307; classtype:policy-violation; sid:2003307; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; content:"/Message/"; http_uri; content:"User-Agent|3a| EI"; nocase; http_header; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; classtype:trojan-activity; sid:2003218; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com Spyware Install"; flow: to_server,established; content:"/getexe/?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; classtype:trojan-activity; sid:2003074; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com Spyware Install 2"; flow: to_server,established; content:"/getdata/getdata.php?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; classtype:trojan-activity; sid:2003075; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; content:"/fdial2.php?o="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; classtype:trojan-activity; sid:2003076; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware Install"; flow: established,to_server; content:"/AproposClientInstaller.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; classtype:trojan-activity; 
sid:2001704; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ContextPanel Reporting"; flow: to_server,established; content:"/cplog/?logtype="; nocase; http_uri; content:"contextpanel.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; classtype:policy-violation; sid:2001456; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolDeskAlert Spyware Activity"; flow:to_server,established; content:"/alert/get_xml"; nocase; http_uri; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; classtype:trojan-activity; sid:2003462; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; classtype:trojan-activity; sid:2001479; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"pcpeek-webcam-sex.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; classtype:trojan-activity; sid:2002766; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"businessopportunityseeker.biz"; nocase; 
http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; classtype:trojan-activity; sid:2002767; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"studiolacase.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; classtype:trojan-activity; sid:2002769; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msits.exe access"; flow:to_server,established; content:"/msits.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; classtype:trojan-activity; sid:2002770; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msys.exe access"; flow:to_server,established; content:"/msys.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; classtype:trojan-activity; sid:2002771; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Download"; flow: to_server,established; content:".dl_"; nocase; http_uri; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; classtype:policy-violation; sid:2001453; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage 
Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; classtype:policy-violation; sid:2001454; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:trojan-activity; sid:2001683; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .txt file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".txt"; nocase; http_uri; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; classtype:trojan-activity; sid:2010500; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".cfg"; nocase; http_uri; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; classtype:trojan-activity; sid:2010501; rev:5; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload)"; flow: established,to_server; content:"/in/payload/payload.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; classtype:trojan-activity; sid:2002816; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup)"; flow: established,to_server; content:"/in/defaults/setup.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; classtype:trojan-activity; sid:2002817; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup-alt)"; flow: established,to_server; content:"/in/defaults/setup-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; classtype:trojan-activity; sid:2003472; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload-alt)"; flow: established,to_server; content:"/in/payload/payload-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; classtype:trojan-activity; sid:2003473; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; content:"cgi-bin/ezl_kws.fcgi?cat"; nocase; http_uri; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; reference:url,doc.emergingthreats.net/bin/view/Main/2001884; classtype:trojan-activity; sid:2001884; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install INI Download"; flow: to_server,established; content:"/GetAd/tekID"; nocase; http_uri; content:".ini"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; classtype:policy-violation; sid:2003445; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install Code Download"; flow: to_server,established; content:"/ax/acdt-pid"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; classtype:policy-violation; sid:2003444; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; content:".php?appname="; nocase; http_uri; content:"&appseq="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&type="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; classtype:trojan-activity; sid:2007978; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/nchkmac.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; classtype:trojan-activity; sid:2006427; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; content:"/open.php?sn="; nocase; http_uri; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; classtype:trojan-activity; sid:2006428; 
rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkblack.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; classtype:trojan-activity; sid:2006431; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; content:"/ret.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&cname="; nocase; http_uri; content:"&cn="; nocase; http_uri; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; classtype:trojan-activity; sid:2006432; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/api_result.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&PartID="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; classtype:trojan-activity; sid:2006433; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/chkvs.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; classtype:trojan-activity; 
sid:2007642; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dollarrevenue.com Spyware Code Download"; flow:established,to_server; content:"/bundle/drsmartload.exe"; nocase; http_uri; reference:url,dollarrevenue.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002967; classtype:trojan-activity; sid:2002967; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TROJAN_VB Microjoin"; flow:established,to_server; content:"/bundle/loader.exe"; nocase; http_uri; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; classtype:trojan-activity; sid:2003084; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dropspam.com Spyware Reporting"; flow:established,to_server; content:"/reportaddon.cgi?"; nocase; http_uri; content:"report.cgi?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"software="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; classtype:trojan-activity; sid:2003440; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting Install"; flow: to_server,established; content:"/count/count.php?&mm"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; classtype:trojan-activity; sid:2001416; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Receiving Config"; flow: to_server,established; content:"/config/?"; nocase; http_uri; content: "v=5"; nocase; 
http_uri;content: "n=mm2"; nocase; http_uri; content: "i="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; classtype:trojan-activity; sid:2001417; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading Code"; flow: to_server,established; content:"/soft/unstall.exe"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001418; classtype:trojan-activity; sid:2001418; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting"; flow: to_server,established; content:"/count/count.php?&mm2cpr"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; classtype:trojan-activity; sid:2001423; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Spyware Reporting (check url)"; flow: to_server,established; content:"/go/check?build="; nocase; http_uri; content:"&source="; nocase; http_uri; content:"&merchants="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; classtype:trojan-activity; sid:2003504; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; content:"/files/eSyndicateInst.exe"; nocase; http_uri; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; classtype:trojan-activity; sid:2002009; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; content:"/files/SEPInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; classtype:trojan-activity; sid:2002010; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; content:"/partner/rt.php?q="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; classtype:trojan-activity; sid:2002317; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; content:"/partner/rt.php?cat="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; classtype:trojan-activity; sid:2002318; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; content:"/partner/bom.php?e="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; classtype:trojan-activity; sid:2002319; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ebates Install"; flow: to_server,established; content:"/ebates.exe"; http_uri; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001038; classtype:policy-violation; sid:2001038; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin"; flow:established,to_server; content:"/iis2ebs.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; classtype:trojan-activity; sid:2003304; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; content:"/iis2ucms.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; classtype:trojan-activity; sid:2003360; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Elitemediagroup.net Spyware Config Download"; flow:established,to_server; content:"/bundle.php?aff="; nocase; http_uri; reference:url,elitemediagroup.net; reference:url,doc.emergingthreats.net/bin/view/Main/2002966; classtype:trojan-activity; sid:2002966; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Epilot.com Spyware Reporting"; flow:established,to_server; content:"/getresults.aspx"; nocase; http_uri; content:"?aff="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&keyword="; nocase; http_uri; content:"&source="; nocase; http_uri; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; classtype:trojan-activity; sid:2003414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
Epilot.com Spyware Reporting Clicks"; flow:established,to_server; content:"/click.aspx?"; nocase; http_uri; content:"?xp="; nocase; http_uri; content:"Host|3a| "; nocase; http_header; content:"epilot.com"; nocase; http_header; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; classtype:trojan-activity; sid:2003416; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Install Attempt"; flow: to_server,established; content:"/f1/objects/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; classtype:trojan-activity; sid:2000585; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Reporting"; flow: to_server,established; content:"/f1/audit/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; classtype:trojan-activity; sid:2000582; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Config Download"; flow: to_server,established; content:"/F1/Cmd4F1"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; classtype:trojan-activity; sid:2001221; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (clickthrough)"; flow: to_server,established; content:"/bin/findwhat.dll?clickthrough&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; classtype:trojan-activity; sid:2003579; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (sendmedia)"; flow: to_server,established; 
content:"/bin/findwhat.dll?sendmedia&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; classtype:trojan-activity; sid:2003581; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FlashTrack Agent Retrieving New App Code"; flow: to_server,established; content:"/apps/r.exe"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; classtype:trojan-activity; sid:2000936; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (cxtpls)"; flow: established,to_server; content:"/softwares/cxtpls_loader_ff.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; classtype:trojan-activity; sid:2001710; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; content:"/softwares/SportsInteraction.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; classtype:trojan-activity; sid:2001705; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install)"; flow: to_server,established; content:"/checkhttp.htm"; nocase; http_uri; content:"User-Agent|3a| Wise"; nocase; http_header; content:"freeze.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; classtype:policy-violation; sid:2002840; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; content:"/ping/?shortname="; nocase; http_uri; content:"User-Agent|3a| Wise"; nocase; http_header; content:"freeze.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; classtype:policy-violation; sid:2002841; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; content:"/ToastMessage/"; nocase; http_uri; content:"/Toast.asp?ysaid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; classtype:policy-violation; sid:2003362; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W3i Related Adware/Spyware"; flow:established,to_server; content:"GET"; nocase; http_method; content:"shortname="; nocase; http_uri; content:"os="; nocase; http_uri; content:"v="; nocase; http_uri; content:"browsers="; nocase; http_uri; content:"readable="; nocase; http_uri; reference:url,www.tallemu.com/oasis2/vendor/w3i__llc/623302; reference:url,doc.emergingthreats.net/2009705; classtype:trojan-activity; sid:2009705; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Install"; flow: to_server,established; content:"/install_ie.jsp?product="; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; classtype:policy-violation; sid:2000599; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products SmileyCentral"; flow: to_server,established; content:"/images/smileycentral/"; nocase; http_uri; content:"FunWebProducts"; nocase; 
http_header; fast_pattern; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; classtype:policy-violation; sid:2001013; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; classtype:policy-violation; sid:2002305; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; classtype:policy-violation; sid:2002310; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Cursorchooser Spyware"; flow: to_server,established; content:"/CursorChooser.html?"; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; classtype:policy-violation; sid:2002306; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products StationaryChooser Spyware"; flow: to_server,established; content:"/StationeryChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; classtype:policy-violation; sid:2002858; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; content:"/download/install_ie_sp2.jhtml?"; nocase; http_uri; content:"product="; nocase; http_uri; content:"utmCall="; nocase; http_uri; content:"bOrganic="; nocase; http_uri; reference:url,www.myfuncards.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; classtype:trojan-activity; sid:2003151; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com Activity"; flow: to_server,established; content:"/game-quit-count.jsp?ghgamecode="; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; classtype:trojan-activity; sid:2003348; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; classtype:policy-violation; sid:2000025; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator New Code Download"; flow: to_server,established; content:"/gatorcme/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; classtype:policy-violation; sid:2000597; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Claria Data Submission"; flow: to_server,established; content:"POST"; nocase; http_method; content:"gs_trickler"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; 
classtype:policy-violation; sid:2000596; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Agent"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; content:"gtrg2ze"; nocase; http_uri; reference:url,malware.wikia.com/wiki/Claria_Corporation; reference:url,doc.emergingthreats.net/bin/view/Main/2001306; classtype:policy-violation; sid:2001306; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; content:".scr"; nocase; http_uri; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; classtype:trojan-activity; sid:2001850; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; content:".exe"; nocase; http_uri; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; classtype:trojan-activity; sid:2002093; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; 
reference:url,doc.emergingthreats.net/bin/view/Main/2000514; classtype:misc-attack; sid:2000514; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell|3a|windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; classtype:misc-attack; sid:2000519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell|3a|winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; classtype:misc-attack; sid:2000520; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer"; flow: to_server,established; content:"Host|3a| www.globalphon.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; classtype:trojan-activity; sid:2001656; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer Download"; flow: to_server,established; content:"/dialer/internazionale_ver"; nocase; http_uri; content:".CAB"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; classtype:trojan-activity; sid:2001657; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; content:"/no_pop.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; 
classtype:trojan-activity; sid:2001659; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; content:"/add_ocx.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; classtype:trojan-activity; sid:2001660; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?z="; nocase; http_uri; content:"|26|ch="; nocase; http_uri; content:"|26|dim="; nocase; http_uri; content:"|26|abr="; nocase; http_uri; content:!"Referer|3a| "; nocase; http_header; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; classtype:trojan-activity; sid:2008375; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Install"; flow: to_server,established; content:"/tdtb.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; classtype:trojan-activity; sid:2002012; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Update"; flow: to_server,established; content:"/wupdsnff.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002013; classtype:trojan-activity; sid:2002013; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; content:".php?"; http_uri; 
content:"&advid="; http_uri; content:"&u="; http_uri; content:"&p="; http_uri; content:"HTTP/1."; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; classtype:trojan-activity; sid:2007744; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"Host|3a| 0x"; http_header; pcre:"/^Host\x3a\x200x[0-9a-f]+\r?$/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; classtype:trojan-activity; sid:2007951; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Checkin"; flow:established,to_server; content:"?udata="; http_uri; content:"mission_supgrade|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; classtype:trojan-activity; sid:2007749; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Start Report"; flow:established,to_server; content:"?udata="; http_uri; content:"program_started|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007750; classtype:trojan-activity; sid:2007750; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (1)"; flow: to_server,established; content:"/install/startInstallprocess.asp?"; nocase; http_uri; content: "Defau"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; classtype:trojan-activity; sid:2000920; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (2)"; flow: 
to_server,established; content:"/install/process/upsale/hotbar"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; classtype:trojan-activity; sid:2000921; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (3)"; flow: to_server,established; content:"/installs/hotbar/programs/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; classtype:trojan-activity; sid:2000922; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; http_method; content:"/reports/hotbar/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; classtype:trojan-activity; sid:2000923; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Upgrading"; flow: to_server,established; content:"/updates/hotbar/"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; classtype:trojan-activity; sid:2000924; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Activity"; flow: to_server,established; content:"/dynamic/hotbar/"; nocase; http_uri; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; classtype:trojan-activity; sid:2000929; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Partner Checkin"; flow: to_server,established; content:"/partners/"; 
nocase; http_uri; content:"partners.xip"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; classtype:trojan-activity; sid:2000925; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Subscription POST"; flow: to_server,established; content:"/hotbar/"; nocase; http_uri; content:"Subscription.dll?"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; classtype:trojan-activity; sid:2002820; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Adopt/Zango"; flow: to_server,established; content:"/adopt.jsp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"cid="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; classtype:trojan-activity; sid:2003364; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Keywords Download"; flow: to_server,established; content:"/keywords/kyfb."; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; classtype:trojan-activity; sid:2003388; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Install Report"; flow:established,to_server; content:"/ciconfig.aspx?did="; http_uri; content:"&brandid="; http_uri; content:"&os="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; classtype:trojan-activity; sid:2008917; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Activity Report"; flow:established,to_server; content:"/trackedevent.aspx?eid="; http_uri; content:"&brand="; http_uri; content:"&os="; http_uri; content:"&mt="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; classtype:trojan-activity; sid:2008918; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ICQ-Update.biz Reporting Install"; flow: to_server,established; content:"log.php?"; nocase; http_uri; content: "IP="; nocase; http_uri; content:"Port1="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; classtype:trojan-activity; sid:2001490; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware Installer"; flow:established,to_server; content:"/counter/help.chm"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002090; classtype:trojan-activity; sid:2002090; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware checkin"; flow:established,to_server; content:"/l/gpr.php?"; nocase; http_uri; content: "ID1="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; classtype:trojan-activity; sid:2002096; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; content:"/ist/scripts/log_downloads.php"; nocase; http_uri; reference:url,www.isearchtech.com; 
reference:url,doc.emergingthreats.net/bin/view/Main/2000927; classtype:trojan-activity; sid:2000927; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; content:"/ist/bars/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; classtype:trojan-activity; sid:2000928; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; content:"/ist/softwares/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001395; classtype:trojan-activity; sid:2001395; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech Toolbar Data Submission"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?"; nocase; http_uri; content: "version="; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; classtype:trojan-activity; sid:2001697; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Ping"; flow: established,to_server; content:"/ping.asp"; nocase; http_uri; content:"incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; classtype:trojan-activity; sid:2001793; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host|3a| www.incredisearch.com"; nocase; http_header; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001794; classtype:trojan-activity; sid:2001794; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Instafinder.com spyware"; flow: established,to_server; content:"/404/update/instafi"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; classtype:trojan-activity; sid:2003376; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Fuel.com Install"; flow: to_server,established; content:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; classtype:trojan-activity; sid:2002015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optomizer Reporting Data"; flow: to_server,established; content:"/io/downloads/"; nocase; http_uri; content:"/wsi8/optimize"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; classtype:policy-violation; sid:2001308; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optimizer Spyware Install"; flow: to_server,established; content:"/internet-optimizer/"; nocase; http_uri; content:"/optimize"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; classtype:policy-violation; sid:2001396; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (1)"; flow: to_server,established; content:"/install.qg?"; nocase; http_uri; 
content: "ID="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,wilderssecurity.com/threads/hijack-this-log-sandoxer-jmnad1.42146/; classtype:trojan-activity; sid:2002019; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (2)"; flow: to_server,established; content:"/download/mw_4s_stub.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; classtype:trojan-activity; sid:2002016; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; content:"/sdfg.jar"; http_uri; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; classtype:trojan-activity; sid:2010438; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Keenvalue Update Engine"; flow: to_server,established; content:"Host|3a|secure.keenvalue.com"; http_header; fast_pattern; content:"|0d0a|Extension|3a|Remote-Passphrase"; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; classtype:trojan-activity; sid:2000932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Install"; flow:established,to_server; content:"/soft/installers/spyguardf.php"; nocase; http_uri; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; classtype:trojan-activity; sid:2003201; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Update Check"; flow:established,to_server; content:"/soft/update/check_update.php"; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; classtype:trojan-activity; sid:2003202; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hitvirus Fake AV Install"; flow:established,to_server; content:"/soft/installers/hitvirusf.php"; nocase; http_uri; content:"get.hitvirus.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; classtype:trojan-activity; sid:2003203; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Updating"; flow:established,to_server; content:"/soft/update/get.php"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"mail="; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003204; classtype:trojan-activity; sid:2003204; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware"; flow:established,to_server; content:"/iesocks?peer_id="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; classtype:trojan-activity; sid:2003298; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware 2"; flow:established,to_server; content:"/sp?c=N&i="; 
nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; classtype:trojan-activity; sid:2003526; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; content:"/statics.php?maddr="; nocase; http_uri; content:"&ipaddr="; nocase; http_uri; content:"&ovt="; nocase; http_uri; content:"&verno="; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; classtype:trojan-activity; sid:2008067; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; content:"/alive.php?ovt=new_link"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; classtype:trojan-activity; sid:2008069; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content: "adcontext"; nocase; http_uri; reference:url,www.localnrd.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; classtype:trojan-activity; sid:2001340; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer|3a| Look2Me"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001499; classtype:trojan-activity; sid:2001499; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Look2Me Activity"; flow:established,to_server; content:"&ID={"; http_uri; fast_pattern:only; content:"&rand="; http_uri; content:"User-Agent|3a|Mozilla/4.0 (compatible|3b|"; http_header; pcre:"/&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; classtype:trojan-activity; sid:2008474; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:"Host|3a| www.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; classtype:trojan-activity; sid:2003611; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/madownload.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"Host|3a| download.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; classtype:trojan-activity; sid:2003612; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Configuration Access"; flow: to_server,established; content:"/oss/remoteconfig.asp"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2000902; classtype:policy-violation; sid:2000902; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Access"; flow: to_server,established; content:"proxyhttp|0b|marketscore|03|com"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001359; classtype:policy-violation; sid:2001359; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; classtype:policy-violation; sid:2001563; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore Spyware Uploading Data"; flow: to_server,established; content:"/scripts/contentidpost.dll"; nocase; http_uri; content:"OSS-Proxy"; nocase; http_header; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; classtype:policy-violation; sid:2003253; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent|3a| ManInTheMiddle-Proxy"; http_header; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; classtype:policy-violation; sid:2001586; rev:8; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Upgrading"; flow: to_server,established; content:"/oss/upgrchk_2a.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; classtype:policy-violation; sid:2001587; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (1)"; flow: to_server,established; content:"/oss/dittorules.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; classtype:policy-violation; sid:2001588; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (2)"; flow: to_server,established; content:"/oss/routerrules2.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; classtype:policy-violation; sid:2001589; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8080] (msg:"ET MALWARE Matcash Trojan Related Spyware Code Download"; flow:established,to_server; content:"User-Agent|3a| Windows 5.1 (2600)|3b| DMCP"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; classtype:trojan-activity; sid:2008759; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; content:"/upd/check?version="; nocase; 
http_uri; content:"&localeId="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&updatevalue="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003344; classtype:trojan-activity; sid:2003344; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Media Pass ActiveX Install"; flow: to_server,established; content:"/MediaPassK.exe"; nocase; http_uri; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001783; classtype:policy-violation; sid:2001783; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Download"; flow: to_server,established; content:"MediaTicketsInstaller.cab"; http_uri; content:"Host|3a| www.mt-download.com"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; classtype:trojan-activity; sid:2001448; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Spyware Install"; flow: to_server,established; content:"/mtrslib2.js"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; classtype:trojan-activity; sid:2001481; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Config"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; 
nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; classtype:trojan-activity; sid:2001503; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; content:"/dw/cgi/register.cgi?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; classtype:trojan-activity; sid:2001509; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; content:"/dw/cgi/country.cgi"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"NSISDL"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; classtype:trojan-activity; sid:2001507; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Metarewards Spyware Activity"; flow: to_server,established; content:"Host|3a| www.metareward.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; classtype:policy-violation; sid:2001666; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; content:"/dlhelper.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; classtype:trojan-activity; sid:2001641; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com 
Spyware Installation (2)"; flow: established,to_server; content:"/DownloadHNew.asp?"; nocase; http_uri; content:"btag="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; classtype:trojan-activity; sid:2001643; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Reporting Installation"; flow: established,to_server; content:"/dlhelper/downloadlogger2.asp?"; nocase; http_uri; content:"time="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; classtype:trojan-activity; sid:2001644; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Casino App Install"; flow: established,to_server; content:"/viper/thunderluck/00"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; classtype:trojan-activity; sid:2001645; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Install (1)"; flow: to_server,established; content:"/mindset5/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; classtype:trojan-activity; sid:2000583; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Install (2)"; flow: to_server,established; content:"/mindset/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; classtype:trojan-activity; sid:2000584; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirarsearch.com Spyware Posting Data"; flow:established,to_server; 
content:"/v70match.cgi?"; nocase; http_uri; content:"key1="; nocase; http_uri; content:"&key2="; nocase; http_uri; content:"&match="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; classtype:trojan-activity; sid:2003577; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Mirar Reporting (BAR)"; flow:to_server,established; content:"download.cgi?BUILDNAME="; nocase; http_uri; content:"&AFFILIATE="; http_uri; content:"&ID="; http_uri; content:"&ERROR=0"; http_uri; content:"User-Agent|3a| BAR"; http_header; reference:url,doc.emergingthreats.net/2009234; classtype:policy-violation; sid:2009234; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My-Stats.com Spyware Checkin"; flow: established,to_server; content:"/ad-partner/SelectConfirm.php?"; nocase; http_uri; content:"dummy="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; classtype:misc-activity; sid:2001747; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; content:"/images/mysearchbar/highlight"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:trojan-activity; sid:2003351; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; content:"/images/mysearchbar/customize"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:trojan-activity; sid:2003352; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/CSetup_xp.cab"; http_uri; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; classtype:trojan-activity; sid:2007996; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearchNow.com Spyware"; flow: to_server,established; content:"exe/dns.html"; nocase; http_uri; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.mysearchnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; classtype:trojan-activity; sid:2003221; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch.com Spyware Install"; flow:established,to_server; content:".php?aff=mysidesearch&act=install"; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; classtype:trojan-activity; sid:2008915; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch Browser Optimizer"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; nocase; http_header; content:".php?aff="; nocase; http_uri; content:"&act="; nocase; http_uri; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; classtype:trojan-activity; sid:2009524; rev:7; metadata:created_at 
2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My Search Spyware Config Download"; flow: to_server,established; content:"/ms"; nocase; http_uri; content:"cfg.jsp?"; http_uri; content:"v="; nocase; http_uri; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002839; classtype:trojan-activity; sid:2002839; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; content:"/speedbar/mySpeedbarCfg"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; classtype:trojan-activity; sid:2000600; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; content:"/barcfg.jsp?"; nocase; http_uri; content:"MyWebSearchWB"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; classtype:trojan-activity; sid:2002836; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; content:"/mySpeedbarCfg2.jsp"; nocase; http_uri; content:"MyWebSearch"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; classtype:trojan-activity; sid:2003222; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; content:"/jsp/cfg_redir2.jsp?id="; nocase; http_uri; content:"url=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; classtype:trojan-activity; sid:2003617; rev:6; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware updating"; flow:established,to_server; content:"/download/NewDotNet/"; nocase; http_uri; content:"/upgrade.cab?"; nocase; http_uri; content:"upg="; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; classtype:trojan-activity; sid:2003240; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware Checkin"; flow:established,to_server; content:"/?version="; nocase; http_uri; content:"discard_tag="; nocase; http_uri; content:"source="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"br=NewDotNet"; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; classtype:trojan-activity; sid:2003241; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oenji.com Install"; flow: to_server,established; content:"/Bundled/OemjiInstall"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001538; classtype:trojan-activity; sid:2001538; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".oemji.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; classtype:trojan-activity; sid:2001539; rev:10; metadata:created_at 2010_07_30, updated_at 2017_05_11;) + +#alert tcp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; 
flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; flowbits:isnotset,ET.pdf.in.http; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, updated_at 2017_09_08;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OfferOptimizer.com Spyware"; flow: to_server,established; content:"/ctx/keyword_context.php?"; nocase; http_uri; content:"urlContext=http"; nocase; http_uri; reference:url,www.offeroptimizer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; classtype:policy-violation; sid:2001341; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OneStepSearch Host Activity"; flow: to_server,established; content:"GET"; nocase; http_method; content:"host|3a| upgrade.onestepsearch.net"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; classtype:trojan-activity; sid:2007855; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OutBlaze.com Spyware Activity"; flow: to_server,established; content:"/scripts/adpopper/webservice.main"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; classtype:trojan-activity; sid:2002044; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Install"; flow: to_server,established; content:"/ctxad-"; nocase; http_uri; pcre:"/ctxad-\d+\.sig/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; classtype:trojan-activity; sid:2001495; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Advertising Campaign 
Download"; flow: to_server,established; content:"/campaigns"; nocase; http_uri; content:"outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001496; classtype:trojan-activity; sid:2001496; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host|3a| campaigns.outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001497; classtype:trojan-activity; sid:2001497; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Checkin"; flow: to_server,established; content:"/notify.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&module="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&result="; nocase; http_uri; content:"&message="; nocase; http_uri; content:"outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; classtype:trojan-activity; sid:2003426; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host|3a| download.overpro.com"; nocase; http_header; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; classtype:trojan-activity; sid:2001444; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Games"; flow: to_server,established; content:"/blocks/blasterblocks"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001459; classtype:trojan-activity; sid:2001459; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Install Report"; flow: to_server,established; content:"/processInstall.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; classtype:trojan-activity; sid:2002017; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:trojan-activity; sid:2008456; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pacimedia Spyware 1"; flow:to_server,established; content:"/mcp/mcp.cgi"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; classtype:trojan-activity; sid:2002083; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"User-Agent|3a| PCDoc"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; classtype:trojan-activity; sid:2007786; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; 
content:"User-Agent|3a| mypcdoc"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; classtype:trojan-activity; sid:2007804; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?kind="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&addresses="; nocase; http_uri; content:"&hdmacid="; nocase; reference:url,doc.emergingthreats.net/2009712; classtype:trojan-activity; sid:2009712; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/privacyprotectorfreesetup.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; classtype:trojan-activity; sid:2003547; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; content:"?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri;content:"&v="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"&platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri;content:"&ac="; nocase; http_uri; content:"&appid="; nocase; http_uri; content:"&em="; nocase; http_uri; content:"&pcid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:trojan-activity; sid:2007664; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Pynix.dll BHO Activity"; flow: established,to_server; content:"ABETTERINTERNET.EXE"; nocase; http_uri; content:"bho=PYNIX.DLL"; nocase; http_uri; 
reference:url,www.pynix.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; classtype:trojan-activity; sid:2001748; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST"; nocase; http_method; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:trojan-activity; sid:2007820; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio.com Related Adware/Spyware User-Agent (HTTP_CONNECT_2)"; flow:established,to_server; content:"User-Agent|3a| HTTP_Connect_"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007821; classtype:trojan-activity; sid:2007821; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rdxrp.com Traffic"; flow: to_server,established; content:"/rdxr020304.dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; classtype:trojan-activity; sid:2001311; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; classtype:trojan-activity; sid:2008402; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE Regnow.com Access"; flow: to_server,established; content:"/softsell/visitor.cgi?"; nocase; http_uri; content:"affiliate="; nocase; http_uri; reference:url,www.regnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001223; classtype:trojan-activity; sid:2001223; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Gamehouse.com Access"; flow: to_server,established; content:"/affiliates/template.jsp?"; nocase; http_uri; content:"AID="; nocase; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; classtype:trojan-activity; sid:2001224; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Salongas Infection"; flow: to_server,established; content:"/sp.htm?id="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; classtype:trojan-activity; sid:2000601; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Relevancy Spyware"; flow: established,to_server; content:"/SearchRelevancy/SearchRelevancy.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; classtype:trojan-activity; sid:2001696; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 1"; flow: to_server,established; content:"/rd/Clk.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; classtype:trojan-activity; sid:2002296; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com 
Spyware 2"; flow: to_server,established; content:"/rd/feed/TextFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; classtype:trojan-activity; sid:2002297; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 3"; flow: to_server,established; content:"/rd/feed/XMLFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; classtype:trojan-activity; sid:2002298; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 4"; flow: to_server,established; content:"/rd/feed/JavaScriptFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; classtype:trojan-activity; sid:2002299; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 5"; flow: to_server,established; content:"/rd/feed/JavaScriptFeedSE.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; classtype:trojan-activity; sid:2002300; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 6"; flow: to_server,established; content:"/rd/SearchResults.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; classtype:trojan-activity; sid:2002301; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 7"; flow: to_server,established; content:"/rd/jsp/BidRank/index.jsp"; http_uri; reference:url,www.searchfeed.com; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002302; classtype:trojan-activity; sid:2002302; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 8"; flow: to_server,established; content:"/SFToolBar.html"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; classtype:trojan-activity; sid:2002303; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (prog)"; flow: to_server,established; content:"/dkprogs/dktibs.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; classtype:trojan-activity; sid:2001474; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Receiving Commands"; flow: to_server,established; content:"/xpsystem/commands.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; classtype:trojan-activity; sid:2001475; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (systime)"; flow: to_server,established; content:"/dkprogs/systime.txt"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; classtype:trojan-activity; sid:2001480; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (mstask)"; flow: to_server,established; content:"/dkprogs/mstasks3.txt"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; classtype:trojan-activity; sid:2001483; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (d.exe)"; flow: to_server,established; content:"/x30/d.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; classtype:trojan-activity; sid:2001484; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; content:"/cab/v3cab.cab"; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; classtype:trojan-activity; sid:2001540; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; classtype:trojan-activity; sid:2001533; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; content:"/silent_install.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; classtype:trojan-activity; sid:2001534; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; content:"/protector.exe"; http_uri; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; classtype:trojan-activity; sid:2001535; rev:12; metadata:created_at 2010_07_30, 
updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (install)"; flow: to_server,established; content:"/sideb.exe"; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; classtype:trojan-activity; sid:2001744; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; content:"/silent.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; classtype:trojan-activity; sid:2002091; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host|3a| content.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; classtype:policy-violation; sid:2001650; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host|3a| results.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; classtype:policy-violation; sid:2001653; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Security-updater.com Spyware Posting Data"; flow:established,to_server; content:"/SA/receive_data.php3?tcpc="; http_uri; 
content:"security-updater.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003576; classtype:trojan-activity; sid:2003576; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Seekmo.com Spyware Data Upload"; flow:established,to_server; content:".aspx?"; http_uri; content:"eid="; http_uri; content:"&pkg_ver="; http_uri; content:"&ver="; http_uri; content:"&brand="; http_uri; content:"&mt="; http_uri; content:"&partid="; content:"&altdid="; http_uri; content:"&os="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; classtype:trojan-activity; sid:2008356; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; content:".php?kind="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&ver2="; nocase; http_uri; content:"&ver3="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&supportid="; nocase; http_uri; content:"&uniq="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; classtype:trojan-activity; sid:2008016; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sexmaniack Install Tracking"; flow: to_server,established; content:"/counted.php?ref="; nocase; http_uri; content:"Host|3a| counter.sexmaniack.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; classtype:trojan-activity; sid:2001460; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop At Home Select.com Install Attempt"; flow: to_server,established; content:"/mindset/bunsetup.cab"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=700; 
reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; classtype:policy-violation; sid:2000580; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; classtype:policy-violation; sid:2000581; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Heartbeat"; flow: established,to_server; content:"/s.dll?MfcISAPICommand=heartbeat¶m="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; classtype:policy-violation; sid:2001708; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Install"; flow: established,to_server; content:"/arcadecash/setup"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; classtype:policy-violation; sid:2002037; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopnav Spyware Install"; flow: to_server,established; content:"/toolbarv3.cgi?UID="; nocase; http_uri; content:"&version="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002000; classtype:trojan-activity; sid:2002000; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopcenter.co.kr Spyware Install Report"; flow:established,to_server; content:"/RewardInstall.php?mac=0"; http_uri; content:"&hdd="; http_uri;content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:trojan-activity; sid:2008370; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Install"; flow: to_server,established; content:"/servlet/sbinstservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; classtype:policy-violation; sid:2001016; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data"; flow: to_server,established; content:"/servlet/sblogservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; classtype:policy-violation; sid:2001017; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; content:"/servlet/SbStartservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; classtype:policy-violation; sid:2002821; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Simbar Spyware User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"|3b| SIMBAR={"; http_header; fast_pattern; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; reference:url,vil.nai.com/vil/content/v_131206.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2009005; classtype:policy-violation; sid:2009005; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install rh.exe"; flow: to_server,established; content:"/install/RH/rh.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; classtype:trojan-activity; sid:2001505; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install"; flow: to_server,established; content:"/install/SE/sed.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; classtype:trojan-activity; sid:2001516; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Update"; flow: to_server,established; content:"/data/spv15.dat?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; classtype:trojan-activity; sid:2001513; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)"; flow:established,to_server; content:"User-Agent|3a| SnoopStick "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007956; classtype:trojan-activity; sid:2007956; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install"; flow:established,to_server; content:"/setup/setup.asp?id="; nocase; http_uri; content:"&pcid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&taday="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; classtype:trojan-activity; sid:2008135; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; content:"/setup/adClick.asp?Id="; nocase; http_uri; content:"&WebId="; nocase; http_uri; content:"&sDate="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; classtype:trojan-activity; sid:2008148; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softcashier.com Spyware Install Checkin"; flow:established,to_server; content:".php?wmid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&hs="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; classtype:trojan-activity; sid:2007861; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softwarereferral.com Adware Checkin"; flow:established,to_server; 
content:"wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; classtype:trojan-activity; sid:2007696; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:trojan-activity; sid:2002988; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Pulling IP List to Spam"; flow:established,to_server; content:"/devrandom/access.php"; nocase; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible)"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; classtype:trojan-activity; sid:2002990; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe"; flow:established,to_server; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; classtype:trojan-activity; sid:2002991; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Specificclick.net Spyware Activity"; flow: to_server,established; content:"/adopt.sm?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"&redir="; nocase; http_uri; content:"&nmv="; nocase; http_uri; content:"&nrsz="; nocase; http_uri; content:"&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; classtype:policy-violation; sid:2003450; rev:4; metadata:created_at 
2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speedera Agent (Specific)"; flow: to_server,established; content:"/io/downloads/3/wsem302.dl"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; classtype:trojan-activity; sid:2001321; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Updating"; flow:to_server,established; content:"/updates1/SKVersion.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; classtype:trojan-activity; sid:2003377; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; content:"/updates1/SKSignatures.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; classtype:trojan-activity; sid:2003375; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySherriff Spyware Activity"; flow: to_server,established; content:"/progs_exe/jbsrak/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; classtype:trojan-activity; sid:2002984; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Jupitersatellites.biz Spyware Download"; flow: to_server,established; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; classtype:trojan-activity; sid:2002987; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySheriff Intial Phone Home"; flow:established,to_server; content:"trial.php?rest="; nocase; http_uri; content:"&ver="; 
nocase; http_uri; content:"&a="; nocase; http_uri; content:"trial.php"; nocase; content:!"User-Agent|3a| "; http_header; reference:url,vil.nai.com/vil/content/v_135033.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003251; classtype:trojan-activity; sid:2003251; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; content:"&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"?=______"; http_uri; content:"&vs="; nocase; http_uri; content:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; classtype:trojan-activity; sid:2007593; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Update"; flow: to_server,established; content:"/updates/database/dbver.php"; nocase; http_uri; content:"spywareaxe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; classtype:trojan-activity; sid:2002804; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Version Check"; flow: to_server,established; content:"/updates/database/dbver.dat"; nocase; http_uri; content:"spywareaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; classtype:trojan-activity; sid:2002805; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware Checkin"; flow: to_server,established; content:"/download.php?sid="; nocase; http_uri; content:"spyaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; classtype:trojan-activity; sid:2002806; rev:6; metadata:created_at 
2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:trojan-activity; sid:2001489; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Install"; flow: to_server,established; content:"/SpySpotterInstall.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001536; classtype:trojan-activity; sid:2001536; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access"; flow: to_server,established; content:"Host|3a| "; http_header; content:"spyspotter.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; classtype:trojan-activity; sid:2001537; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; classtype:trojan-activity; sid:2000587; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs Application Install"; flow: to_server,established; content:"/DistID/BaseInstalls/V"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"Wise"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; classtype:trojan-activity; 
sid:2001522; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer Reporting Data"; flow: established,to_server; content:"/showme.aspx?keyword="; nocase; http_uri; content:"ecomdata1="; nocase; http_client_body; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; classtype:trojan-activity; sid:2001570; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer/Error Guard Activity"; flow: established,to_server; content:"/sell.cgi?errorguard/1/errorguard"; nocase; http_uri; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; classtype:trojan-activity; sid:2001571; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; content:"User-Agent|3a| update|0d|"; http_header; content:"statblaster"; http_header; fast_pattern:only; pcre:"/\/updatestats\/update\d+?\.xml$/U"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:policy-violation; sid:2001225; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster.MemoryWatcher Download"; flow: to_server,established; content:"/memorywatcher.exe"; http_uri; reference:url,www.memorywatcher.com/eula.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; classtype:trojan-activity; sid:2001442; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity"; flow: established,to_server; content:"/Bundling/SskUpdater"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; classtype:trojan-activity; sid:2001731; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Download"; flow: established,to_server; content:"/requestimpression.aspx?ver="; nocase; http_uri; content:"host="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; classtype:trojan-activity; sid:2001992; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (ipixel)"; flow: established,to_server; content:"/ipixel.htm?cid="; nocase; http_uri; content:"&pck_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; classtype:trojan-activity; sid:2001994; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (rinfo)"; flow: established,to_server; content:"/rinfo.htm?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"client=SSK"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; classtype:trojan-activity; sid:2002738; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Updating"; flow:to_server,established; 
content:"/sacc/sacc.cfg.php?"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; classtype:trojan-activity; sid:2003390; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; content:"/sacc/popup.php"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; classtype:trojan-activity; sid:2003391; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Install"; flow: to_server,established; content:"/distribution/questmod-1.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; classtype:trojan-activity; sid:2001510; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Reporting"; flow: to_server,established; content:"/sa/?a="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; classtype:trojan-activity; sid:2001514; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE System-defender.com Fake AV Install Checkin"; flow:established,to_server; content:"?wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lndid="; nocase; http_uri; reference:url,www.system-defender.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007856; classtype:trojan-activity; sid:2007856; 
rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"User-Agent|3a| gh20"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; classtype:trojan-activity; sid:2007944; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; content:"/victim.php?"; http_uri; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; classtype:trojan-activity; sid:2007945; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sytes.net Related Spyware Reporting"; flow:to_server,established; content:"/Reporting/admin/upload.php"; nocase; http_uri; content:"POST"; nocase; http_method; content:"sytes.net"; nocase; http_header; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; classtype:trojan-activity; sid:2003533; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; content:"/request/req.cgi?gu="; nocase; http_uri; content:"&sid="; nocase; http_uri; content:"&kw="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; classtype:trojan-activity; sid:2001997; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; content:"/data/tn.dat?v="; nocase; http_uri; content:"&sid="; 
nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; classtype:trojan-activity; sid:2002046; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; content:"/pa/glx.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; classtype:trojan-activity; sid:2001482; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; content:"/pa/proxyrnd.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; classtype:trojan-activity; sid:2001485; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Initial Checkin"; flow:established,to_server; content:"/plist.php?uid="; http_uri; content:"Host|3a| "; http_header; content:"theinstalls.com"; http_header; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007788; classtype:trojan-activity; sid:2007788; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Download"; flow: to_server,established; content:"/d4.fcgi?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; classtype:trojan-activity; sid:2001488; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (1)"; flow: to_server,established; content:"/fcgi-bin/iza2.fcgi?m="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; classtype:trojan-activity; sid:2001729; rev:6; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (2)"; flow: to_server,established; content:"/tb/loader2.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; classtype:trojan-activity; sid:2001734; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; content:"/ldr.exe"; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001890; classtype:trojan-activity; sid:2001890; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; classtype:trojan-activity; sid:2001895; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; classtype:trojan-activity; sid:2000588; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (downloads)"; flow: to_server,established; uricontent:"/external/builds/downloads2/"; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; classtype:trojan-activity; sid:2000589; rev:8; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (common)"; flow: to_server,established; uricontent:"/external/builds/common/"; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; classtype:trojan-activity; sid:2000590; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (1)"; flow: established,to_server; content:"/acti.asp?cl=1&gd=1&clpid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; classtype:trojan-activity; sid:2001646; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (2)"; flow: established,to_server; content:"/builds/"; nocase; http_uri; content:"AutoTrack_Install.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; classtype:trojan-activity; sid:2001647; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com User Confirming Membership"; flow: established,to_server; content:"/cgi/account.plx?pid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; classtype:trojan-activity; sid:2001648; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ezula Install .exe"; flow: to_server,established; content:"/install/eZinstall.exe"; nocase; http_uri; content:"User-Agent|3a| 
eZula"; http_header; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001334; classtype:trojan-activity; sid:2001334; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; classtype:trojan-activity; sid:2001335; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; content:"/spywareremovers.php?"; http_uri; content:"Host|3a| topantispyware.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; classtype:trojan-activity; sid:2001520; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Install"; flow: to_server,established; content:"/activex/weirdontheweb_topc.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; classtype:trojan-activity; sid:2002004; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Reporting"; flow: to_server,established; content:"/trigger.php?partner="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002040; classtype:trojan-activity; sid:2002040; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)"; flow:established,to_server; content:"User-Agent|3a| RichCasino"; nocase; http_header; reference:url,doc.emergingthreats.net/2009831; classtype:trojan-activity; sid:2009831; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Traffic Syndicate Add/Remove"; flow: to_server,established; content:"/Support/AddRemove.aspx?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; classtype:policy-violation; sid:2001313; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Traffic Syndicate Agent Updating (1)"; flow: to_server,established; content:"/TbLinkConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; classtype:policy-violation; sid:2001315; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Traffic Syndicate Agent Updating (2)"; flow: to_server,established; content:"/TbInstConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; classtype:policy-violation; sid:2001316; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trafficsector.com Spyware Install"; flow: to_server,established; content:"/install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; http_uri; content:"trafficsector"; 
nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; classtype:policy-violation; sid:2002736; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Transponder Spyware Activity"; flow:established,to_server; content:"/sendROIcookie.cfm?refer="; nocase; http_uri; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; classtype:trojan-activity; sid:2002320; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Travel Update Spyware"; flow:established,to_server; content:"/abt?data="; nocase; http_uri; pcre:"/\/abt\?data=\S{150}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; classtype:trojan-activity; sid:2003297; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe?nva="; http_uri; content:"&aff="; http_uri; content:"&token="; http_uri; content:"User-Agent|3a| Macrovision_DM"; nocase; http_header; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; classtype:policy-violation; sid:2009091; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Reporting"; flow: to_server,established; content:"/iis2ucms.asp"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001995; classtype:trojan-activity; sid:2001995; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Downloading Ads"; flow: to_server,established; content:"/clientsetupfinish.html?sponsor_id="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; classtype:trojan-activity; sid:2001998; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; content:"/jk/exp.wmf"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; classtype:trojan-activity; sid:2002999; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PopupSh.ocx Access Attempt"; flow:to_server,established; content:"/PopupSh.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; classtype:trojan-activity; sid:2003000; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:trojan-activity; sid:2008157; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:trojan-activity; sid:2008158; rev:5; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE V-Clean.com Fake AV Checkin"; flow:established,to_server; content:"/bill_mod/bill_count.php?C_FLAG="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.5|3b| Windows 98)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; classtype:trojan-activity; sid:2008180; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; classtype:trojan-activity; sid:2002348; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware Reporting URL"; flow:established,to_server; content:"/js.vppimage?key="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; classtype:trojan-activity; sid:2002350; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/version/controllerVersion"; fast_pattern:only; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; classtype:trojan-activity; sid:2007995; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; content:"/mmdom.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001525; classtype:trojan-activity; sid:2001525; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; content:"/bkinst.exe"; nocase; http_uri; content:"virtumonde.com"; http_header; reference:url,www.lurhq.com/iframeads.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; classtype:trojan-activity; sid:2001526; rev:22; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/scripts/get_cookie.php"; nocase; http_uri; content:"vomba="; http_client_body; depth:6; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; classtype:trojan-activity; sid:2007870; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webbuying.net Spyware Installing"; flow:established,to_server; content:"/inst.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"&cl="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&v=wbi_v"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&win="; nocase; http_uri; content:"&un=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; classtype:trojan-activity; sid:2003442; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; 
nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; classtype:trojan-activity; sid:2001317; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Data Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"http|3a|//prime.webhancer.com"; nocase; content:"AgentTag|3a|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001677; classtype:trojan-activity; sid:2001677; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Agent Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; within:32; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; classtype:trojan-activity; sid:2001678; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Spyware"; flow: to_server,established; content:"/sitereview.asmx/GetReview"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001325; classtype:trojan-activity; sid:2001325; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; content:"/1/rdgUS10.exe"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; classtype:trojan-activity; sid:2001517; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weird on the Web /180 Solutions Checkin"; flow: to_server,established; content:"/notifier/config.ini?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; classtype:trojan-activity; sid:2002036; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; content:"/vsn/ISA/"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; classtype:policy-violation; sid:2000908; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; content:"/Appinstall?app=VVSN"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; classtype:policy-violation; sid:2000909; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=clock"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; classtype:policy-violation; sid:2000910; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin"; flow: 
to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=weather"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; classtype:policy-violation; sid:2000911; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; content:"/clock?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; classtype:policy-violation; sid:2000912; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; content:"/clockDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; classtype:policy-violation; sid:2000913; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; content:"/weatherDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; classtype:policy-violation; sid:2000914; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; content:"/weather?id="; nocase; http_uri; reference:url,www.whenusearch.com; 
reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000915; classtype:policy-violation; sid:2000915; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=whenusave"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; classtype:policy-violation; sid:2000916; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; content:"/OffersDataGZ?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; classtype:policy-violation; sid:2000917; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Desktop Bar Install"; flow: to_server,established; content:"/Appinstall?app=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; classtype:policy-violation; sid:2000918; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; content:"/SearchDB?update="; nocase; http_uri; reference:url,www.whenusearch.com; 
reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; classtype:policy-violation; sid:2000919; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Application Version Check"; flow: to_server,established; content:"/versions.html"; nocase; http_uri; content:"whenu.com"; nocase; http_header; fast_pattern; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; classtype:policy-violation; sid:2003389; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; content:"/DataChunksGZ?update="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"svr="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003404; classtype:policy-violation; sid:2003404; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Installation"; flow: to_server,established; content:"/Recovery/Checkin.aspx?version"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; classtype:trojan-activity; sid:2001307; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Checking In"; flow: to_server,established; content:"/CDADeliveries/Checkin.aspx"; nocase; http_uri; 
reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; classtype:trojan-activity; sid:2001309; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Traffic"; flow: to_server,established; content:"/CDAFiles/DP/SysConfig"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; classtype:trojan-activity; sid:2001310; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent"; flow: to_server,established; content:"/CDAFiles/"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; classtype:trojan-activity; sid:2001314; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent New Install"; flow: to_server,established; content:"/NewUser/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; classtype:trojan-activity; sid:2001322; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Install"; flow: to_server,established; content:"/updatestats/AI_Euro.exe"; nocase; http_uri; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; classtype:trojan-activity; sid:2002008; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Install"; flow: established,to_server; content:"/cab/CDTInc/ie/"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; classtype:trojan-activity; sid:2001700; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Loggin Data"; flow: established,to_server; content:"/logging.php?p="; nocase; http_uri; content:"Host|3a| public.windupdates.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; classtype:trojan-activity; sid:2001701; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/dispatcher.php?action="; nocase; http_uri; content:"Host|3a| www.winfix"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; classtype:trojan-activity; sid:2003543; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winferno Registry Fix Spyware Download"; flow: to_server,established; content:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; classtype:trojan-activity; sid:2003353; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware Download"; flow: to_server,established; content:"/WebServices/DesktopManager/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003356; classtype:trojan-activity; sid:2003356; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/checkupdate.php"; nocase; http_uri; content:"User-Agent|3a| Opera"; http_header; content:"Computer ID|3a| "; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; classtype:trojan-activity; sid:2008197; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; content:"/fa/evil.html"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001461; classtype:trojan-activity; sid:2001461; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; content:"/fa/?d=get"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001462; classtype:trojan-activity; sid:2001462; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http|3a|//xpire.info/i.exe"; nocase; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; classtype:trojan-activity; sid:2001463; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; content:"/i.exe"; nocase; http_uri; content:"xpire.info"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; classtype:trojan-activity; sid:2001464; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware 
Installs (4)"; flow: to_server,established; content:"/dl/adv121.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; classtype:trojan-activity; sid:2001466; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; content:"/dl/adv121/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; classtype:trojan-activity; sid:2001467; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; content:"/fa/ied_s7m.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; classtype:trojan-activity; sid:2001468; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; content:"/fa/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; classtype:trojan-activity; sid:2001469; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; content:"/fa/xpl3.htm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; classtype:trojan-activity; sid:2001470; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Exploit"; flow: to_server,established; content:"/2DimensionOfExploitsEnc.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; classtype:trojan-activity; sid:2001471; rev:8; metadata:created_at 
2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Install Reporting"; flow: to_server,established; content:"/report.php?user_id="; fast_pattern; http_uri; content:"&status="; http_uri; content:"&country_id="; http_uri; content:"User-Agent|3a| Windows Internet|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:md5,17c204bb156dd7f6a3ebd1547129f347; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FZdesnado.AD&ThreatID=-2147454482; classtype:trojan-activity; sid:2001472; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:trojan-activity; sid:2001491; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; classtype:trojan-activity; sid:2001541; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yourscreen.com Spyware Download"; flow: to_server,established; content:"/data/yourscreen_data.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; classtype:trojan-activity; sid:2003354; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; 
content:"/protector.exe"; nocase; http_uri; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; classtype:trojan-activity; sid:2002092; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; content:"/sideb.exe"; nocase; http_uri; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; classtype:trojan-activity; sid:2002098; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware"; flow: to_server,established; content:"/cl/clientdump"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; classtype:policy-violation; sid:2001947; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware 2"; flow: to_server,established; content:"/cl/clienthost"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; classtype:policy-violation; sid:2002735; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Spyware Install Report"; flow: to_server,established; content:"/instreport"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; classtype:policy-violation; sid:2002737; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; 
content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:trojan-activity; sid:2008757; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp?rnd="; http_uri; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&umode="; http_client_body; content:"&cn="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008798; classtype:trojan-activity; sid:2008798; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Supergames.aavalue.com Spyware"; flow: established,to_server; content:"/toolbars/msg/msg_serverside.xml"; nocase; http_uri; content:"aavalue.com"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; classtype:trojan-activity; sid:2003525; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE adservs.com Spyware"; flow: to_server,established; content:"/binaries/relevance.dat"; http_uri; content:"adservs"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; classtype:policy-violation; sid:2002740; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - sploit.anr"; flow:established,to_server; content:"GET"; nocase; http_method; 
content:"/sploit.anr"; nocase; http_uri; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; classtype:trojan-activity; sid:2002708; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loaderadv"; nocase; http_uri; pcre:"/loaderadv\d+\.jar/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; classtype:trojan-activity; sid:2002709; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loadadv***.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loadadv"; nocase; http_uri; pcre:"/loadadv\d+\.exe/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002710; classtype:trojan-activity; sid:2002710; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; content:"/qwertyuiyw12ertyuytre"; nocase; http_uri; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; classtype:trojan-activity; sid:2008681; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE K8l.info Spyware Activity"; flow: to_server,established; content:"/media/servlet/view/dynamic/url/zone?"; nocase; http_uri; content:"zid="; nocase; http_uri; content:"&pid="; nocase; 
http_uri; content:"&DHWidth="; nocase; http_uri; content:"&DHHeight="; nocase; http_uri; content:"Ref="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; classtype:policy-violation; sid:2003451; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 404Search Spyware User-Agent (404search)"; flow:established,to_server; content:"User-Agent|3a| 404search"; http_header; reference:url,doc.emergingthreats.net/2001852; classtype:trojan-activity; sid:2001852; rev:27; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel)"; flow:to_server,established; content:"User-Agent|3a| 91cast"; nocase; http_header; reference:url,doc.emergingthreats.net/2003640; classtype:trojan-activity; sid:2003640; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pigeon.AYX/AVKill Related User-Agent (CTTBasic)"; flow: established,to_server; content:"User-Agent|3a| CTT"; http_header; reference:url,doc.emergingthreats.net/2009236; classtype:trojan-activity; sid:2009236; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adwave.com Related Spyware User-Agent (STBHOGet)"; flow:to_server,established; content:"User-Agent|3a| STBHOGet"; nocase; http_header; reference:url,doc.emergingthreats.net/2003500; classtype:trojan-activity; sid:2003500; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 
2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alawar Toolbar Spyware User-Agent (Alawar Toolbar)"; flow:to_server,established; content:"User-Agent|3a| Alawar Toolbar"; nocase; http_header; reference:url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html; reference:url,doc.emergingthreats.net/2003506; classtype:trojan-activity; sid:2003506; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Search Toolbar User-Agent 2 (Alexa Toolbar)"; flow: to_server,established; content:"Alexa Toolbar"; http_header; fast_pattern:only; threshold: type limit, count 2, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2008085; classtype:trojan-activity; sid:2008085; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser)"; flow:to_server,established; content:"AntiVerminser"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003336; classtype:trojan-activity; sid:2003336; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antivermins.com Spyware/Adware User-Agent (AntiVermeans)"; flow:to_server,established; content:"User-Agent|3a| AntiVermeans"; nocase; http_header; reference:url,www.bleepingcomputer.com/forums/topic69886.htm; reference:url,doc.emergingthreats.net/2003531; classtype:trojan-activity; sid:2003531; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toplist.cz Related Spyware Checkin"; flow:to_server,established; content:"User-Agent|3a| BWL"; http_header; 
pcre:"/BWL(\sToplist|\d_UPDATE)/H"; classtype:trojan-activity; sid:2003505; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Better Internet Spyware User-Agent (thnall)"; flow: to_server,established; content:"THNALL"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/iH"; reference:url,doc.emergingthreats.net/2002002; classtype:trojan-activity; sid:2002002; rev:34; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolWebSearch Spyware User-Agent (iefeatsl)"; flow:to_server,established; content:"User-Agent|3a| iefeatsl"; nocase; http_header; reference:url,www.applicationsignatures.com/backend/index.php; reference:url,doc.emergingthreats.net/2003570; classtype:trojan-activity; sid:2003570; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolWebSearch Spyware (Feat)"; flow: to_server,established; content:"User-Agent|3a| Feat"; nocase; http_header; pcre:"/^User-Agent\x3a\x20+Feat[^\r\n]+(?:Install|Updat)er/Hmi"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; reference:url,doc.emergingthreats.net/2002160; classtype:trojan-activity; sid:2002160; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE chnsystem.com Spyware User-Agent (Update1.0)"; flow:established,to_server; content:"User-Agent|3a| Update1.0"; http_header; reference:url,doc.emergingthreats.net/2010680; 
classtype:trojan-activity; sid:2010680; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE clickspring.com Spyware Install User-Agent (CS Fingerprint Module)"; flow:to_server,established; content:"User-Agent|3a| CS Fingerprint Module"; nocase; http_header; reference:url,doc.emergingthreats.net/2003425; classtype:trojan-activity; sid:2003425; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; content:"SF Installer"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003428; classtype:trojan-activity; sid:2003428; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE xxxtoolbar.com Spyware Install User-Agent"; flow:to_server,established; content:"User-Agent|3a 32 8b 86 85 86 8e 85 86 8c 0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003429; classtype:trojan-activity; sid:2003429; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent)"; flow:to_server,established; content:"User-Agent|3a| CommonName"; nocase; http_header; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618; reference:url,doc.emergingthreats.net/2003532; classtype:trojan-activity; sid:2003532; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware User-Agent (Apropos)"; flow: established,to_server; content:"Apropos"; http_header; pcre:"/User-Agent\:[^\n]+Apropos/Hi"; 
reference:url,doc.emergingthreats.net/2001703; classtype:trojan-activity; sid:2001703; rev:38; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware User-Agent (Envolo)"; flow: established,to_server; content:"Envolo"; http_header; pcre:"/User-Agent\:[^\n]+Envolo/Hi"; reference:url,doc.emergingthreats.net/2001706; classtype:trojan-activity; sid:2001706; rev:38; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus User-Agent (PTS)"; flow: to_server,established; content:"User-Agent|3a| PTS"; http_header; reference:url,www.contextplus.net; reference:url,doc.emergingthreats.net/2002403; classtype:trojan-activity; sid:2002403; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Cpushpop.com Spyware User-Agent (CPUSH_UPDATER)"; flow:established,to_server; content:"User-Agent|3a| CPUSH_"; http_header; reference:url,doc.emergingthreats.net/2006553; classtype:trojan-activity; sid:2006553; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (CustomSpy)"; flow:to_server,established; content:"User-Agent|3a| |28|CustomSpy|29 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011271; classtype:trojan-activity; sid:2011271; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deepdo Toolbar User-Agent (FavUpdate)"; 
flow:established,to_server; content:"User-Agent|3a| FavUpdate"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,doc.emergingthreats.net/2008457; classtype:trojan-activity; sid:2008457; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate)"; flow:established,to_server; content:"User-Agent|3a| DeepdoUpdate/"; nocase; http_header; reference:url,doc.emergingthreats.net/2006386; classtype:trojan-activity; sid:2006386; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE dialno Dialer User-Agent (dialno)"; flow:to_server,established; content:"dialno"; http_header; threshold: type limit, count 5, seconds 60, track by_src; pcre:"/User-Agent\:[^\n]+dialno/Hi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003387; classtype:trojan-activity; sid:2003387; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; content:"DSInstall"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+DSInstall/iH"; reference:url,doc.emergingthreats.net/2003439; classtype:trojan-activity; sid:2003439; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EELoader Malware Packages User-Agent (EELoader)"; flow:to_server,established; content:"User-Agent|3a| EELoader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003613; classtype:trojan-activity; sid:2003613; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE EZULA Spyware User Agent"; flow: established,to_server; content:"User-Agent|3a| ezula"; nocase; http_header; reference:url,doc.emergingthreats.net/2001854; classtype:trojan-activity; sid:2001854; rev:24; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ezula Related User-Agent (mez)"; flow: to_server,established; content:"User-Agent|3a| mez|0d 0a|"; nocase; http_header; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/2000586; classtype:trojan-activity; sid:2000586; rev:30; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Easy Search Bar Spyware User-Agent (ESB)"; flow: established,to_server; content:"User-Agent|3a| ESB"; http_header; reference:url,doc.emergingthreats.net/2001853; classtype:trojan-activity; sid:2001853; rev:24; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP))"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| ERRN200"; http_header; reference:url,doc.emergingthreats.net/2009861; classtype:trojan-activity; sid:2009861; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errorsafe.com Fake antispyware User-Agent (ErrorSafe)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"ErrorSafe "; http_header; fast_pattern; within:150; pcre:"/^User-Agent\x3a\x20[^\n]+ErrorSafe/Hmi"; reference:url,doc.emergingthreats.net/2003346; classtype:trojan-activity; sid:2003346; rev:14; metadata:attack_target Client_Endpoint, 
deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER)"; flow:to_server,established; content:"User-Agent|3a| EVNUKER"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:trojan-activity; sid:2003569; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (FaceCooker)"; flow:to_server,established; content:"User-Agent|3a| FaceCooker"; nocase; http_header; reference:url,doc.emergingthreats.net/2010717; classtype:trojan-activity; sid:2010717; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus)"; flow:established,to_server; content:"User-Agent|3a| Update Internet Antivirus"; http_header; reference:url,doc.emergingthreats.net/2008647; classtype:trojan-activity; sid:2008647; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE malwarewipeupdate.com Spyware User-Agent (MalwareWipe)"; flow:to_server,established; content:"User-Agent|3a| MalwareWipe|0d 0a|"; nocase; http_header; reference:url,www.malwarewipeupdate.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086; reference:url,doc.emergingthreats.net/2003489; classtype:trojan-activity; sid:2003489; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, 
signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect)"; flow:to_server,established; content:"User-Agent|3a| ad-protect"; nocase; http_header; reference:url,spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.virusblast.com; reference:url,doc.emergingthreats.net/2003476; classtype:trojan-activity; sid:2003476; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Terminexor.com Spyware User-Agent (DInstaller2)"; flow:to_server,established; content:"User-Agent|3a| DInstaller"; nocase; http_header; reference:url,www.terminexor.com; reference:url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor; reference:url,doc.emergingthreats.net/2003477; classtype:trojan-activity; sid:2003477; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER)"; flow:to_server,established; content:"User-Agent|3a| ERRORNUKER"; nocase; http_header; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.errornuker.com; reference:url,doc.emergingthreats.net/2003478; classtype:trojan-activity; sid:2003478; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"Antivir"; http_header; 
fast_pattern:only; pcre:"/User-Agent\:[^\n]+\;\sAntivir/H"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; reference:url,doc.emergingthreats.net/2008549; classtype:trojan-activity; sid:2008549; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)"; flow:established,to_server; content:"User-Agent|3a| Cleancop"; http_header; reference:url,doc.emergingthreats.net/2008484; classtype:trojan-activity; sid:2008484; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchtool.co.kr Fake Product User-Agent (searchtoolup)"; flow:established,to_server; content:"User-Agent|3a| searchtool"; http_header; reference:url,doc.emergingthreats.net/2008485; classtype:trojan-activity; sid:2008485; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AntiSpywareMaster.com Fake AV User-Agent (AsmUpdater)"; flow:to_server,established; content:"User-Agent|3a| AsmUpdater"; http_header; reference:url,doc.emergingthreats.net/2008294; classtype:trojan-activity; sid:2008294; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dokterfix.com Fake AV User-Agent (Magic NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Magic NetInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007977; classtype:trojan-activity; sid:2007977; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader)"; flow:established,to_server; content:"User-Agent|3a| IM Downloader|0d 0a|"; nocase; 
http_header; reference:url,doc.emergingthreats.net/2008000; classtype:trojan-activity; sid:2008000; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mycomclean.com Spyware User-Agent (HTTP_GET_COMM)"; flow:to_server,established; content:"User-Agent|3a| HTTP_GET_COMM|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007881; classtype:trojan-activity; sid:2007881; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mycomclean.com Spyware User-Agent (SHINI)"; flow:to_server,established; content:"User-Agent|3a| SHINI|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007882; classtype:trojan-activity; sid:2007882; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virusheat.com Fake Anti-Spyware User-Agent (VirusHeat 4.3)"; flow:to_server,established; content:"User-Agent|3a| VirusHeat"; http_header; reference:url,doc.emergingthreats.net/2007883; classtype:trojan-activity; sid:2007883; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antivirgear.com Fake Anti-Spyware User-Agent (AntiVirGear)"; flow:established,to_server; content:"User-Agent|3a| AntiVirGear"; nocase; http_header; reference:url,doc.emergingthreats.net/2007697; classtype:trojan-activity; sid:2007697; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, 
updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download)"; flow:established,to_server; content:"User-Agent|3a| IM Download|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007759; classtype:trojan-activity; sid:2007759; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Drpcclean.com Related Spyware User-Agent (DrPCClean Transmit)"; flow:to_server,established; content:"User-Agent|3a| DrPCClean"; http_header; reference:url,doc.emergingthreats.net/2007839; classtype:trojan-activity; sid:2007839; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Locus "; http_header; reference:url,doc.emergingthreats.net/2007845; classtype:trojan-activity; sid:2007845; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| LocusSoftware, NetInstaller"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008150; classtype:trojan-activity; sid:2008150; rev:8; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1)"; flow:established,to_server; content:"User-Agent|3a| IEDefender "; nocase; http_header; 
reference:url,doc.emergingthreats.net/2007690; classtype:trojan-activity; sid:2007690; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winxpperformance.com Related Spyware User-Agent (Microsoft Internet Browser)"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Browser|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007660; classtype:trojan-activity; sid:2007660; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VirusProtectPro Spyware User-Agent (VirusProtectPro)"; flow:established,to_server; content:"User-Agent|3a| VirusProtectPro"; http_header; reference:url,doc.emergingthreats.net/2007617; classtype:trojan-activity; sid:2007617; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ufixer.com Fake Antispyware User-Agent (Ultimate Fixer)"; flow: established,to_server; content:"User-Agent|3a| Ultimate Fixer"; nocase; http_header; reference:url,doc.emergingthreats.net/2007645; classtype:trojan-activity; sid:2007645; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vikiller.com Fake Antispyware User-Agent (vikiller ctrl...)"; flow: established,to_server; content:"User-Agent|3a| vikiller ctrl"; nocase; http_header; reference:url,doc.emergingthreats.net/2007582; classtype:trojan-activity; sid:2007582; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag 
Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Fast Browser Search)"; flow:to_server,established; content:"User-Agent|3a| Fast Browser Search"; nocase; http_header; reference:url,doc.emergingthreats.net/2010676; classtype:trojan-activity; sid:2010676; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Hostile User-Agent (Forthgoer)"; flow:to_server,established; content:"User-Agent|3a| Forthgoer"; http_header; reference:url,doc.emergingthreats.net/2011247; classtype:trojan-activity; sid:2011247; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yourscreen.com Spyware User-Agent (FreezeInet)"; flow:to_server,established; content:"FreezeInet"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+FreezeInet/iH"; reference:url,doc.emergingthreats.net/2003355; classtype:trojan-activity; sid:2003355; rev:14; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware User-Agent (YourScreen123)"; flow:to_server,established; content:"User-Agent|3a| YourScreen"; http_header; reference:url,doc.emergingthreats.net/2003405; classtype:trojan-activity; sid:2003405; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Spyware User-Agent (MyWay)"; flow:established,to_server; content:"MyWay|3b|"; http_header; pcre:"/User-Agent\x3a[^\n]+MyWay/iH"; threshold:type limit, count 1, seconds 360, 
track by_src; reference:url,doc.emergingthreats.net/2001864; classtype:trojan-activity; sid:2001864; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Spyware User-Agent (FunWebProducts)"; flow: established,to_server; content:"FunWebProducts"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+FunWebProducts/Hi"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001855; classtype:trojan-activity; sid:2001855; rev:32; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Grandstreet Interactive Spyware User-Agent (IEP)"; flow: to_server,established; content:"User-Agent|3a| IEP"; nocase; http_header; reference:url,doc.emergingthreats.net/2002021; classtype:trojan-activity; sid:2002021; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com User-Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; content:"GAMEHOUSE"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+GAMEHOUSE/iH"; reference:url,doc.emergingthreats.net/2003347; classtype:trojan-activity; sid:2003347; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com Related Spyware User-Agent (Sprout Game)"; flow:to_server,established; content:"User-Agent|3a| Sprout Game|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003498; classtype:trojan-activity; 
sid:2003498; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adsincontext.com Related Spyware User-Agent (Connector v1.2)"; flow: established; content:"User-Agent|3a| Connector v"; http_header; reference:url,doc.emergingthreats.net/2008372; classtype:trojan-activity; sid:2008372; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ask.com Toolbar/Spyware User-Agent (AskPBar)"; flow:established,to_server; content:"AskPBar"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskPBar/Hi"; reference:url,doc.emergingthreats.net/2006381; classtype:trojan-activity; sid:2006381; rev:15; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AskSearch Spyware User-Agent (AskSearchAssistant)"; flow:to_server,established; content:"AskSearch"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskSearch/iH"; threshold:type limit, count 2, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2003493; classtype:trojan-activity; sid:2003493; rev:15; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"|3b| AskBar"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskBar/iH"; reference:url,doc.emergingthreats.net/2003496; 
classtype:trojan-activity; sid:2003496; rev:16; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestoffersnetwork.com Related Spyware User-Agent (TBONAS)"; flow:to_server,established; content:"User-Agent|3a| TBONAS|0d 0a|"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670; reference:url,doc.emergingthreats.net/2003501; classtype:trojan-activity; sid:2003501; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)"; flow:to_server,established; content:"User-Agent|3a| Coolstreaming"; nocase; http_header; reference:url,doc.emergingthreats.net/2003652; classtype:trojan-activity; sid:2003652; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6)"; flow:to_server,established; content:"User-Agent|3a| mc_v1"; nocase; http_header; reference:url,www.f-secure.com/v-descs/rizo.shtml; reference:url,doc.emergingthreats.net/2003656; classtype:trojan-activity; sid:2003656; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Debelizombi.com Spyware User-Agent (blahrx)"; flow:established,to_server; content:"User-Agent|3a| blahrx"; http_header; reference:url,doc.emergingthreats.net/2006778; classtype:trojan-activity; sid:2006778; rev:7; 
metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; content:"User-Agent|3a| atsu|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006370; classtype:trojan-activity; sid:2006370; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware User-Agent (GTBank)"; flow:to_server,established; content:"User-Agent|3a| GTBank"; nocase; http_header; reference:url,doc.emergingthreats.net/2003654; classtype:trojan-activity; sid:2003654; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirage.ru Related Spyware User-Agent (szNotifyIdent)"; flow:established,to_server; content:"User-Agent|3a| szNotifyIdent"; http_header; reference:url,doc.emergingthreats.net/2006782; classtype:trojan-activity; sid:2006782; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Popads123.com Related Spyware User-Agent (LmaokaazLdr)"; flow:established,to_server; content:"User-Agent|3a| LmaokaazLdr"; nocase; http_header; reference:url,doc.emergingthreats.net/2007694; classtype:trojan-activity; sid:2007694; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 
2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0)"; flow:to_server,established; content:"User-Agent|3a| Internet 1."; nocase; http_header; reference:url,doc.emergingthreats.net/2003655; classtype:trojan-activity; sid:2003655; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zredirector.com Related Spyware User-Agent (BndDriveLoader)"; flow:established,to_server; content:"User-Agent|3a| BndDriveLoader"; nocase; http_header; reference:url,doc.emergingthreats.net/2007693; classtype:trojan-activity; sid:2007693; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.Win32.InternetAntivirus User-Agent (General Antivirus)"; flow:to_server,established; content:"User-Agent|3a| General Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010679; classtype:trojan-activity; sid:2010679; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044)"; flow:established,to_server; content:"User-Agent|3a| UbrenQuatroRusDldr"; http_header; reference:url,doc.emergingthreats.net/2008202; classtype:trojan-activity; sid:2008202; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr)"; flow:established,to_server; content:"User-Agent|3a| BndVeano4GetDownldr"; http_header; reference:url,doc.emergingthreats.net/2008203; 
classtype:trojan-activity; sid:2008203; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update)"; flow:to_server,established; content:"User-Agent|3a| fs3update|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007935; classtype:trojan-activity; sid:2007935; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager)"; flow:to_server,established; content:"User-Agent|3a| fian3manager|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007938; classtype:trojan-activity; sid:2007938; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Qcbar/Adultlinks Spyware User-Agent (IBSBand)"; flow:to_server,established; content:"User-Agent|3a| IBSBand-"; http_header; reference:url,doc.emergingthreats.net/2006362; classtype:trojan-activity; sid:2006362; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IE Toolbar User-Agent (IEToolbar)"; flow:established,to_server; content:"User-Agent|3a| IEToolbar"; http_header; reference:url,doc.emergingthreats.net/2009766; classtype:trojan-activity; sid:2009766; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE YourSiteBar User-Agent (istsvc)"; flow: to_server,established; content:"User-Agent|3a| istsvc|0d 0a|"; nocase; http_header; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/2001699; classtype:trojan-activity; sid:2001699; rev:259; metadata:created_at 2010_07_30, updated_at 
2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InTeRNeT)"; flow:to_server,established; content:"User-Agent|3a| |5f|InTeRNeT"; http_header; reference:url,doc.emergingthreats.net/2011127; classtype:trojan-activity; sid:2011127; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Infobox3 Spyware User-Agent (InfoBox)"; flow:established,to_server; content:"User-Agent|3a| InfoBox"; http_header; reference:url,doc.emergingthreats.net/2010934; classtype:trojan-activity; sid:2010934; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Movies-etc User-Agent (IOInstall)"; flow: to_server,established; content:"User-Agent|3a| IOInstall"; nocase; http_header; reference:url,www.movies-etc.com; reference:url,doc.emergingthreats.net/2002404; classtype:trojan-activity; sid:2002404; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optimizer Activity User-Agent (IOKernel)"; flow: to_server,established; content:" IOKernel/"; http_header; pcre:"/User-Agent\:[^\n]+IOKernel/iH"; reference:url,doc.emergingthreats.net/2001498; classtype:trojan-activity; sid:2001498; rev:34; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)"; flow:to_server,established; content:"User-Agent|3a| SexTrackerWSI"; nocase; http_header; reference:url,doc.emergingthreats.net/2003627; classtype:trojan-activity; sid:2003627; rev:7; 
metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/InternetAntivirus User-Agent (Internet Antivirus Pro)"; flow:to_server,established; content:"User-Agent|3a| Internet Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010218; classtype:trojan-activity; sid:2010218; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE dns-look-up.com Spyware User-Agent (KRSystem)"; flow:to_server,established; content:"User-Agent|3a| KRSystem"; nocase; http_header; reference:url,doc.emergingthreats.net/2003625; classtype:trojan-activity; sid:2003625; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE No-ad.co.kr Fake AV Related User-Agent (U2Clean)"; flow: established,to_server; content:"User-Agent|3a| U2Clean"; http_header; reference:url,doc.emergingthreats.net/2009289; classtype:trojan-activity; sid:2009289; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruskill.co.kr Fake AV User-Agent Detected (virus_kill)"; flow:to_server,established; content:"User-Agent|3a| virus_kill"; http_header; reference:url,doc.emergingthreats.net/2009150; classtype:trojan-activity; sid:2009150; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake AV User-Agent (N1)"; flow:to_server,established; content:"User-Agent|3a| N1|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009157; classtype:trojan-activity; sid:2009157; rev:5; metadata:created_at 
2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ezday.co.kr Related Spyware User-Agent (Ezshop)"; flow:established,to_server; content:"User-Agent|3a| Ezshop"; http_header; reference:url,doc.emergingthreats.net/2008594; classtype:trojan-activity; sid:2008594; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruscheck.co.kr Fake Antispyware User-Agent (viruscheck)"; flow: established,to_server; content:"User-Agent|3a| viruscheck"; nocase; http_header; reference:url,doc.emergingthreats.net/2007643; classtype:trojan-activity; sid:2007643; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mycashbank.co.kr Spyware User-Agent (pint_agency)"; flow:established,to_server; content:"User-Agent|3a| pint_agency"; http_header; reference:url,doc.emergingthreats.net/2006413; classtype:trojan-activity; sid:2006413; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Platinumreward.co.kr Spyware User-Agent (WT_GET_COMM)"; flow:established,to_server; content:"User-Agent|3a| WT_GET_COMM"; http_header; reference:url,doc.emergingthreats.net/2006422; classtype:trojan-activity; sid:2006422; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vaccineprogram.co.kr Related Spyware User-Agent 
(anycleaner)"; flow:established,to_server; content:"User-Agent|3a| anycleaner"; http_header; reference:url,doc.emergingthreats.net/2006419; classtype:trojan-activity; sid:2006419; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorvaccine.co.kr Related Spyware User-Agent (DoctorVaccine)"; flow:established,to_server; content:"User-Agent|3a| DoctorVaccine"; http_header; reference:url,doc.emergingthreats.net/2006421; classtype:trojan-activity; sid:2006421; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorvaccine.co.kr Related Spyware-User Agent (ers)"; flow:established,to_server; content:"User-Agent|3a| ers|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007809; classtype:trojan-activity; sid:2007809; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Spyware User-Agent (doctorpro1)"; flow:established,to_server; content:"User-Agent|3a| doctorpro"; http_header; reference:url,doc.emergingthreats.net/2006423; classtype:trojan-activity; sid:2006423; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Karine.co.kr Related Spyware User Agent (chk Profile)"; flow:established,to_server; content:"User-Agent|3a| chk Profile|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006429; classtype:trojan-activity; sid:2006429; rev:8; metadata:created_at 2010_07_30, updated_at 
2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Karine.co.kr Related Spyware User-Agent (Access down)"; flow:established,to_server; content:"User-Agent|3a| Access down|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006430; classtype:trojan-activity; sid:2006430; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus)"; flow:to_server,established; content:"User-Agent|3a| PCClear"; http_header; reference:url,www.pcclear.com; reference:url,www.pcclear.co.kr; reference:url,doc.emergingthreats.net/2008198; classtype:trojan-activity; sid:2008198; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE vaccine-program.co.kr Related Spyware User-Agent (vaccine)"; flow:established,to_server; content:"User-Agent|3a| vaccine"; http_header; reference:url,doc.emergingthreats.net/2008200; classtype:trojan-activity; sid:2008200; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yeps.co.kr Related User-Agent (ISecu)"; flow:established,to_server; content:"User-Agent|3a| ISecu"; http_header; reference:url,doc.emergingthreats.net/2008204; classtype:trojan-activity; sid:2008204; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yeps.co.kr Related User-Agent (ISUpd)"; flow:established,to_server; content:"User-Agent|3a| ISUpd"; http_header; reference:url,doc.emergingthreats.net/2008205; classtype:trojan-activity; sid:2008205; rev:6; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Nguide.co.kr Fake Security Tool User-Agent (nguideup)"; flow:to_server,established; content:"User-Agent|3a| nguideup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007947; classtype:trojan-activity; sid:2007947; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN)"; flow:to_server,established; content:"User-Agent|3a| BACKMAN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007958; classtype:trojan-activity; sid:2007958; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Msconfig.co.kr Related User-Agent (GLOBALx)"; flow:to_server,established; content:"User-Agent|3a| GLOBAL"; http_header; reference:url,doc.emergingthreats.net/2007959; classtype:trojan-activity; sid:2007959; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kpang.com Spyware User-Agent (auctionplusup)"; flow:to_server,established; content:"User-Agent|3a| auctionplusup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007900; classtype:trojan-activity; sid:2007900; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPGETDATA)"; flow:to_server,established; content:"User-Agent|3a| HTTPGETDATA|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007908; classtype:trojan-activity; sid:2007908; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, 
created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPFILEDOWN)"; flow:to_server,established; content:"User-Agent|3a| HTTPFILEDOWN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007909; classtype:trojan-activity; sid:2007909; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTP_FILEDOWN)"; flow:to_server,established; content:"User-Agent|3a| HTTP_FILEDOWN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007910; classtype:trojan-activity; sid:2007910; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Donkeyhote.co.kr Spyware User-Agent (UDonkey)"; flow:to_server,established; content:"User-Agent|3a| UDonkey|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007927; classtype:trojan-activity; sid:2007927; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gcashback.co.kr Spyware User-Agent (InvokeAd)"; flow:to_server,established; content:"User-Agent|3a| InvokeAd|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007928; classtype:trojan-activity; sid:2007928; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Live Enterprise 
Suite)"; flow:to_server,established; content:"User-Agent|3a| Live Enterprise Suite"; http_header; nocase; reference:url,doc.emergingthreats.net/2010727; classtype:trojan-activity; sid:2010727; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb User-Agent (Lobo Lunar)"; flow: established,to_server; content:"User-Agent|3a| Lobo Lunar"; http_header; reference:url,doc.emergingthreats.net/2009222; classtype:trojan-activity; sid:2009222; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MalwareWiped.com Spyware User-Agent (MalwareWiped)"; flow:to_server,established; content:"User-Agent|3a| MalwareWiped"; nocase; http_header; reference:url,doc.emergingthreats.net/2003582; classtype:trojan-activity; sid:2003582; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adwave/MarketScore User-Agent (WTA)"; flow: to_server,established; content:"User-Agent|3a| WTA_"; http_header; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; reference:url,doc.emergingthreats.net/2002394; classtype:trojan-activity; sid:2002394; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Megaupload Spyware User-Agent (Megaupload)"; flow:to_server,established; content:"User-Agent|3a| Megaupload|0d 0a|"; http_header; reference:url,www.budsinc.com; reference:url,doc.emergingthreats.net/2003224; classtype:trojan-activity; sid:2003224; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Microgaming Install Program|0d 0a|"; nocase; http_header; reference:url,vil.nai.com/vil/content/v_151034.htm; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25; reference:url,www.threatexpert.com/reports.aspx?find=mgsmup.com; reference:url,doc.emergingthreats.net/2009783; classtype:trojan-activity; sid:2009783; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; content:"User-Agent|3a| Mbar|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003928; classtype:trojan-activity; sid:2003928; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mirar_Toolbar)"; flow:to_server,established; content:"User-Agent|3a| Mirar_Toolbar"; nocase; http_header; reference:url,doc.emergingthreats.net/2003929; classtype:trojan-activity; sid:2003929; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Spyware User-Agent (Mirar_KeywordContent)"; flow:to_server,established; content:"User-Agent|3a| Mirar_KeywordContent|0d 0a|"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; reference:url,doc.emergingthreats.net/2003490; classtype:trojan-activity; sid:2003490; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag 
Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Miva User-Agent (TPSystem)"; flow: to_server,established; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.miva.com; reference:url,www.findwhat.com; reference:url,doc.emergingthreats.net/2002395; classtype:trojan-activity; sid:2002395; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Miva Spyware User-Agent (Travel Update)"; flow: to_server,established; content:"User-Agent|3a| Travel Update|0d 0a|"; http_header; reference:url,www.miva.com; reference:url,doc.emergingthreats.net/2002396; classtype:trojan-activity; sid:2002396; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; content:"SmartInstaller"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SmartInstaller/iH"; reference:url,doc.emergingthreats.net/2003398; classtype:trojan-activity; sid:2003398; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3)"; flow:to_server,established; content:"User-Agent|3a| MsgPlus3"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931; reference:url,doc.emergingthreats.net/2003529; classtype:trojan-activity; sid:2003529; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; 
content:" MySearch"; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+MySearch/iH"; reference:url,doc.emergingthreats.net/2002080; classtype:trojan-activity; sid:2002080; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Enhance My Search Spyware User-Agent (HelperH)"; flow: established,to_server; content:"HelperH"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+HelperH/iH"; reference:url,doc.emergingthreats.net/2001746; classtype:trojan-activity; sid:2001746; rev:38; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mysearch.com/Morpheus Bar Spyware User-Agent (Morpheus)"; flow:to_server,established; content:" Morpheus"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+Morpheus/iH"; reference:url,doc.emergingthreats.net/2003396; classtype:trojan-activity; sid:2003396; rev:15; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE searchenginebar.com Spyware User-Agent (RX Bar)"; flow:to_server,established; content:"User-Agent|3a| RX Bar"; nocase; http_header; reference:url,doc.emergingthreats.net/2003407; classtype:trojan-activity; sid:2003407; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; content:"iMeshBar"; http_header; fast_pattern:only; 
pcre:"/User-Agent\:[^\n]+iMeshBar/iH"; reference:url,doc.emergingthreats.net/2003406; classtype:trojan-activity; sid:2003406; rev:14; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; content:!".windows.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010677; classtype:trojan-activity; sid:2010677; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_02_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Spyware User-Agent (MyWebSearch)"; flow: established,to_server; content:"MyWebSearch"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+MyWebSearch/Hi"; reference:url,doc.emergingthreats.net/2001865; classtype:trojan-activity; sid:2001865; rev:29; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NavExcel Spyware User-Agent (NavHelper)"; flow:to_server,established; content:"User-Agent|3a| NavHelper"; nocase; http_header; reference:url,doc.emergingthreats.net/2005321; classtype:trojan-activity; sid:2005321; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (B Register)"; flow:established,to_server; content:"User-Agent|3a| B Register"; nocase; http_header; 
reference:url,doc.emergingthreats.net/2007597; classtype:trojan-activity; sid:2007597; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (updatesodui)"; flow:established,to_server; content:"User-Agent|3a| updatesodui"; nocase; http_header; reference:url,doc.emergingthreats.net/2007598; classtype:trojan-activity; sid:2007598; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (aaaabbb)"; flow:established,to_server; content:"User-Agent|3a| aaaabbb"; nocase; http_header; reference:url,doc.emergingthreats.net/2007599; classtype:trojan-activity; sid:2007599; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; content:" Oemji"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Oemji/iH"; reference:url,doc.emergingthreats.net/2003468; classtype:trojan-activity; sid:2003468; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Recuva User-Agent (OpenPage) - likely trojan dropper"; flow:to_server,established; content:"User-Agent|3a| OpenPage"; http_header; reference:url,doc.emergingthreats.net/2011101; classtype:trojan-activity; sid:2011101; rev:5; metadata:created_at 2010_07_30, updated_at 
2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Personalweb Spyware User-Agent (PWMI/1.0)"; flow:to_server,established; content:"User-Agent|3a| PWMI/"; nocase; http_header; reference:url,doc.emergingthreats.net/2003926; classtype:trojan-activity; sid:2003926; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pivim Multibar User-Agent (Pivim Multibar)"; flow:established,to_server; content:"User-Agent|3a| Pivim"; http_header; reference:url,doc.emergingthreats.net/2009765; classtype:trojan-activity; sid:2009765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)"; flow:established,to_server; content:"User-Agent|3a| PopupBlockade"; http_header; reference:url,doc.emergingthreats.net/2008894; classtype:trojan-activity; sid:2008894; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector Related Spyware User-Agent (Ssol NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Ssol NetInstaller"; http_header; reference:url,doc.emergingthreats.net/2008040; classtype:trojan-activity; sid:2008040; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adload.Generic Spyware User-Agent (ProxyDown)"; flow:to_server,established; content:"User-Agent|3a| ProxyDown"; nocase; http_header; reference:url,doc.emergingthreats.net/2003639; classtype:trojan-activity; sid:2003639; rev:7; metadata:attack_target 
Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE qq.com related Spyware User-Agent (QQGame)"; flow:to_server,established; content:"User-Agent|3a| QQGame"; nocase; http_header; reference:url,doc.emergingthreats.net/2003658; classtype:trojan-activity; sid:2003658; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:trojan-activity; sid:2009785; rev:9; metadata:created_at 2010_07_30, updated_at 2016_09_29;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"User-Agent|3a| Releasexp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009796; classtype:trojan-activity; sid:2009796; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010)"; flow:to_server,established; content:"User-Agent|3a| AV2010"; http_header; reference:url,doc.emergingthreats.net/2008656; classtype:trojan-activity; sid:2008656; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware User-Agent (Bundle)"; flow: established,to_server; content:"User-Agent|3a| Bundle"; 
http_header; reference:url,doc.emergingthreats.net/2001702; classtype:policy-violation; sid:2001702; rev:35; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware User-Agent (SAH)"; flow: established,to_server; content:"SAH Agent"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2001707; classtype:policy-violation; sid:2001707; rev:35; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopathomeselect.com Spyware User-Agent (WebDownloader)"; flow: to_server,established; content:"WebDownloader"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+WebDownloader/iH"; reference:url,doc.emergingthreats.net/2002038; classtype:trojan-activity; sid:2002038; rev:250; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Save)"; flow:to_server,established; content:"User-Agent|3a| Save|0d 0a|"; http_header; reference:url,poweredbysave.com; classtype:trojan-activity; sid:2011120; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Engine 2000 Spyware User-Agent (searchengine)"; flow: established,to_server; content:" searchengine"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+searchengine/iH"; reference:url,doc.emergingthreats.net/2001867; classtype:trojan-activity; sid:2001867; rev:28; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, 
signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Generic.Malware.dld User-Agent (Sickloader)"; flow:to_server,established; content:"User-Agent|3a| Sickloader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003644; classtype:trojan-activity; sid:2003644; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (Sidesearch)"; flow: established,to_server; content:"User-Agent|3a| Sidesearch"; http_header; reference:url,doc.emergingthreats.net/2001869; classtype:trojan-activity; sid:2001869; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidebar Related Spyware User-Agent (Sidebar Client)"; flow:established,to_server; content:"User-Agent|3a| Sidebar"; http_header; reference:url,doc.emergingthreats.net/2008201; classtype:trojan-activity; sid:2008201; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection)"; flow:established,to_server; content:"User-Agent|3a| Smileware"; http_header; reference:url,doc.emergingthreats.net/2008892; classtype:trojan-activity; sid:2008892; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogou.com Spyware User-Agent (SogouIMEMiniSetup)"; flow:established,to_server; content:"User-Agent|3a| SogouIME"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008500; 
classtype:trojan-activity; sid:2008500; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2017_04_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (SogouExplorerMiniSetup)"; flow:to_server,established; content:"User-Agent|3a| SogouExplorerMiniSetup"; nocase; http_header; reference:url,doc.emergingthreats.net/2010675; classtype:trojan-activity; sid:2010675; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpamBlockerUtility Fake Anti-Spyware User-Agent (SpamBlockerUtility x.x.x)"; flow:to_server,established; content:"SpamBlockerUtility "; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SpamBlockerUtility \d/iH"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003384; classtype:trojan-activity; sid:2003384; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"User-Agent|3a| SRInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008145; classtype:trojan-activity; sid:2008145; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"User-Agent|3a| SpeedRunner|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008146; classtype:trojan-activity; sid:2008146; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
Speed-runner.com Fake Speed Test User-Agent (SRRecover)"; flow:to_server,established; content:"User-Agent|3a| SRRecover|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008151; classtype:trojan-activity; sid:2008151; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iDownloadAgent Spyware User-Agent (iDownloadAgent)"; flow:to_server,established; content:"iDownloadAgent"; http_header; pcre:"/User-Agent\:[^\n]+iDownloadAgent/H"; reference:url,doc.emergingthreats.net/2002739; classtype:trojan-activity; sid:2002739; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware User-Agent (spywareaxe)"; flow:to_server,established; content:"spywareaxe"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+spywareaxe/H"; reference:url,doc.emergingthreats.net/2002808; classtype:trojan-activity; sid:2002808; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn)"; flow:to_server,established; content:"User-Agent|3a| SpyDawn|0d 0a|"; nocase; http_header; reference:url,www.spywareguide.com/spydet_3366_spydawn.html; reference:url,doc.emergingthreats.net/2003499; classtype:trojan-activity; sid:2003499; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer)"; flow:to_server,established; content:"User-Agent|3a| SpyHeal"; 
nocase; http_header; reference:url,doc.emergingthreats.net/2003399; classtype:trojan-activity; sid:2003399; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spylocked Fake Anti-Spyware User-Agent (SpyLocked)"; flow:to_server,established; content:"User-Agent|3a| SpyLocked"; nocase; http_header; classtype:trojan-activity; sid:2005322; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster.com Spyware User-Agent (fetcher)"; flow:to_server,established; content:"User-Agent|3a| fetcher|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2005318; classtype:trojan-activity; sid:2005318; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (sureseeker)"; flow: established,to_server; content:"sureseeker"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+sureseeker\.com/iH"; reference:url,doc.emergingthreats.net/2001868; classtype:trojan-activity; sid:2001868; rev:27; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Surfplayer Spyware User-Agent (SurferPlugin)"; flow: established,to_server; content:"SurferPlugin"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SurferPlugin/iH"; reference:url,doc.emergingthreats.net/2001870; classtype:trojan-activity; sid:2001870; rev:24; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, 
created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet)"; flow: to_server,established; content:"UtilMind HTTPGet"; http_header; fast_pattern:only; content:!"Host|3a| www.blueocean.com"; nocase; http_header; content:!"Host|3a 20|www.backupmaker.com"; http_header; nocase; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.websearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002402; classtype:trojan-activity; sid:2002402; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Informer from RBC)"; flow:to_server,established; content:"Informer from RBC"; http_header; fast_pattern:only; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003205; classtype:trojan-activity; sid:2003205; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; content:"User-Agent|3a| Download Agent"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; classtype:trojan-activity; sid:2003243; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Autoupdate)"; flow:to_server,established; content:"User-Agent|3a| Autoupdate"; nocase; http_header; content:!"Host|3a| update.nai.com"; nocase; http_header; content:!"McAfeeAutoUpdate"; nocase; http_header; content:!"nokia.com"; nocase; http_header; content:!"sophosupd.com"; nocase; http_header; content:!"sophosupd.net"; nocase; http_header; content:!" 
Creative AutoUpdate v"; http_header; content:!"wholetomato.com"; http_header; content:!".acclivitysoftware.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003337; classtype:trojan-activity; sid:2003337; rev:16; metadata:created_at 2010_07_30, updated_at 2017_01_05;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Toolbar) Possibly Malware/Spyware"; flow:to_server,established; content:"User-Agent|3a| Toolbar"; http_header; content:!"cf.icq.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003463; classtype:trojan-activity; sid:2003463; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (ms)"; flow:to_server,established; content:"User-Agent|3a| ms|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; classtype:trojan-activity; sid:2003497; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (DIALER)"; flow:to_server,established; content:"User-Agent|3a| DIALER"; nocase; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003566; classtype:trojan-activity; sid:2003566; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (update)"; flow:to_server,established; content:"User-Agent|3a| update|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003583; classtype:trojan-activity; sid:2003583; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, 
deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent|3a| Windows Updates Manager"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003585; classtype:trojan-activity; sid:2003585; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; content:!"User-Agent|3A| SogouMobileTool"; nocase; http_header; content:!".lge.com|3a|80|0d 0a|"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:10; metadata:created_at 2010_07_30, updated_at 2017_11_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; content:"User-Agent|3a| TEST|0d 0a|"; http_header; content:!"Host|3a 20|messagecenter.comodo.com"; content:!"symantec.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:trojan-activity; sid:2006357; rev:9; metadata:created_at 2010_07_30, updated_at 2017_01_05;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; content:"User-Agent|3a| Huai_Huai|0d 0a|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2006361; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, 
signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (006)"; flow:established,to_server; content:"User-Agent|3a| 00"; http_header; pcre:"/User-Agent\: 00\d+\x0d\x0a/H"; reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:trojan-activity; sid:2006388; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Dummy)"; flow: established,to_server; content:"User-Agent|3a| Dummy"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007570; classtype:trojan-activity; sid:2007570; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AntiSpyware) - Likely 2squared.com related"; flow: established,to_server; content:"User-Agent|3a| AntiSpyware"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007575; classtype:trojan-activity; sid:2007575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (XXX)"; flow:established,to_server; content:"User-Agent|3a| XXX|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007648; classtype:trojan-activity; sid:2007648; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (QdrBi Starter)"; flow:established,to_server; content:"User-Agent|3a| QdrBi Starter|0d 0a|"; nocase; http_header; 
reference:url,doc.emergingthreats.net/bin/view/Main/2007659; classtype:trojan-activity; sid:2007659; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (install_s)"; flow:established,to_server; content:"User-Agent|3a| install_"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007666; classtype:trojan-activity; sid:2007666; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (count)"; flow:established,to_server; content:"User-Agent|3a| count|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007667; classtype:trojan-activity; sid:2007667; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet Explorer (compatible))"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer (compatible)|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007772; classtype:trojan-activity; sid:2007772; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla) - Possible Spyware Related"; flow:to_server,established; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; content:!"smartcom.com|0d 0a|"; http_header; content:!"iscoresports.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007854; classtype:trojan-activity; sid:2007854; rev:10; metadata:created_at 
2010_07_30, updated_at 2017_01_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (microsoft) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| microsoft|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007859; classtype:trojan-activity; sid:2007859; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer 6.0|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007860; classtype:trojan-activity; sid:2007860; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Firefox) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| Firefox|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007868; classtype:trojan-activity; sid:2007868; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Example)"; flow:to_server,established; content:"User-Agent|3a| Example|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:trojan-activity; sid:2007884; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent 
(downloader)"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:trojan-activity; sid:2007885; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP_CONNECT)"; flow:to_server,established; content:"User-Agent|3a| HTTP_CONNECT|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007899; classtype:trojan-activity; sid:2007899; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Explorer)"; flow:to_server,established; content:"User-Agent|3a| Explorer|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007921; classtype:trojan-activity; sid:2007921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| )|0d 0a|"; fast_pattern:19,20; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007929; classtype:trojan-activity; sid:2007929; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP)"; flow:to_server,established; content:"User-Agent|3a| HTTP|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:trojan-activity; sid:2007943; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (popup)"; flow:to_server,established; content:"User-Agent|3a| popup|0d 0a|"; 
http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007946; classtype:trojan-activity; sid:2007946; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (single dash)"; flow:to_server,established; content:"User-Agent|3a| |2d 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007880; classtype:trojan-activity; sid:2007880; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (double dashes)"; flow:to_server,established; content:"User-Agent|3a| |2d 2d 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007948; classtype:trojan-activity; sid:2007948; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (2 spaces)"; flow:to_server,established; content:"User-Agent|3a 20 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007993; classtype:trojan-activity; sid:2007993; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:!".doubleclick.net"; http_header; content:!".pingstart.com"; http_header; content:!".colis-logistique.com"; http_header; 
content:!"android-lrcresource.wps.com"; http_header; content:!"track.package-buddy.com"; http_header; content:!"talkgadget.google.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:20; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2018_04_03;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet)"; flow:to_server,established; content:"User-Agent|3a| Internet|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008013; classtype:trojan-activity; sid:2008013; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Win95)"; flow:to_server,established; content:"Win95"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Win95/H"; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:trojan-activity; sid:2008015; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Mozilla/4.0 (compatible ICS))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| ICS)"; http_header; fast_pattern:21,20; content:!".iobit.com|0d 0a|"; http_header; content:!".microsoft.com|0d 0a|"; http_header; content:!".cnn.com|0d 0a|"; http_header; content:!".wunderground.com"; http_header; content:!".weatherbug.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2008038; classtype:trojan-activity; sid:2008038; rev:12; metadata:created_at 2010_07_30, updated_at 2017_12_14;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet Explorer)"; flow:to_server,established; 
content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:!"Host|3a| pnrws.skype.com|0d 0a|"; http_header; content:!"iecvlist.microsoft.com"; http_header; content:!".lenovo.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008052; classtype:trojan-activity; sid:2008052; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:trojan-activity; sid:2008066; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Misspelled Mozilla User-Agent (Mozila)"; flow:to_server,established; content:"User-Agent|3a| Mozila"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008210; classtype:trojan-activity; sid:2008210; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (FTP)"; flow: to_server,established; content:"User-Agent|3a| Ftp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008735; classtype:trojan-activity; sid:2008735; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:trojan-activity; sid:2008742; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (bdsclk) - Possible Admoke 
Admware"; flow: to_server,established; content:"User-Agent|3a| bdsclk"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008743; classtype:trojan-activity; sid:2008743; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; content:!"/?rnd="; depth:6; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:14; metadata:created_at 2010_07_30, updated_at 2017_01_24;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (IE_6.0)"; flow:to_server,established; content:"User-Agent|3a| IE_6.0"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009021; classtype:trojan-activity; sid:2009021; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (FileDownloader)"; flow:to_server,established; content:"User-Agent|3a| FileDownloader"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009027; classtype:trojan-activity; sid:2009027; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (get_site1)"; 
flow:to_server,established; content:"User-Agent|3a| get_site"; http_header; reference:url,doc.emergingthreats.net/2009111; classtype:trojan-activity; sid:2009111; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (GETJOB)"; flow:to_server,established; content:"User-Agent|3a| GETJOB"; http_header; reference:url,doc.emergingthreats.net/2009124; classtype:trojan-activity; sid:2009124; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.8 ru)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.8 [ru] (Windows NT 6.0|3b| U)|0d 0a|"; fast_pattern:12,17; http_header; reference:url,doc.emergingthreats.net/2009438; classtype:trojan-activity; sid:2009438; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HelpSrvc)"; flow:established,to_server; content:"User-Agent|3a| HelpSrvc|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009439; classtype:trojan-activity; sid:2009439; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AgavaDwnl) - Possibly Xema"; flow:established,to_server; content:"User-Agent|3a| AgavaDwnl|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009445; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (_TEST_)"; flow: to_server,established; content:"User-Agent|3a| _TEST_"; nocase; http_header; reference:url,doc.emergingthreats.net/2009545; classtype:trojan-activity; sid:2009545; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE User-Agent (User Agent) - Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| User Agent"; http_header; reference:url,doc.emergingthreats.net/2009930; classtype:trojan-activity; sid:2009930; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (MyIE/1.0)"; flow:established,to_server; content:"User-Agent|3a| MyIE/"; http_header; reference:url,doc.emergingthreats.net/2009991; classtype:trojan-activity; sid:2009991; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (ONANDON)"; flow:established,to_server; content:"User-Agent|3a| ONANDON|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009995; classtype:trojan-activity; sid:2009995; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake Wget User-Agent (wget 3.0) - Likely Hostile"; flow:to_server,established; content:"User-Agent|3a| wget 3.0|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007961; classtype:trojan-activity; sid:2007961; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Sme32)"; flow: established, to_server; content:"User-Agent|3a| Sme32|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010137; classtype:trojan-activity; sid:2010137; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (M0zilla)"; flow:established,to_server; content:"User-Agent|3A 20|M0zilla/4.0|20|(compatible)"; http_header; reference:url,doc.emergingthreats.net/2010265; 
classtype:trojan-activity; sid:2010265; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (CrazyBro)"; flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html; reference:url,doc.emergingthreats.net/2010333; classtype:trojan-activity; sid:2010333; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (ie) - Possible Trojan Downloader"; flow:established,to_server; content:"User-Agent|3a| ie|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007827; classtype:trojan-activity; sid:2007827; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (MSIE7 na)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| na|3b| )"; http_header; fast_pattern:37,14; reference:url,doc.emergingthreats.net/2010461; classtype:trojan-activity; sid:2010461; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (???)"; flow:established,to_server; content:"User-Agent|3a| ???"; http_header; content:!"|20|Sparkle|2f|"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2010595; classtype:trojan-activity; sid:2010595; rev:5; metadata:created_at 
2010_07_30, updated_at 2017_05_25;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent Mozilla/3.0"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Internet Explorer)"; http_header; fast_pattern:12,20; reference:url,doc.emergingthreats.net/2010599; classtype:trojan-activity; sid:2010599; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; http_header; fast_pattern:11,11; reference:url,doc.emergingthreats.net/2010904; classtype:bad-unknown; sid:2010904; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake Mozilla UA Outbound (Mozilla/0.xx)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern:11,11; http_header; reference:url,doc.emergingthreats.net/2010905; classtype:bad-unknown; sid:2010905; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Download Master) - Possible Malware Downloader"; flow:established,to_server; content:"User-Agent|3a| Download Master"; http_header; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.httpuseragent.org/list/Download+Master-n727.htm; reference:url,www.westbyte.com/dm/; reference:url,doc.emergingthreats.net/2011146; classtype:policy-violation; sid:2011146; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (webcount)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| webcount"; http_header; reference:url,doc.emergingthreats.net/2011149; classtype:trojan-activity; sid:2011149; rev:5; metadata:created_at 
2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP_Query)"; flow:to_server,established; content:"User-Agent|3a| HTTP_Query|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011678; classtype:trojan-activity; sid:2011678; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (dbcount)"; flow:to_server,established; content:"User-Agent|3a| dbcount|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011679; classtype:trojan-activity; sid:2011679; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE User-Agent (RangeCheck/0.1)"; flow:established,to_server; content:"User-Agent|3a| RangeCheck/0.1|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011718; classtype:trojan-activity; sid:2011718; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogou Toolbar Checkin"; flow:to_server,established; content:"/seversion.txt"; http_uri; content:"User-Agent|3a| SeFastSetup"; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:trojan-activity; sid:2011226; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Suggestion)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| Suggestion|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011229; classtype:trojan-activity; sid:2011229; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (SP3 WINLD))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 |28|SP3 WINLD|29 0d 0a|"; 
http_header; fast_pattern:23,14; reference:url,doc.emergingthreats.net/2011238; classtype:trojan-activity; sid:2011238; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Target Saver Spyware User-Agent (TSA)"; flow: established,to_server; content:"User-Agent|3a| TSA/"; http_header; reference:url,doc.emergingthreats.net/2001871; classtype:trojan-activity; sid:2001871; rev:22; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TryMedia Spyware User-Agent (TryMedia_DM_2.0.0)"; flow:established,to_server; content:"User-Agent|3a| TryMedia_DM_"; nocase; http_header; reference:url,doc.emergingthreats.net/2007600; classtype:trojan-activity; sid:2007600; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware User-Agent (UCmore) "; flow: to_server,established; content:" UCmore"; http_header; pcre:"/User-Agent\:[^\n]+UCmore/iH"; reference:url,doc.emergingthreats.net/2001736; classtype:trojan-activity; sid:2001736; rev:271; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware User-Agent (EI)"; flow: to_server,established; content:"User-Agent|3a| EI|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2001996; classtype:trojan-activity; sid:2001996; rev:14; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE www.vaccinekiller.com Related Spyware User-Agent (VaccineKillerIU)"; flow:established,to_server; content:"User-Agent|3a| VaccineKiller"; http_header; reference:url,doc.emergingthreats.net/2009993; classtype:trojan-activity; sid:2009993; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Visicom Spyware User-Agent (Visicom)"; flow: established,to_server; content:"Visicom"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Visicom/iH"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001872; classtype:trojan-activity; sid:2001872; rev:31; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vombanetwork Spyware User-Agent (VombaProductsInstaller)"; flow:to_server,established; content:"User-Agent|3a| Vomba"; http_header; reference:url,doc.emergingthreats.net/2007869; classtype:trojan-activity; sid:2007869; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webbuying.net Spyware Install User-Agent (wbi_v0.90)"; flow:to_server,established; content:" wbi_v0."; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+wbi_v\d/iH"; reference:url,doc.emergingthreats.net/2003441; classtype:trojan-activity; sid:2003441; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WTRecover)"; 
flow:established,to_server; content:"User-Agent|3a| WTRecover"; http_header; reference:url,doc.emergingthreats.net/2006392; classtype:trojan-activity; sid:2006392; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WTInstaller)"; flow:established,to_server; content:"User-Agent|3a| WTInstaller"; http_header; reference:url,doc.emergingthreats.net/2006393; classtype:trojan-activity; sid:2006393; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WinTouch)"; flow:established,to_server; content:"User-Agent|3a| WinTouch"; http_header; reference:url,doc.emergingthreats.net/2008141; classtype:trojan-activity; sid:2008141; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WinButler User-Agent (WinButler)"; flow:to_server,established; content:"User-Agent|3a| WinButler|0d 0a|"; http_header; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; reference:url,doc.emergingthreats.net/2008190; classtype:trojan-activity; sid:2008190; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; content:"User-Agent|3a| WinFixMaster"; nocase; http_header; reference:url,doc.emergingthreats.net/2003544; classtype:trojan-activity; sid:2003544; 
rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor)"; flow:to_server,established; content:"User-Agent|3a| DNS Extractor"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:trojan-activity; sid:2003567; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003470; classtype:trojan-activity; sid:2003470; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; content:"User-Agent|3a| WinSoftware"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:trojan-activity; sid:2003527; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WinSoftware.com Spyware User-Agent (NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| NetInstaller"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003528; classtype:trojan-activity; 
sid:2003528; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (XieHongWei-HttpDown/2.0)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| XieHongWei"; http_header; reference:url,doc.emergingthreats.net/2011248; classtype:trojan-activity; sid:2011248; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE XupiterToolbar Spyware User-Agent (XupiterToolbar)"; flow: to_server,established; content:"XupiterToolbar"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+XupiterToolbar/iH"; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; reference:url,doc.emergingthreats.net/2002071; classtype:trojan-activity; sid:2002071; rev:17; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Yodao Desktop Dict)"; flow:to_server,established; content:"User-Agent|3a| Yodao"; http_header; reference:url,doc.emergingthreats.net/2011123; classtype:trojan-activity; sid:2011123; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Spyware User-Agent (Hotbar)"; flow: established,to_server; content:"|3b| Hotbar"; http_header; pcre:"/User-Agent\:[^\n]+Hotbar/iH"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001858; classtype:trojan-activity; sid:2001858; rev:29; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Spyware User-Agent (host)"; flow: to_server,established; content:"User-Agent|3a| host"; nocase; http_header; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/iH"; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; reference:url,doc.emergingthreats.net/2002164; classtype:trojan-activity; sid:2002164; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a.+ZangoToolbar.+\r$/Hmi"; reference:url,doc.emergingthreats.net/2003365; classtype:trojan-activity; sid:2003365; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Tools Spyware User-Agent (hbtools)"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:"|3b| HbTools"; http_header; fast_pattern; within:80; reference:url,doc.emergingthreats.net/2003383; classtype:trojan-activity; sid:2003383; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; content:"Seekmo"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Seekmo/iH"; threshold:type both, count 1, seconds 300, track by_src; classtype:trojan-activity; sid:2003397; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 
2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Cash Spyware User-Agent (ZC-Bridgev26)"; flow:established,to_server; content:"User-Agent|3a| ZC-Bridgev"; http_header; reference:url,doc.emergingthreats.net/2006780; classtype:trojan-activity; sid:2006780; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Cash Spyware User-Agent (ZC XML-RPC C++ Client)"; flow:established,to_server; content:"User-Agent|3a| ZC XML-RPC"; http_header; reference:url,doc.emergingthreats.net/2006781; classtype:trojan-activity; sid:2006781; rev:37; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent User-Agent (PinballCorp)"; flow:to_server,established; content:"User-Agent|3a| PinballCorp"; nocase; http_header; reference:url,doc.emergingthreats.net/2011691; classtype:trojan-activity; sid:2011691; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZenoSearch Spyware User-Agent"; flow:to_server,established; content:"User-Agent|3a| ["; http_header; pcre:"/User-Agent\: \[.*\][A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}/iH"; reference:url,doc.emergingthreats.net/2008279; classtype:trojan-activity; sid:2008279; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (gomtour)"; flow:to_server,established; content:"User-Agent|3a| gomtour|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011087; 
classtype:trojan-activity; sid:2011087; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (i-scan)"; flow:to_server,established; content:"User-Agent|3a| i-scan"; nocase; http_header; reference:url,doc.emergingthreats.net/2011105; classtype:trojan-activity; sid:2011105; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iWon Spyware (iWonSearchAssistant)"; flow:to_server,established; content:"User-Agent|3a| iWonSearch"; http_header; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,doc.emergingthreats.net/2002169; classtype:trojan-activity; sid:2002169; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE User-Agent (iexplore)"; flow:established,to_server; content:"User-Agent|3a| iexplore|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2000466; classtype:attempted-recon; sid:2000466; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)"; flow:established,to_server; content:"User-Agent|3a| iWin "; http_header; reference:url,doc.emergingthreats.net/2008558; classtype:trojan-activity; sid:2008558; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (lineguide)"; flow:to_server,established; content:"User-Agent|3a| lineguide"; nocase; http_header; reference:url,doc.emergingthreats.net/2011106; classtype:trojan-activity; sid:2011106; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, 
deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Download UBAgent) - lop.com and other spyware"; flow:to_server,established; content:"Download UBAgent"; http_header; fast_pattern:only; reference:url,www.spywareinfo.com/articles/lop/; reference:url,doc.emergingthreats.net/2003345; classtype:trojan-activity; sid:2003345; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"User-Agent|3a| ZCOM"; http_header; classtype:policy-violation; sid:2008503; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MSIL.Amiricil.gen HTTP Checkin"; flow:established,to_server; content:"/registerSession.py?"; http_uri; nocase; content:"proj="; http_uri; nocase; content:"&country="; http_uri; nocase; content:"&lang="; http_uri; nocase; content:"&channel="; http_uri; nocase; content:"source="; http_uri; nocase; content:"User-Agent|3a| NSIS_Inetc (Mozilla)"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=af0bbdf6097233e8688c5429aa97bbed; reference:url,doc.emergingthreats.net/2011677; classtype:trojan-activity; sid:2011677; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; content:"?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; fast_pattern:only; http_uri; content:"&err="; http_uri; reference:url,doc.emergingthreats.net/2008282; classtype:trojan-activity; sid:2008282; rev:5; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader Checkin - Downloads Rogue Adware "; flow:established,to_server; content:"GET"; nocase; http_method; content:"AreaID="; nocase; http_uri; content:"MediaID="; nocase; http_uri; content:"AdNo="; nocase; http_uri; content:"OriginalityID="; nocase; http_uri; content:"Url"; nocase; http_uri; content:"Mac="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"ValidateCode="; nocase; http_uri; content:"ParentName="; nocase; http_uri; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009526; classtype:trojan-activity; sid:2009526; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2010_07_30, updated_at 2017_09_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:trojan-activity; sid:2008839; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:trojan-activity; sid:2008840; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sality Virus User Agent Detected (KUKU)"; flow:established,to_server; content:"User-Agent|3a| KUKU"; nocase; http_header; reference:url,doc.emergingthreats.net/2003636; classtype:trojan-activity; sid:2003636; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.FakeAV.SystemDefender Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php?"; nocase; http_uri; content:"action=stat&wmid="; nocase; http_uri; content:"&event="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&i1"; nocase; http_uri; content:"&i2"; nocase; http_uri; reference:url,doc.emergingthreats.net/2008732; reference:md5,4d1df7240837832853c8b87606f3dfc2; classtype:trojan-activity; sid:2008732; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Adware/Antivirus360 Config to client"; flow:established,to_client; content:"[InstallerIni]"; nocase; depth:300; content:"|0d 0a|Pid="; nocase; within:6; content:"|0d 0a|Product="; nocase; content:"|0d 0a|FID="; nocase; content:"|0d 0a|Title="; nocase; reference:url,doc.emergingthreats.net/2009809; classtype:trojan-activity; sid:2009809; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Yokbar User-Agent Detected (YOK Agent)"; flow:established,to_server; content:"User-Agent|3a| YOK Agent|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008752; classtype:trojan-activity; sid:2008752; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2010_07_30, updated_at 2017_09_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Yokbar Checkin URL"; flow:established,to_server; content:"?p="; http_uri; content:"&v="; http_uri; content:"&m="; http_uri; content:"&d=200"; http_uri; content:"&x="; http_uri; content:"&t="; http_uri; reference:url,doc.emergingthreats.net/2008753; classtype:trojan-activity; sid:2008753; rev:4; metadata:created_at 2010_07_30, updated_at 
2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Worm.Pyks HTTP C&C Traffic User-Agent (skw00001)"; flow:established,to_server; content:"User-Agent|3a| skw000"; http_header; reference:url,doc.emergingthreats.net/2003588; classtype:trojan-activity; sid:2003588; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)"; http_header; nocase; fast_pattern:48,20; classtype:trojan-activity; sid:2011517; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)"; http_header; nocase; fast_pattern:48,20; classtype:trojan-activity; sid:2011518; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (browserbob.com)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Made with 
www.browserbob.com|29|"; fast_pattern:68,20; http_header; classtype:trojan-activity; sid:2011279; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (TALWinInetHTTPClient)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)|0d 0a|"; fast_pattern:17,20; http_header; classtype:trojan-activity; sid:2011283; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (GabPath)"; flow:to_server,established; content:"User-Agent|3a| GabPath"; http_header; classtype:trojan-activity; sid:2011293; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent|3a| KRMAK"; http_header; classtype:trojan-activity; sid:2011297; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (C\\WINDOWS\\system32\\NetLogom.exe)"; flow:established,to_server; content:"User-Agent|3a| C|3a 5c|WINDOWS|5c|system32|5c|NetLogom.exe"; http_header; classtype:bad-unknown; sid:2011334; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE web shell detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a 0d 0a|command="; fast_pattern; content:"&result="; within:12; classtype:trojan-activity; sid:2011391; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent|3a| http-get-demo"; http_header; 
classtype:trojan-activity; sid:2011392; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Microsoft Internet Explorer 6.0) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Explorer 6.0"; http_header; classtype:trojan-activity; sid:2011393; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Kraddare Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"strID="; http_uri; content:"strPC="; http_uri; metadata: former_category TROJAN; classtype:trojan-activity; sid:2011492; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2010_09_28, updated_at 2017_09_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=de1adb1df396863e7e3967271e7db734; classtype:trojan-activity; sid:2011856; rev:3; metadata:created_at 2010_10_26, updated_at 2010_10_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Gbot)"; flow:established,to_server; content:"User-Agent|3a| gbot"; http_header; classtype:trojan-activity; sid:2011872; rev:2; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; distance:0; content:!"Referer|3a 20|"; 
http_header; content:".php?"; nocase; http_uri; classtype:trojan-activity; sid:2011938; rev:2; metadata:created_at 2010_11_19, updated_at 2010_11_19;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; distance:0; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:trojan-activity; sid:2011939; rev:3; metadata:created_at 2010_11_19, updated_at 2010_11_19;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ASKTOOLBAR.DLL Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/toolbarv/askBarCfg?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"e="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=3f6413475b1466964498c8450de4062f; classtype:trojan-activity; sid:2012000; rev:3; metadata:created_at 2010_12_07, updated_at 2010_12_07;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AdVantage)"; flow:established,to_server; content:"User-Agent|3A| AdVantage"; http_header; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012104; rev:3; metadata:created_at 2011_12_27, updated_at 2011_12_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdVantage Malware URL Infection Report"; flow:established,to_server; content:"cfg_ver="; http_uri; nocase; content:"hwd="; http_uri; nocase; content:"campaign="; http_uri; nocase; content:"ver="; http_uri; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012105; rev:2; metadata:created_at 2011_12_27, updated_at 2011_12_27;)
+
+#alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:trojan-activity; sid:2012172; rev:3; metadata:created_at 2011_01_12, updated_at 2011_01_12;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Malware Domain twothousands.cm Likely Infection"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|twothousands|02|cm"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012176; rev:1; metadata:created_at 2011_01_12, updated_at 2011_01_12;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; fast_pattern:only; classtype:misc-activity; sid:2012228; rev:1; metadata:created_at 2011_01_25, updated_at 2011_01_25;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; fast_pattern:only; classtype:misc-activity; sid:2012229; rev:5; metadata:created_at 2011_01_25, updated_at 2011_01_25;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (0xa10xa1HttpClient)"; flow:established,to_server; content:"User-Agent|3a 20 a1 a1|HttpClient|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2012298; rev:3; metadata:created_at 2011_02_06, updated_at 2011_02_06;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .cn Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; nocase; fast_pattern; content:!"|03|360"; distance:-8; within:4; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00/i"; classtype:misc-activity; sid:2012327; rev:4; metadata:created_at 
2011_02_21, updated_at 2011_02_21;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:misc-activity; sid:2012328; rev:6; metadata:created_at 2011_02_21, updated_at 2011_02_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mozilla 3.0 and Indy Library User-Agent Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; classtype:trojan-activity; sid:2012536; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:trojan-activity; sid:2012615; rev:2; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Lowercase mozilla/2.0 User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|mozilla/2.0"; http_header; fast_pattern:11,12; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B; classtype:trojan-activity; sid:2012642; rev:5; metadata:created_at 2011_04_06, updated_at 2011_04_06;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*?[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; content:!"101.ru"; http_header; content:!"9366858.ru"; http_header; metadata: former_category MALWARE; 
classtype:misc-activity; sid:2012649; rev:4; metadata:created_at 2011_04_08, updated_at 2017_06_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE overtls.com adware request"; flow:to_server,established; content:"/sidebar.asp?bn=0&qy="; http_uri; content:"EmbeddedWB"; http_header; classtype:trojan-activity; sid:2012693; rev:2; metadata:created_at 2011_04_19, updated_at 2011_04_19;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible FakeAV Binary Download"; flow:established,to_client; content:"filename=|22|"; http_header; nocase; content:"antiv"; fast_pattern; nocase; http_header; within:50; pcre:"/filename\x3D\x22[^\r\n]*antiv[^\n]+\.exe/Hi"; classtype:trojan-activity; sid:2012753; rev:3; metadata:created_at 2011_04_29, updated_at 2011_04_29;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; file_data; content:"4d5a"; within:4; nocase; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; classtype:trojan-activity; sid:2012804; rev:3; metadata:created_at 2011_05_13, updated_at 2011_05_13;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related"; flow:to_server,established; content:"User-Agent|3a| x|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; classtype:trojan-activity; sid:2013017; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 
2011_06_13, updated_at 2017_09_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE RogueAntiSpyware.AntiVirusPro Checkin"; flow:established,to_server; content:"php?type=stats&affid="; http_uri; content:"&subid="; http_uri; content:"&version="; http_uri; content:"&adwareok"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; classtype:trojan-activity; sid:2013149; rev:1; metadata:created_at 2011_06_30, updated_at 2011_06_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidetab or Related Trojan Checkin"; flow:established,to_server; content:"/install.asp?"; http_uri; content:"version="; http_uri; content:"&id="; http_uri; content:"&mac="; http_uri; content:".co.kr|0d 0a|"; http_header; classtype:trojan-activity; sid:2013182; rev:2; metadata:created_at 2011_07_04, updated_at 2011_07_04;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.EZula Adware Reporting Successful Install"; flow:established,to_server; content:"/installer.cfc?res=success&hwid="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FEzula.F; classtype:trojan-activity; sid:2013195; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Unknown Malware patchlist.xml Request"; flow:established,to_server; content:"/update/patchlist.xml"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013200; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SweetIM Install in Progress"; flow:established,to_server; content:"/download/install/silent/SSweetIMSetup.CIS"; nocase; http_uri; classtype:trojan-activity; sid:2013243; rev:1; metadata:created_at 2011_07_11, updated_at 2011_07_11;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
Zugo.com SearchToolbar User-Agent (SearchToolbar)"; flow:established,to_server; content:"User-Agent|3a| Search Toolbar"; http_header; reference:url,www.zugo.com/faq/; reference:url,plus.google.com/109412257237874861202/posts/FXL1y8qG7YF; classtype:trojan-activity; sid:2013333; rev:4; metadata:created_at 2011_07_28, updated_at 2011_07_28;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; content:"User-Agent|3A| MM "; http_header; pcre:"/User-Agent\x3a MM \d\.\d+\x0d\x0a/H"; classtype:trojan-activity; sid:2013388; rev:3; metadata:created_at 2011_08_10, updated_at 2011_08_10;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:trojan-activity; sid:2013389; rev:1; metadata:created_at 2011_08_10, updated_at 2011_08_10;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:trojan-activity; sid:2013405; rev:2; metadata:created_at 2011_08_11, updated_at 2011_08_11;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTTP Connection to go2000.cn - Common Malware Checkin Server"; flow:established,to_server; content:"go2000.cn"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*go2000\x2Ecn/Hi"; reference:url,www.mywot.com/en/scorecard/go2000.cn; classtype:trojan-activity; sid:2013422; rev:1; metadata:created_at 2011_08_18, updated_at 2011_08_18;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSideKick Activity (iinfo)"; flow:established,to_server; content:"/iinfo.htm?host="; http_uri; 
content:"&action=update"; http_uri; content:"&ver="; http_uri; content:"&bundle="; http_uri; content:"&client="; http_uri; content:"&bp_id="; http_uri; content:"&prmerr="; http_uri; content:"&ir="; http_uri; classtype:trojan-activity; sid:2013448; rev:4; metadata:created_at 2011_08_22, updated_at 2011_08_22;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (go-diva)"; flow:to_server,established; content:"User-Agent|3a| go-diva"; http_header; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:trojan-activity; sid:2013452; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_08_23, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; content:".php?pi="; fast_pattern:only; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 6.0)|0d 0a|"; http_header; classtype:trojan-activity; sid:2013540; rev:7; metadata:created_at 2011_09_06, updated_at 2011_09_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UBar Trojan/Adware Checkin 1"; flow:established,to_server; content:"?gname="; http_uri; content:"&pid="; http_uri; content:"&m="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category TROJAN; reference:url,www.threatexpert.com/report.aspx?md5=81a119f7f47663c03053e76146f54fe9; classtype:trojan-activity; sid:2013556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_09, updated_at 2017_09_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UBar Trojan/Adware Checkin 2"; flow:established,to_server; content:"inst.php?"; http_uri; 
content:"pcode="; http_uri; content:"&ucode="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013557; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_10, updated_at 2017_09_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UBar Trojan/Adware Checkin 3"; flow:established,to_server; content:"size.php?"; http_uri; content:"file="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013558; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_10, updated_at 2017_09_21;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:bad-unknown; sid:2013658; rev:1; metadata:created_at 2011_09_15, updated_at 2011_09_15;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013729; rev:1; metadata:created_at 2011_09_30, updated_at 2011_09_30;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; content:"/LogProc.php?"; fast_pattern:only; http_uri; content:"mac="; http_uri; content:"mode="; http_uri; content:"&pCode="; http_uri; 
reference:url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:trojan-activity; sid:2013797; rev:4; metadata:created_at 2011_10_24, updated_at 2011_10_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 5217 (msg:"ET MALWARE W32/SmartPops Adware Outbound Off-Port MSSQL Communication"; flow:established,to_server; content:"S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; content:"D|00|B|00|_|00|S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; distance:0; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013956; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_11_23, updated_at 2017_09_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Win32/EoRezo Reporting"; flow:established,to_server; content:"/advert/get"; nocase; http_uri; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/Ui"; reference:url,threatexpert.com/report.aspx?md5=b5708efc8b478274df4b03d8b7dbbb26; classtype:trojan-activity; sid:2013983; rev:5; metadata:created_at 2011_12_02, updated_at 2011_12_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SWInformer.B Checkin"; flow:to_server,established; content:"log.php?"; http_uri; content:"User-Agent|3a| FDMuiless|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014004; rev:3; metadata:created_at 2011_12_08, updated_at 2011_12_08;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def)"; flow:established,to_server; content:"User-Agent|3A 20|ic Windows NT 5.1 MSIE 6.0 Firefox/ Def"; http_header; classtype:trojan-activity; sid:2013999; rev:1; metadata:created_at 
2011_12_08, updated_at 2011_12_08;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tool.InstallToolbar.24 Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cr_confirm.asmx/GetXMLLog?"; nocase; http_uri; content:"TbId="; nocase; http_uri; content:"TUID="; nocase; http_uri; content:"Action_Type="; nocase; http_uri; reference:url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076; classtype:trojan-activity; sid:2014060; rev:3; metadata:created_at 2012_01_02, updated_at 2012_01_02;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32-Adware.Hotclip.A Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/filetadak/app_check.php?"; nocase; http_uri; content:"kind="; nocase; http_uri; content:"pid=donkeys"; nocase; http_uri; reference:url,spydig.com/spyware-info/Win32-Adware-Hotclip-A.html; classtype:trojan-activity; sid:2014069; rev:3; metadata:created_at 2012_01_02, updated_at 2012_01_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Gen5 Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cmd/report.php?"; nocase; http_uri; content:"PartnerId="; nocase; http_uri; content:"OfferId="; nocase; http_uri; content:"action="; nocase; http_uri; content:"program="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=90410d783f6321c8684ccb9ff0613a51; classtype:trojan-activity; sid:2014071; rev:3; metadata:created_at 2012_01_02, updated_at 2012_01_02;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ins_proc.asp?kind="; http_uri; fast_pattern; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; 
reference:url,www.threatexpert.com/report.aspx?md5=8eaf3b7b72a9af5a85d01b674653ccac; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; classtype:trojan-activity; sid:2014117; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"User-Agent|3A 20|EoAgence-"; http_header; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:trojan-activity; sid:2014120; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OpenCandy Adware Checkin"; flow:established,to_server; content:"clientv="; http_uri; content:"&cltzone="; http_uri; content:"&mstime="; http_uri; content:"&os="; http_uri; content:"&product_key="; http_uri; content:"opencandy.com"; fast_pattern; http_header; classtype:trojan-activity; sid:2014122; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Common Adware Library ISX User Agent Detected"; flow:established,to_server; content:"User-Agent|3A 20|ISX Download DLL"; fast_pattern:12,16; http_header; reference:url,www.dateiliste.com/d3files/tools/mphider/isxdl.htm; classtype:trojan-activity; sid:2014137; rev:2; metadata:created_at 2012_01_18, updated_at 2012_01_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; content:"/inst.php?"; http_uri; content:"User-Agent|3a| psi"; http_header; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:trojan-activity; sid:2014262; rev:3; metadata:created_at 2012_01_21, updated_at 2012_01_21;) + +#alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious ad_track.php file Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad_track.php"; nocase; http_uri; content:"etekey="; nocase; http_uri; content:"track.ete.cn"; nocase; http_header; classtype:trojan-activity; sid:2014183; rev:3; metadata:created_at 2012_02_06, updated_at 2012_02_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OpenTrio User-Agent (Open3)"; flow:established,to_server; content:"User-Agent|3A 20|Open3"; http_header; classtype:trojan-activity; sid:2014190; rev:1; metadata:created_at 2012_02_06, updated_at 2012_02_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/MediaGet Checkin"; flow:established,to_server; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PlaySushi User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|psi "; http_header; reference:md5,039815a7cb0b7ee52b753a9b79006f97; classtype:trojan-activity; sid:2014261; rev:1; metadata:created_at 2012_02_21, updated_at 2012_02_21;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:policy-violation; sid:2014286; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_02_27, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Carder Card Checking Tool try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:policy-violation; sid:2014287; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_02_27, updated_at 2016_07_01;) + +alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance Adware Checkin"; flow:established,to_server; content:"/inst.asp?d="; http_uri; content:"&cl="; http_uri; content:"&l="; http_uri; content:"&e="; http_uri; content:"&v="; http_uri; content:"&uid="; http_uri; content:"&time="; http_uri; content:"&win="; http_uri; content:"&ac="; http_uri; content:"&ti="; http_uri; content:"&xv="; http_uri; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014339; rev:1; metadata:created_at 2012_03_08, updated_at 2012_03_08;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance Adware User Agent"; flow:established,to_server; content:"User-Agent|3a| zz_"; http_header; pcre:"/^User-Agent\x3a zz_[a-z0-9]{1,3}\s*[0-9]\.[0-9]{1,2}\.[0-9]{2,4}/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014340; rev:4; metadata:created_at 2012_03_08, updated_at 2012_03_08;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/MediaGet.Adware Installer Download"; flow:established,to_client; content:"Set-Cookie|3A 20 |MediagetDownloaderInfo=installer"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:trojan-activity; sid:2014353; rev:4; metadata:created_at 2012_03_09, updated_at 2012_03_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/SoftonicDownloader.Adware User Agent"; flow:established,to_server; content:"User-Agent|3A 20|Softonic Downloader/"; http_header; reference:md5,1047b186bb2822dbb5907cd743069261; 
classtype:trojan-activity; sid:2014355; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/LoudMo.Adware Checkin"; flow:established,to_server; content:"/?aff="; http_uri; content:"Host|3A 20|www.gamebound.com"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo; reference:md5,fc06c613e83f0d3271beba4fdcda987f; classtype:trojan-activity; sid:2014400; rev:2; metadata:created_at 2012_03_19, updated_at 2012_03_19;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:trojan-activity; sid:2014403; rev:1; metadata:created_at 2012_03_19, updated_at 2012_03_19;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; file_data; content:"BitcoinPlusMiner("; fast_pattern:only; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:bad-unknown; sid:2014535; rev:3; metadata:created_at 2012_04_09, updated_at 2012_04_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/FakeAV.Kraddare Checkin UA"; flow:established,to_server; content:"pcsetup_"; http_header; pcre:"/User-Agent\x3a \w+pcsetup_\w+/H"; metadata: former_category TROJAN; reference:url,www.scumware.org/report/update.best-pc.co.kr; classtype:trojan-activity; sid:2014583; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2012_04_16, 
updated_at 2017_09_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Pdfjsc.XD Related Checkin (microsoft_predator_client header field)"; flow:established,to_server; content:"|0d 0a|microsoft_predator_client|0d 0a|"; nocase; reference:url,www.fourteenforty.jp/products/yarai/CVE2011-0609/; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; reference:md5,3d91d9df315ffeb9bb1c774452b3114b; classtype:bad-unknown; sid:2014584; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance User-Agent (aw v3)"; flow:established,to_server; content:"User-Agent|3A 20|aw v3"; http_header; classtype:trojan-activity; sid:2014606; rev:3; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin"; flow:established,to_client; file_data; content:"cfgint="; within:7; content:"cid="; within:30; content:"eus="; within:30; content:"esint="; within:30; content:"sc2dcnt="; within:30; content:"domfqcap="; within:30; content:"domtm="; within:30; content:"css="; within:30; classtype:trojan-activity; sid:2014605; rev:4; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Dialer.Adultchat Checkin"; flow:established,to_server; content:"/getclientid.wnk?srv="; http_uri; content:"&ver="; http_uri; content:"&pin="; http_uri; content:"&OSInfo2="; http_uri; content:"&cinfo="; http_uri; content:"retryattempt="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDluca.AN&ThreatID=-2147365813; reference:md5,fd2c949dc20b651a53326a3d571641ec; classtype:trojan-activity; sid:2014667; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
MALWARE Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:trojan-activity; sid:2014735; rev:2; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; content:"POST"; http_method; content:"/rdc/rnd.php"; http_uri; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:trojan-activity; sid:2014767; rev:5; metadata:created_at 2012_05_18, updated_at 2012_05_18;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:bad-unknown; sid:2014798; rev:1; metadata:created_at 2012_05_21, updated_at 2012_05_21;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:trojan-activity; sid:2014810; rev:3; metadata:created_at 2012_05_25, updated_at 2012_05_25;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OnlineGames Checkin"; flow:established,to_server; content:"/game"; http_uri; content:"/diary/item/"; http_uri; content:"User-Agent|3A| getURLDown|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015017; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header;
reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015018; rev:1; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Toolbar.CrossRider.A Checkin"; flow:to_server,established; content:".gif?action="; http_uri; content:"&browser="; http_uri; content:"&ver="; http_uri; content:"&bic="; fast_pattern:only; http_uri; content:"&app="; http_uri; content:"&appver="; http_uri; content:"&verifier="; http_uri; reference:md5,55668102739536c1b00bce9e02d8b587; classtype:trojan-activity; sid:2018301; rev:2; metadata:created_at 2012_10_05, updated_at 2012_10_05;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 1"; flow:established,to_server; content:"/get_xml?"; http_uri; fast_pattern; content:"User-Agent|3a| tiny-dl"; http_header; pcre:"/\/get_xml\?(?:file_id|stb)=/Ui"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024250; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2012_12_19, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 2"; flow:established,to_server; content:"/download.php?id="; http_uri; fast_pattern; content:"&f="; http_uri; content:"User-Agent|3a| tiny-dl"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024251; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2012_12_19,
malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE suspicious User-Agent (vb wininet)"; flow:established,to_server; content:"User-Agent|3a 20|vb|20 20 20|wininet|0d 0a|"; http_header; classtype:bad-unknown; sid:2016069; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2012_12_20, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Eorezo.Adware CnC Beacon"; flow:established,to_server; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern:8,20; http_uri; content:"&x_format="; http_uri; content:"&x_pub_id="; http_uri; content:"&tag="; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-061213-2441-99; classtype:trojan-activity; sid:2016546; rev:1; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Win32/SProtector.A Client Checkin"; flow:established,to_server; content:"?data="; http_uri; content:"&version="; http_uri; distance:0; content:"User-Agent|3a| win32|0D 0A|"; http_header; fast_pattern:only; reference:md5,38f61d046e575971ed83c4f71accd132; classtype:trojan-activity; sid:2016780; rev:1; metadata:created_at 2013_04_22, updated_at 2013_04_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 3"; flow:to_server,established; content:"/get_download_xml_"; fast_pattern:only; http_uri; content:"?id="; http_uri; content:"User-Agent|3a| tiny-dl"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024252; rev:2; metadata:affected_product
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_05_03, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.MSIL.Solimba.b GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/dmr/access/"; http_uri; content:"User-Agent|3a| DownloadMR"; nocase; http_header; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016905; rev:2; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.MSIL.Solimba.b POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/dmr/exception"; http_uri; content:"User-Agent|3a| DownloadMR"; nocase; http_header; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016906; rev:2; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent Smart-RTP"; flow: established,to_server; content:"User-Agent|3A| Smart-RTP"; nocase; http_header; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; classtype:trojan-activity; sid:2016915; rev:3; metadata:created_at 2013_05_22, updated_at 2013_05_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA"; flow: established,to_server; content:"User-Agent|3A|
Custom_56562_HttpClient/VER_STR_COMMA"; nocase; http_header; classtype:trojan-activity; sid:2016916; rev:2; metadata:created_at 2013_05_22, updated_at 2013_05_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware pricepeep Adware.Shopper.297"; flow: established,to_server; content:"GET"; nocase; http_method; content:"/logger/software/hit/"; nocase; http_uri; content:"/?v."; nocase; http_uri; reference:url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/; reference:url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html; reference:md5,0564e603f9ed646553933cb0d271f906; classtype:trojan-activity; sid:2016917; rev:1; metadata:created_at 2013_05_22, updated_at 2013_05_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 4"; flow:to_server,established; content:"/get_file_info.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| tiny-dl"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_05_22, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Ezula Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/UVid.asp?"; fast_pattern:only; http_uri; reference:md5,dede600f1e78fd20e4515bea1f2bdf61; classtype:trojan-activity; sid:2016938; rev:2; metadata:created_at 2013_05_28, updated_at 2013_05_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Gamevance.AV Checkin"; flow:established,to_server; content:"/aj/"; http_uri; fast_pattern:only;
content:".php?p="; http_uri; content:!"Referer|3a|"; http_header; reference:url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/; reference:md5,0134997dff945fbfe62f343bcba782bc; classtype:trojan-activity; sid:2017136; rev:3; metadata:created_at 2013_07_11, updated_at 2013_07_11;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Crossrider Spyware Checkin"; flow:established,to_server; content:"/updater/"; http_uri; depth:9; content:"/update.json?rnd="; http_uri; distance:32; within:18; content:!"User-Agent"; http_header; classtype:trojan-activity; sid:2017196; rev:2; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 6"; flow:to_server,established; content:"/get_xml?story="; fast_pattern:only; http_uri; content:"&file"; http_uri; content:"User-Agent|3a| Downloader"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024254; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_09_11, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 7"; flow:to_server,established; content:"/info?story="; fast_pattern:only; http_uri; content:"&file="; http_uri; content:"User-Agent|3a| Downloader"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024255; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney,
signature_severity Minor, created_at 2013_09_16, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Wajam.Adware Successful Install"; flow:established,to_server; content:"/wajam_install.exe?aid="; http_uri; content:"User-Agent|3A 20|NSIS_Inetc"; http_header; classtype:trojan-activity; sid:2017561; rev:3; metadata:created_at 2013_10_04, updated_at 2013_10_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 5"; flow:to_server,established; content:"/getspfile.php?id="; fast_pattern:only; http_uri; content:"User-Agent|3a| tiny-dl"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024256; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_11_19, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OptimizerPro Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/op?sid="; http_uri; content:"&dt="; http_uri; distance:0; content:"&gid="; http_uri; distance:0; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,eba3a996f5b014b2d410f4bf32b8530b; classtype:trojan-activity; sid:2018742; rev:2; metadata:created_at 2013_12_11, updated_at 2013_12_11;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Linkular.Adware Successful Install Beacon"; flow:established,to_server; content:"/api/success/?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&cv="; http_uri; content:"&context="; http_uri; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06;
classtype:trojan-activity; sid:2017880; rev:3; metadata:created_at 2013_12_17, updated_at 2013_12_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Linkular.Adware Icons.dat Second Stage Download"; flow:established,to_server; content:"/downloads/icons.dat"; fast_pattern:only; http_uri; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:trojan-activity; sid:2017881; rev:2; metadata:created_at 2013_12_17, updated_at 2013_12_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GMUnpackerInstaller.A Checkin"; flow:to_server,established; content:"/new/rar.xml"; fast_pattern:only; nocase; http_uri; content:!"User-Agent|3a| "; nocase; http_header; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:trojan-activity; sid:2017892; rev:1; metadata:created_at 2013_12_19, updated_at 2013_12_19;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallRex.Adware Initial CnC Beacon"; flow:established,to_server; content:"/?step_id="; http_uri; content:"&publisher_id="; http_uri; content:"&page_id="; http_uri; content:"&country_code="; http_uri; content:"&browser_id="; http_uri; content:"&download_id="; http_uri; content:"&hardware_id="; http_uri; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017911; rev:1; metadata:created_at 2014_12_30, updated_at 2014_12_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?report_version="; http_uri; content:"data="; http_client_body; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017912; rev:1; metadata:created_at 2014_12_30, updated_at 2014_12_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.PUQD Checkin"; flow:established,to_server;
content:"GET"; http_method; content:"/debug/Version/"; fast_pattern:only; http_uri; content:"/trace/"; http_uri; pcre:"/^\/debug\/Version\/\d_\d_\d_\d\d{1,2}?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$/U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,e44962d7dec79c09a767a1d3e8ce02d8; reference:url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/; classtype:trojan-activity; sid:2017945; rev:2; metadata:created_at 2014_01_08, updated_at 2014_01_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Potentially Unwanted Application AirInstaller"; flow:to_server,established; urilen:>31; content:"GET"; http_method; content:"/launch/?c="; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"&m="; http_uri; content:"&l="; http_uri; content:"&b="; http_uri; content:"&sid="; http_uri; content:"&os="; http_uri; reference:md5,3eaaf0de35579e5af89ae3dd81d0c592; reference:md5,ac030896aad1b6b0eeb00952dee24c3f; classtype:trojan-activity; sid:2018095; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.NSIS.OutBrowse.b Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/Installer/Flow?pubid="; nocase; depth:22; http_uri; fast_pattern; content:"&distid="; distance:0; http_uri; content:"&productid="; distance:0; http_uri; content:"&subpubid="; distance:0; http_uri; content:"&campaignid="; distance:0; http_uri; content:"&networkid="; distance:0; http_uri; content:"&dfb="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"Chrome/18.0.1025.142
Safari/535.19|0d 0a|Host|3a|"; http_header; reference:md5,38eeed96ade6037dc299812eeadee164; reference:url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx; classtype:trojan-activity; sid:2018617; rev:4; metadata:created_at 2014_01_13, updated_at 2016_06_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BetterInstaller"; flow:to_server,established; content:"GET"; http_method; content:"?v="; http_uri; content:"&uid="; http_uri; content:"&muid="; http_uri; pcre:"/[a-f0-9]{32}\?v=/Ui"; reference:md5,efa0bed2695446eab679083a9f0f89c6; classtype:trojan-activity; sid:2018195; rev:3; metadata:created_at 2014_01_15, updated_at 2014_01_15;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent 100 non-printable char"; flow:to_server,established; content:"User-Agent|3a 20|"; pcre:"/^([\x7f-\xff]){100}/Ri"; reference:md5,176638536e926019e3e79370777d5e03; classtype:trojan-activity; sid:2017982; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_01_17, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/OutBrowse.G Variant Checkin"; flow:to_server,established; content:"/dmresources/instructions"; fast_pattern; http_uri; content:".dat"; http_uri; content:"|20|HTTP/1.0|0d 0a|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; reference:md5,d75055c45e2c5293c3e0fbffb299ea6d; reference:url,www.virustotal.com/en/file/95e0eaaee080f2c167464ed6da7e4b7a27937ac64fd3e1792a1aa84c1aed488e analysis/; classtype:trojan-activity; sid:2017992; rev:5; metadata:created_at 2014_01_20, updated_at 2014_01_20;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/BettrExperience.Adware Initial Checkin"; flow:established,to_server; content:"/updater/";
http_uri; content:"User-Agent|3A 20|UpdaterResponse"; http_header; fast_pattern:12,15; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018024; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/BettrExperience.Adware POST Checkin"; flow:established,to_server; content:"POST"; content:"User-Agent|3A 20|UpdaterResponse"; http_header; fast_pattern:12,15; pcre:"/^\x2F[A-F0-9]{25,40}$/U"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018025; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/BettrExperience.Adware Update Checkin"; flow:established,to_server; content:"/Check.ashx?"; depth:12; http_uri; content:"&e="; http_uri; content:"&n="; http_uri; content:"&mv="; http_uri; content:!"Referer|3a 20|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018026; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/AdLoad.Downloader Download"; flow:established,to_server; content:"/v"; http_uri; content:"&product_name="; http_uri; content:"&installer_file_name="; http_uri; pcre:"/\x2Fv[0-9]{3,4}[\x2F\x3F]/U"; reference:url,malwaretips.com/blogs/trojandownloader-win32-adload-da-virus/; classtype:trojan-activity; sid:2018048; rev:2; metadata:created_at 2014_01_31, updated_at 2014_01_31;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent EXE2"; flow: established,to_server; content:"User-Agent|3A| EXE2|0d 0a|"; nocase; http_header; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:trojan-activity; sid:2018049; rev:1; metadata:created_at 2014_01_31, updated_at 2014_01_31;)
+
+alert tcp $HOME_NET
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Magania"; flow: established,to_server; flowbits:set,EXE2; flowbits:noalert; content:"GET"; http_method; content:".txt"; http_uri; content:"User-Agent|3a| EXE2"; fast_pattern; nocase; http_header; content:!"Accept|3a| "; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; content:!"Connection|3a| "; nocase; http_header; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:trojan-activity; sid:2018050; rev:2; metadata:created_at 2014_01_31, updated_at 2014_01_31;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent Mozi11a"; flow: established,to_server; content:"User-Agent|3A| Mozi11a|0d 0a|"; http_header; reference:md5,3cf3d4d5de51a8c37e11595159179571; classtype:trojan-activity; sid:2018051; rev:2; metadata:created_at 2014_01_31, updated_at 2014_01_31;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (gettingAnswer)"; flow: established,to_server; content:"User-Agent|3A| gettingAnswer"; nocase; http_header; reference:md5,c305a0af3fe84525a993130b7854e3e0; classtype:trojan-activity; sid:2018084; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_02_06, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Safekeeper.Adware CnC Beacon"; flow:established,to_server; content:"/app_version/solution/cfg/exn.php?pid="; http_uri; content:".dll|0D 0A|"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*\x2Edll\x0D\x0A/H"; reference:md5,9a1c669203b5e9ebb68e2c2cfc964daa; classtype:trojan-activity; sid:2018099; rev:1; metadata:created_at 2014_02_10, updated_at 2014_02_10;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallMonetizer.Adware Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| NSIS_Inetc
(Mozilla)"; http_header; fast_pattern:12,20; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&pubid="; http_client_body; distance:0; content:"&BundleVersionID="; http_client_body; distance:0; classtype:trojan-activity; sid:2018148; rev:2; metadata:created_at 2014_02_17, updated_at 2014_02_17;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallMonetizer.Adware Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; fast_pattern:12,20; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&mode="; http_client_body; distance:0; content:"&subid="; http_client_body; distance:0; content:"&mid="; http_client_body; distance:0; classtype:trojan-activity; sid:2018149; rev:1; metadata:created_at 2014_02_17, updated_at 2014_02_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.AdWare.iBryte.C Install "; flow:established,to_server; content:"/offers.json?version="; http_uri; content:"&pid=installer&ts="; http_uri; reference:md5,2fae46d1a71a893834a01ed3106b8036; classtype:trojan-activity; sid:2018197; rev:1; metadata:created_at 2014_02_28, updated_at 2014_02_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Yotoon.hs Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/product-am.php?id="; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&offer["; distance:0; http_uri; content:"User-Agent|3a 20|NSISDL/1.2 (Mozilla)"; http_header; content:!"Referer|3a|"; http_header; reference:md5,20c7226185ed7999e330a46d3501dccb; classtype:trojan-activity; sid:2018307; rev:2; metadata:created_at 2014_03_19, updated_at 2014_03_19;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Linkular.Adware Successful Install Beacon (2)"; flow:established,to_server;
content:"/api/software/?s="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&output="; http_uri; content:"&v="; http_uri; content:"&l="; http_uri; content:"&np="; http_uri; content:"&osv="; http_uri; content:"&b="; http_uri; content:"&bv="; http_uri; content:"&c="; http_uri; content:"&cv="; http_uri; reference:url,webroot.com/blog/2014/03/25/deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications/; classtype:trojan-activity; sid:2018323; rev:2; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SoundCloud Downloader Install Beacon"; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/index.php"; http_uri; content:"&OSversion="; http_client_body; content:"&Slv="; http_client_body; content:"&Sysid="; http_client_body; content:"&Sysid1="; http_client_body; content:"&admin="; http_client_body; content:"&browser="; http_client_body; content:"&exe="; http_client_body; content:"&ffver="; http_client_body; content:"&lang_DfltUser="; http_client_body; content:"&ver="; http_client_body; content:"&ts="; http_client_body; reference:url,blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/; reference:md5,2e20e446943ecd01d3a668083d81d1fc; classtype:trojan-activity; sid:2018324; rev:1; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Amonetize.Downloader Executable Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/bundle/"; http_uri; content:"/?p="; http_uri; content:"User-Agent|3A| zz_afi"; http_header; reference:md5,23246f740cffc0bd9eb5be2e7703568a; classtype:trojan-activity; sid:2018333; rev:2; metadata:created_at 2014_03_28, updated_at 2014_03_28;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/DownloadAdmin.Adware CnC Beacon";
flow:established,to_server; content:"/dl?gclid="; fast_pattern:only; http_uri; content:"&source="; http_uri; content:"&c="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:trojan-activity; sid:2018338; rev:2; metadata:created_at 2014_03_31, updated_at 2014_03_31;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/DownloadAdmin.Adware Executable Download Request"; flow:established,to_server; content:"/download/"; http_uri; content:"/dl?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&brand="; http_uri; content:"&pid="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; content:"&cb="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:trojan-activity; sid:2018339; rev:2; metadata:created_at 2014_03_31, updated_at 2014_03_31;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/iBryte.Adware Affiliate Campaign Executable Download"; flow:established,to_server; content:"GET"; http_method; content:".exe?mode="; fast_pattern:only; http_uri; content:"&subid="; http_uri; content:"&filedescription="; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,65e5b8e84772f55d761a85bf53c14169; reference:md5,cfda690ebe7bccc5c3063487f6e54086; classtype:trojan-activity; sid:2018367; rev:5; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PullUpdate.Adware CnC Beacon"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"?v="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/^\/[a-z]{2}\x3Fv\x3D[0-9]$/U"; reference:md5,129563c2ab034af094422db408d7d74f;
classtype:trojan-activity; sid:2018368; rev:4; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
+
+#alert tcp $HOME_NET any -> 54.218.7.114 $HTTP_PORTS (msg:"ET MALWARE DomainIQ Check-in"; flow:established,to_server; content:"User-Agent|3a 20|NSISDL/1.2|20 28|Mozilla|29 0d 0a|"; http_header; fast_pattern:14,20; reference:md5,00699af9bb10af100563adbb767bcee0; classtype:trojan-activity; sid:2018458; rev:1; metadata:created_at 2014_05_09, updated_at 2014_05_09;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.MultiInstaller"; flow:established, to_server; content:"GET"; http_method; content:"?s1="; http_uri; fast_pattern:only; pcre:"/^\/(?:info|entrance|start|debug)\?s1=[a-f0-9]{100,}$/U"; content:!"Referer|3a|"; http_header; reference:md5, 26973eeddb4781225b7c23d2d9cce996; reference:md5,a74b1602a50b9c7d3262e3f80a6a2e68; classtype:trojan-activity; sid:2018512; rev:4; metadata:created_at 2014_06_02, updated_at 2014_06_02;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/DownloadGuide.A"; flow:established, to_server; content:"POST"; http_method; content:"/1/dg/3"; http_uri; fast_pattern; content:"Content-Type|3a| application/json"; http_header; content:!"Referer|3a|"; http_header; content:"{|22|BuildId|22 3a|"; http_client_body; content:"|22|Campaign|22|"; http_client_body; content: "|22|TrackBackUrl|22|"; http_client_body; reference:md5,37b91123a58a48975770241445392aeb; classtype:trojan-activity; sid:2018513; rev:2; metadata:created_at 2014_06_02, updated_at 2014_06_02;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32.SoftPulse Checkin"; flow: established, to_server; content:"POST"; http_method; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29|"; http_header; content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; depth:45; http_client_body; content:"|22|machine_ID|22 3a 22|"; distance:0; http_client_body;
reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; classtype:trojan-activity; sid:2018557; rev:4; metadata:created_at 2014_06_11, updated_at 2014_06_11;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/evt/?nexcb="; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; distance:0; pcre:"/^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$/U"; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:trojan-activity; sid:2018565; rev:2; metadata:created_at 2014_06_16, updated_at 2014_06_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.MultiInstaller checkin 2"; flow:established, to_server; content:"GET"; http_method; content:"/entrance?s1="; depth:13; http_uri; pcre:"/^\/entrance\?s1=[a-f0-9]{100,}$/Ui"; content:!"Referer|3a|"; http_header; reference:md5,c610d46d97c1b80f027f56d227a003f7; classtype:trojan-activity; sid:2018590; rev:1; metadata:created_at 2014_06_20, updated_at 2014_06_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Optimizer Pro Adware Download"; flow:established,to_server; content:"GET"; http_method; content:"/OptimizerPro.exe"; nocase; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/OptimizerPro\.exe$/Ui"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:trojan-activity; sid:2018743; rev:1; metadata:created_at 2014_07_21, updated_at 2014_07_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Optimizer Pro Adware GET or POST to C2"; flow:established,to_server; content:"GET"; http_method; content:"/?q="; offset:4; depth:8; http_uri; content:"optpro"; http_header; fast_pattern:only; pcre:"/^\/(?:get|install)\/\?q=/U"; 
reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:trojan-activity; sid:2018744; rev:3; metadata:created_at 2014_07_21, updated_at 2014_07_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32.SoftPulse Retrieving data"; flow:established,to_server; content:"GET"; http_method; content:"/maxpower-static/templates/"; depth:27; http_uri; content:!"Referer|3a|"; http_header; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; classtype:trojan-activity; sid:2019143; rev:3; metadata:created_at 2014_07_22, updated_at 2014_07_22;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/SearchSuite Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:23; content:"/install_statistics.php"; fast_pattern; http_uri; depth:23; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE|3B| Win32)"; http_header; content:"XML="; http_client_body; depth:4; content:!"Referer|3a|"; http_header; reference:md5,7203a56c3888e819c602e758fce823fa; reference:md5,77e33e8a53e2a0dbc06c921de9b71142; classtype:trojan-activity; sid:2018753; rev:1; metadata:created_at 2014_07_23, updated_at 2014_07_23;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/BrowseFox.H Checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:3; content:"/rs"; http_uri; content:"alpha="; http_client_body; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^alpha=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:md5,437a5cb57567c2691ce61a700682eab7; classtype:trojan-activity; sid:2018899; rev:2; metadata:created_at 2014_07_29, updated_at 2014_07_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MultiPlug.A checkin"; flow:to_server,established; content:"get/?ver="; http_uri; content:"&aid="; http_uri; 
distance:0; content:"&hid="; http_uri; distance:0; content:"&rid="; http_uri; distance:0; content:"&data="; http_uri; distance:0; content:"&report="; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; pcre:"/^\/get\/\?ver=.+?\&aid=\d{8,12}\&hid=[a-f0-9]{15,17}&rid=\d{13}\&data=.*?&report=/U"; reference:md5,f9556acf36168414ad7d5650eeee7972; reference:md5,69e28b658520528a1473f51e62698c87; classtype:trojan-activity; sid:2018867; rev:1; metadata:created_at 2014_08_01, updated_at 2014_08_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 8"; flow:established,to_server; content:"GET"; http_method; content:"&chromeLog="; http_uri; fast_pattern; content:"&ffLog="; distance:0; http_uri; content:"&operaLog="; distance:0; http_uri; content:"¬Admin="; distance:0; http_uri; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024257; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2014_08_05, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MAC/Conduit Component Download"; flow:established,to_server; content:"GET"; http_method; content:"/installer?dp="; http_uri; content:"&sdp="; http_uri; content:"&f="; http_uri; content:"&id="; http_uri; content:"&v="; http_uri; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:trojan-activity; sid:2019144; rev:1; metadata:created_at 2014_09_09, updated_at 2014_09_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Stan Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"Proxy-Authorization|3A| Basic"; 
http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3A| stan|2E|"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{50,}$/U"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:trojan-activity; sid:2019145; rev:1; metadata:created_at 2014_09_09, updated_at 2014_09_09;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Kyle Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"Host|3A| kyle|2E|"; http_header; fast_pattern:only; pcre:"/^\/[\w-]{50,}$/U"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:trojan-activity; sid:2019156; rev:1; metadata:created_at 2014_09_10, updated_at 2014_09_10;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SoftPulse.H Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/__dmp__/"; http_uri; fast_pattern:only; content:"data={"; depth:6; http_client_body; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6424fb3317b4be3d00e4d489122c9a48; classtype:trojan-activity; sid:2019228; rev:2; metadata:created_at 2014_09_24, updated_at 2014_09_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.InstallCore.B Checkin"; flow:established,to_server; urilen:14<>17; content:"POST"; http_method; content:"/?pcrc="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/^\/\?pcrc=[0-9]{7,10}$/U"; content:"0A0Czut"; depth:7; http_client_body; reference:md5,d933bef7e1118b181add31eb5edc5c73; classtype:trojan-activity; sid:2019511; rev:4; metadata:created_at 2014_10_27, updated_at 2014_10_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/DealPly Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/pxl/"; http_uri; fast_pattern:only; content:"e=-1"; 
http_uri; content:"&c="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,c6ebffb418813ed68ac5ed9f51f83946; classtype:trojan-activity; sid:2019622; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/ELEX Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/v"; depth:2; http_uri; content:"?update"; http_uri; fast_pattern; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\?update[0-9]?=[a-z]+/Ui"; reference:md5, 2fed7fe9d055ebb63897bc2c8996676d; reference:md5,e2fd0d2c44e96cab5017bb8a68ca92a6; classtype:trojan-activity; sid:2019779; rev:5; metadata:created_at 2014_11_24, updated_at 2014_11_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/CloudScout Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/QualityCheck/"; http_uri; fast_pattern; content:".php"; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:"dp="; http_client_body; depth:3; content:"&sdp="; http_client_body; distance:0; content:"&a="; http_client_body; distance:0; pcre:"/\.php$/U"; reference:md5,c732b52b245444e3f568d372ce399911; classtype:trojan-activity; sid:2019780; rev:6; metadata:created_at 2014_11_24, updated_at 2016_05_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/DomaIQ Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; content:"&OSversion="; http_client_body; content:"&Sysid="; http_client_body; content:"&Sysid1="; http_client_body; content:"&X64="; http_client_body; content:"&exe="; http_client_body; content:"&ffver="; http_client_body; content:"&lang_DfltSys="; http_client_body; content:"&lang_DfltUser="; http_client_body; reference:md5,9befc43d2019c5614e7372a16e3a5ce5; classtype:trojan-activity; sid:2019944; rev:2; 
metadata:created_at 2014_12_16, updated_at 2014_12_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP W32/DownloadGuide.D"; flow:established,to_server; content:"POST"; http_method; content:"/config-from-production"; http_uri; content:"{|22|os|22 3A 22|"; http_client_body; depth:7; content:"|22|lang|22 3A 22|"; http_client_body; distance:0; content:"|22|uid|22 3A 22|"; http_client_body; distance:0; content:"|22|prod|22 3A 22|"; http_client_body; distance:0; reference:md5,294752c7c4fcf4252a9e99bb4df7ff5c; classtype:trojan-activity; sid:2019974; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/iBryte.Adware Installer Download"; flow:established,to_server; content:"GET"; http_method; content:".exe?mode="; http_uri; content:"&sf="; http_uri; content:"&browser="; http_uri; content:"&useragent="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,4c80e5f72a2ab8324b981e37b3b0e5d1; classtype:trojan-activity; sid:2020197; rev:3; metadata:created_at 2015_01_16, updated_at 2015_01_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP.Win32.BoBrowser User-Agent (LogEvents)"; flow:established,to_server; content:"User-Agent|3a 20|LogEvents|0d 0a|"; http_header; fast_pattern:12,11; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:trojan-activity; sid:2020238; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP.Win32.BoBrowser User-Agent (VersionDwl)"; flow:established,to_server; content:"User-Agent|3a 20|VersionDwl|0d 0a|"; http_header; fast_pattern:12,12; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:trojan-activity; sid:2020239; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP.Win32.BoBrowser 
User-Agent (BoBrowser)"; flow:established,to_server; content:"User-Agent|3a 20|"; http_header; content:" BoBrowser/"; http_header; distance:0; fast_pattern; threshold:type limit,track by_src,count 1,seconds 180; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:trojan-activity; sid:2020240; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"POST"; http_method; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r?$/Hi"; reference:md5,64482895a11d120a9f17ded96aa43cd3; reference:md5,a108ae58850e8f48428070d3193e5c11; classtype:trojan-activity; sid:2020422; rev:16; metadata:created_at 2015_02_13, updated_at 2016_07_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/MultiPlug.Adware Adfraud Traffic"; flow:established,to_server; content:"GET"; http_method; content:"/sync"; http_uri; depth:5; content:"/?rmbs="; within:8; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17|0d 0a|"; http_header; content:!"Referer|3A|"; http_header; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:trojan-activity; sid:2020457; rev:1; metadata:created_at 2015_02_17, updated_at 2015_02_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney Checkin 1"; flow:established,to_server; content:"POST"; http_method; urilen:8; content:"/ppu.php"; http_uri; 
fast_pattern:only; content:"xml_req="; depth:8; http_client_body; content:"system"; distance:0; http_client_body; content:"os+version"; distance:0; http_client_body; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024258; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_02_17, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/WinWrapper.Adware Initial Install Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/api.cgi?act="; http_uri; fast_pattern:only; content:"&appid="; http_uri; content:"&ts="; http_uri; content:"&dlip="; http_uri; content:"&dlid="; http_uri; content:"&proto="; http_uri; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 0a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020627; rev:2; metadata:created_at 2015_03_06, updated_at 2015_03_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MALWARE W32/WinWrapper.Adware POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api.cgi?act="; http_uri; fast_pattern:only; content:"&appid="; http_uri; content:"&proto="; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|WinWrapper|0d 0a|"; http_header; content:"{|22|appId|22 3a 22|"; http_client_body; content:"|22|uuId|22 3a 22|"; http_client_body; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020628; rev:1; metadata:created_at 2015_03_06, updated_at 2015_03_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MALWARE W32/WinWrapper.Adware User-Agent"; 
flow:established,to_server; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|WinWrapper|0d 0a|"; http_header; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020629; rev:1; metadata:created_at 2015_03_06, updated_at 2015_03_06;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney Checkin 2"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/launch_info"; http_uri; content:"User-Agent|3a 20|Downloader "; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024259; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_03_13, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney User Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader "; http_header; fast_pattern:12,11; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024249; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_03_13, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Potentially Unwanted Application AirInstaller CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"/log/?"; http_uri; fast_pattern; content:"="; distance:1; within:1; 
http_uri; content:"&d="; distance:0; http_uri; content:"&o="; http_uri; content:"&r="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; pcre:"/^\/(?:[^\x2f]+\/)*log\/\?[bc]=/U"; reference:md5,e89ec5e8f89ee6ae4a6b65157c886614; classtype:trojan-activity; sid:2020701; rev:1; metadata:created_at 2015_03_16, updated_at 2015_03_16;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b 2a|.tr553.com"; distance:1; within:12; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:trojan-activity; sid:2020712; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_19, updated_at 2016_07_01;) + +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a 20|image/jpeg"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2020757; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2015_03_26, performance_impact Low, updated_at 2017_12_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/AdWare.Sendori User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Sendori-Client"; http_header; fast_pattern:6,20; reference:url,isc.sans.edu/forums/diary/Suspect+Sendori+software/16466; reference:md5,aee8ddf3b36d60d33c571ee798b6bad6; classtype:trojan-activity; sid:2020881; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;) + +alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney Checkin 3"; flow:established,to_server; content:"/get_json?"; http_uri; fast_pattern:only; content:"&name="; http_uri; content:"rnd="; http_uri; content:"User-Agent|3a 20|Downloader|20|"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024261; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_04_09, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PicColor Adware CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"?d="; http_uri; content:"&format=json"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/&format=json$/U"; reference:md5,6b173406ffccaa6d0287b795f8de2073; classtype:trojan-activity; sid:2020948; rev:1; metadata:created_at 2015_04_20, updated_at 2015_04_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Softpulse PUP Install Failed Beacon"; flow:established,to_server; content:"GET"; http_method; content:"?sentry_version="; http_uri; content:"&sentry_client="; distance:0; http_uri; content:"&sentry_key=84ce05510b844b75acc37de959560a65&sentry_secret=1c9aa912021b4626a5b7a7e589cba678&sentry_data="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,bb9f26d52327979fb9b4d467408eba25; classtype:trojan-activity; sid:2021027; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 
0a|"; http_header; content:"postInstallReport"; http_client_body; fast_pattern; content:"machineId|22 3a 22|"; http_client_body; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:trojan-activity; sid:2021094; rev:2; metadata:created_at 2015_05_13, updated_at 2015_05_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP.GigaClicks Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/ver/"; http_uri; content:"/sid/"; http_uri; content:"instlog="; http_client_body; fast_pattern; content:!"User-Agent|3a|"; http_header; reference:md5,942fd71fb26b874502f3ba8546e6c164; classtype:trojan-activity; sid:2021099; rev:1; metadata:created_at 2015_05_15, updated_at 2015_05_15;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/Conduit.SearchProtect.O CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/?uid="; http_uri; content:"&affid="; distance:0; http_uri; content:"&inst_date="; distance:0; http_uri; fast_pattern; content:"&prod="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,525917c79e22fa9bc54da36b94437a46; classtype:trojan-activity; sid:2021173; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/DownloadAssistant.A PUP CnC"; flow:established,to_server; content:"POST"; http_method; content:"/v2/"; http_uri; depth:4; fast_pattern; content:"X-Crypto-Version|3A|"; http_header; content:!"User-Agent|3A|"; http_header; pcre:"/^\/v2\/(?:(?:(?:intro_impr|s)ession|l(?:aunch|og)|exit)/$|c(?:(?:dn_(?:success|check)|ancel)/$|lick/))/U"; reference:md5,a54f78d0fe6d1a1a09c22a71646c24b3; classtype:trojan-activity; sid:2021282; rev:1; metadata:created_at 2015_06_16, updated_at 2015_06_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/DownloadAssistant.A Checkin"; 
flow:established,to_server; content:"POST"; http_method; content:"/launch/"; http_uri; content:"X-Crypto-Version|3a|"; http_header; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/launch\/$/U"; reference:md5,62a4d32dcb1c495c5583488638452ff9; classtype:trojan-activity; sid:2021283; rev:4; metadata:created_at 2015_06_16, updated_at 2015_06_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP TheSZ AutoUpdate CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/update.php?p="; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&id="; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|AutoUpdate|0d 0a|"; http_header; reference:md5,76e54deb6f81edd6b47c854c847d590d; classtype:trojan-activity; sid:2021401; rev:1; metadata:created_at 2015_07_10, updated_at 2015_07_10;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX ADWARE/Mackeeper Checkin"; flow:established,to_server; content:"/landings/"; depth:10; http_uri; content:"Macintosh|3b|"; http_header; content:"Host|3a| mackeeper"; http_header; content:"ldrBrowser=|25|22Safari|25|22|3b|"; http_cookie; content:"ldrOs=|25|22Mac+OS+X|25|22|3b|"; http_cookie; classtype:trojan-activity; sid:2021548; rev:1; metadata:created_at 2015_07_29, updated_at 2015_07_29;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/DownloadAdmin.Adware User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Installer|28|ref=|5b|"; http_header; fast_pattern:7,20; content:"|3b|windows="; http_header; distance:0; content:"|3b|uac="; http_header; distance:0; content:"|3b|elevated="; http_header; distance:0; content:"|3b|dotnet="; http_header; distance:0; content:"|3b|startTime="; http_header; distance:0; content:"|3b|pid="; http_header; distance:0; classtype:trojan-activity; sid:2021564; rev:1; 
metadata:created_at 2015_07_31, updated_at 2015_07_31;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DealPly Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?pcrc="; http_uri; depth:7; fast_pattern; content:"&v="; http_uri; pcre:"/^\/\?pcrc=\d+&v=[\d.]+$/U"; content:!"Referer|3a 20|"; http_header; reference:md5,a34236628ea04e10430e20ac2b9d7ad2; classtype:trojan-activity; sid:2021618; rev:3; metadata:created_at 2015_08_12, updated_at 2015_08_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DealPly Adware CnC Beacon 2"; flow:established,to_server; content:"/?v="; http_uri; depth:4; content:"&pcrc="; http_uri; distance:0; content:"&LSVRDT="; http_uri; distance:0; fast_pattern; content:"&ty="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021619; rev:2; metadata:created_at 2015_08_12, updated_at 2015_08_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DealPly Adware CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; http_uri; depth:4; content:"&pcrc="; http_uri; content:"&LUDT="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2021643; rev:1; metadata:created_at 2015_08_17, updated_at 2015_08_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUA Boxore User-Agent"; flow:to_server,established; content:"User-Agent|3a 20|BoxoreClent"; http_header; content:!"Referer|3a|"; http_header; reference:md5,5cb2e8a9b6935f228623c69f1b17669d; classtype:trojan-activity; sid:2021700; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney Checkin 4"; flow:established,to_server; content:"/data_files="; depth:12; fast_pattern; http_uri; 
content:"&rnd="; distance:0; http_uri; content:"User-Agent|3a 20|Downloader 1"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024262; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_08_24, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Fake Flash Player Download Oct 20"; flow:established,to_server; content:"GET"; http_method; content:"/download/"; http_uri; content:"/FMP.dmg?download_browser="; distance:0; http_uri; fast_pattern; content:"&app_id="; http_uri; distance:0; content:"&campaign="; http_uri; distance:0; content:"&cargoType="; http_uri; distance:0; content:"&oname=FMP.dmg"; http_uri; distance:0; classtype:trojan-activity; sid:2021984; rev:1; metadata:created_at 2015_10_20, updated_at 2015_10_20;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PPI User-Agent (InstallCapital)"; flow:to_server,established; content:"User-Agent|3a 20|InstallCapital"; http_header; metadata: former_category TROJAN; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022246; rev:2; metadata:created_at 2015_12_11, updated_at 2018_02_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DealPly Adware CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; http_uri; depth:4; fast_pattern; content:"&pcrc="; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept-"; http_header; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/U"; reference:md5,038da581f99c88a4ee6700de440a54ca; classtype:trojan-activity; sid:2022354; rev:1; 
metadata:created_at 2016_01_13, updated_at 2016_01_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SmartTab PUP Install Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/v"; http_uri; depth:2; content:".asp"; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b| Indy Library|29 0d 0a|"; http_header; fast_pattern:32,20; pcre:"/\/v\d\/[^.]+\.asp$/Ui"; reference:md5,84fcdf1cd6dc3ee71686835f9489752c; classtype:trojan-activity; sid:2022694; rev:1; metadata:created_at 2016_04_01, updated_at 2016_04_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Adware.Pirrit CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".sh?do="; http_uri; content:"&d="; http_uri; content:"&inj="; http_uri; content:"&cl="; http_uri; content:"&cs="; http_uri; content:"&id="; http_uri; content:"&se="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; http_header; fast_pattern:5,20; content:!"Referer|3a|"; http_header; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022716; rev:1; metadata:created_at 2016_04_08, updated_at 2016_04_08;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Adware.Pirrit CnC Activity 1"; flow:established,to_server; content:"GET"; http_method; content:"?mid="; http_uri; fast_pattern; content:"User-Agent|3a 20|curl/"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/(cld|update-effect)\?mid=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&(ct|st)=[a-z0-9]+$/Ui"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022717; rev:1; metadata:created_at 2016_04_08, updated_at 2016_04_08;) + +alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Adware.Pirrit CnC Activity 2"; flow:established,to_server; content:"POST"; http_method; content:!"."; http_uri; content:"User-Agent|3a 20|curl/"; http_header; content:"vs_mid="; http_client_body; depth:7; fast_pattern; content:"&br_mid="; http_client_body; content:"&event_type="; http_client_body; content:"diss URL"; http_client_body; nocase; content:!"Referer|3a|"; http_header; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022718; rev:1; metadata:created_at 2016_04_08, updated_at 2016_04_08;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Adware.Pirrit Web Injects"; flow:established,to_server; content:"GET"; http_method; content:"/mu?id="; http_uri; fast_pattern; content:"&d="; http_uri; content:"&cl="; http_uri; pcre:"/\/mu\?id=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&d=[A-Za-z]+&cl=\d+$/Ui"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022719; rev:1; metadata:created_at 2016_04_08, updated_at 2016_04_08;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 3"; flow:established,to_server; content:"HEAD"; http_method; content:"/u/?"; depth:4; http_uri; fast_pattern; content:"&c="; http_uri; distance:0; content:"&r="; http_uri; distance:0; pcre:"/^\/u\/\?[a-z]=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&r=[0-9]{17,}$/U"; reference:url,blog.malwarebytes.org/cybercrime/2016/01/trojan-dnschanger-circumvents-powershell-restrictions/; classtype:trojan-activity; sid:2022722; rev:1; metadata:created_at 2016_04_11, updated_at 2016_04_11;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 4"; 
flow:established,to_server; content:"POST"; http_method; content:"/u/"; depth:3; http_uri; fast_pattern; content:"Connection|3a| Close|0d 0a|"; nocase; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; content:!"Accept"; http_header; content:!"Referer|3a|"; nocase; http_header; content:"a="; depth:2; http_client_body; content:"&c="; http_client_body; distance:0; content:"&r="; http_client_body; distance:0; pcre:"/^a=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&h=[a-zA-Z0-9_-]+&r=[0-9]{15,}$/P"; reference:md5,3ea75d62966f8c52de16d7849eeb3691; classtype:trojan-activity; sid:2022723; rev:1; metadata:created_at 2016_04_11, updated_at 2016_04_11;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/InstallCore Initial Install Activity 1"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; depth:4; http_uri; content:"&subver="; fast_pattern; distance:0; http_uri; content:"&pcrc="; distance:0; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/\?v=[\d\.]{3,4}&subver=[\d\.]{4,5}&pcrc=\d+$/U"; reference:md5,0a6a0baf77b80706cab665754ecadac9; classtype:trojan-activity; sid:2022807; rev:2; metadata:created_at 2016_05_16, updated_at 2016_05_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Successful QuizScope Installation"; flow:established,to_server; content:"GET"; http_method; content:"/qscope/ithankyou"; depth:17; fast_pattern; http_uri; reference:md5,4dae2a394b792c36936a88cfc296f9b9; classtype:trojan-activity; sid:2022812; rev:1; metadata:created_at 2016_05_17, updated_at 2016_05_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SearchProtect PUA User-Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|SearchProtect|3b|"; fast_pattern; http_header; reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87; classtype:trojan-activity; sid:2022813; rev:1; metadata:created_at 2016_05_17, updated_at 
2016_05_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Conduit Trovi Adware/PUA"; flow:established,to_server; content:"GET"; http_method; content:"/?gd="; http_uri; depth:5; fast_pattern; content:"&ctid="; http_uri; distance:0; content:"&octid="; http_uri; distance:0; content:"&SSPV="; http_uri; distance:0; reference:md5,069ce8c2a553f9bc5a9599d7541943ce; classtype:trojan-activity; sid:2022814; rev:1; metadata:created_at 2016_05_17, updated_at 2016_05_17;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore PUA/Adware Activity M1"; flow:established,to_server; content:"/gettrk_l?partner="; depth:18; http_uri; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022821; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore PUA/Adware Activity M2"; flow:established,to_server; content:"/install-report?"; http_uri; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022822; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore PUA/Adware Activity M3"; flow:established,to_server; content:"/event-report?"; http_uri; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022823; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore PUA/Adware Activity M4"; flow:established,to_server; content:"?type=off"; http_uri; content:"&topic="; http_uri; distance:0; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022824; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Toolbar User-Agent (BrandThunderHelper)"; flow:established,to_server; content:"User-Agent|3a 20|BrandThunderHelper|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022825; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Toolbar.WIDGI User-Agent (WidgiToolbar-)"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a 20|WidgiToolbar-"; http_header; reference:md5,1785f9784cb4e7400ed6f2c8f0e421c2; classtype:trojan-activity; sid:2022826; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP/DriverRestore Sending System Information to Affiliate"; flow:established,to_server; content:".jsp?leadTrackerId="; http_uri; content:"|22|ComputerName|22|"; http_uri; distance:0; content:"|22|UserName|22|"; http_uri; distance:0; content:"|22|IsAdmin|22|"; http_uri; distance:0; content:"User-Agent|3a 20|DriverRestore/"; http_header; fast_pattern:6,20; content:!"Referer|3a 20|"; http_header; reference:md5,4f7f497668e3e716a6f4a53af0924a25; classtype:trojan-activity; sid:2022827; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCAcceleratePro PUA/Adware User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|PCAcceleratePro|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022828; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopTools PUP Install Activity"; flow:established,to_server; content:"POST"; http_method; content:"_install.cgi"; http_uri; content:"User-Agent|3a 20|BIDUI18N|0d 0a|"; http_header; content:"name=|22|ufile01|22 3b 20|filename=|22|boundary|22|"; http_client_body; fast_pattern; content:"Content-Type|3a 
20|application/octet-stream"; http_client_body; distance:0; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3e464cff8690c7a2f57542688a278c62; classtype:trojan-activity; sid:2022829; rev:1; metadata:created_at 2016_05_19, updated_at 2016_05_19;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; content:"GET"; http_method; content:"?alpha="; http_uri; content:"User-Agent|3a 20|NSIS_Inetc"; http_header; fast_pattern; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/U"; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:trojan-activity; sid:2022850; rev:1; metadata:created_at 2016_06_02, updated_at 2016_06_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MSIL/Adload.AT Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern; content:"source="; http_uri; content:"&event="; http_uri; content:"&implementation_id="; http_uri; content:"user_id="; http_uri; content:"&useragent="; http_uri; content:"&sgn="; http_uri; content:"&subid2="; http_uri; content:"&ts="; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; metadata: former_category MALWARE; reference:md5,d15069e44ec849ab26bcefffe6867f10; reference:md5,4ececc2f027a096c2100ec1125d0d151; classtype:trojan-activity; sid:2022893; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Adware, signature_severity Major, created_at 2016_06_13, malware_family MSIL_Adload, updated_at 2018_06_22;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LoadMoney Checkin 5"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Downloader|20|"; http_header; content:"|0a|Content-Disposition|3a 20|form-data|3b 
20|name=|22|data|22 0d 0a|"; http_client_body; pcre:"/^User-Agent\x3a Downloader\s\d+\.\d+$/Hm"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2022987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2016_07_27, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Chrome Extension"; flow:established,to_server; content:"page?url="; http_uri; fast_pattern; content:"/user/"; http_uri; content:"iframe="; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2023015; rev:1; metadata:affected_product Web_Browser_Plugins, affected_product Google_Chrome, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_05, performance_impact Low, updated_at 2016_08_05;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern; depth:4; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:"+"; http_raw_uri; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\n\r?$/H"; reference:md5,6b95ddc5238cc0576db7b206af13339e; classtype:trojan-activity; sid:2023707; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_09, malware_family PUA, 
performance_impact Low, updated_at 2017_01_09;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M3"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/png"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2023750; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_19, performance_impact Low, updated_at 2017_12_21;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.LoadMoney User Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader "; http_header; fast_pattern:12,11; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024260; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2017_04_27, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/LoadMoney Adware Activity"; flow:to_server,established; content:"POST"; http_method; content:".htm?v="; http_uri; fast_pattern; content:"&eh="; distance:0; http_uri; content:"&ts="; distance:0; http_uri; content:"&u2="; distance:0; http_uri; content:"Cookie|3a 20|a=h+"; content:!"Referer|3a 20|"; http_header; flowbits:set,ETPTadmoney; metadata: former_category MALWARE; reference:md5,681501695c12112aaf2129ab614481bd; reference:md5,1282b899c41b06dac0adb17e0e603d30; classtype:trojan-activity; sid:2024693; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_12, malware_family Neshta, performance_impact Low, updated_at 2017_09_11;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore Variant CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; content:"|7c|"; http_client_body; depth:40; content:"POST|20|/|20|HTTP/1.1|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|Host|3a|"; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x7c/P"; metadata: former_category MALWARE; reference:md5,42374945061c7941d6690793ae393d3a; classtype:trojan-activity; sid:2024428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_26, performance_impact Moderate, updated_at 2017_09_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ProxyGearPro Proxy Tool PUA"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Proxy|20|Gear|20|Pro/"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; metadata: former_category MALWARE; reference:md5,b8889db7b4ef74c9302c12781a92a23a; classtype:policy-violation; sid:2024484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_20, performance_impact Moderate, updated_at 2017_07_20;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|89 50 4e 47 0d 0a 1a 0a|"; depth:8; byte_jump:2,8,from_beginning,little; isdataat:20,relative; isdataat:!21,relative; content:!"IHDR"; 
offset:12;depth:4; flowbits:isset,ETPTadmoney; metadata: former_category MALWARE; classtype:trojan-activity; sid:2024699; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, signature_severity Major, created_at 2017_09_11, performance_impact Moderate, updated_at 2017_09_12;) + +alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. DNS Query For Adware CnC (startupfraction)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|startupfraction|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024722; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) + +alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. DNS Query For Adware CnC (search.feedvertizus)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|search|0c|feedvertizus|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) + +alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. 
DNS Query For Adware CnC (go.querymo)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|go|07|querymo|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) + +alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. DNS Query For Adware CnC (opurie)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opurie|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Adware Chrome Extension Detected (1)"; flow:to_server,established; content:"/hostedsearch?"; http_uri; fast_pattern; content:"subid"; distance:0; http_uri; content:"&keyword="; distance:0; http_uri; content:"User-Agent|3a 20|"; http_header; content:"Upgrade-Insecure-Requests|3a 20|"; http_header; content:"Accept"; http_header; content:"Connection|3a 20|"; http_header; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024726; rev:3; 
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Adware Chrome Extension Detected (2)"; flow:to_server,established; content:"/?keyword="; http_uri; fast_pattern; content:"&id="; distance:0; http_uri; content:"&sysid="; distance:0; http_uri; content:"User-Agent|3a 20|"; http_header; content:"Upgrade-Insecure-Requests|3a 20|"; http_header; content:"Accept"; http_header; content:"Connection|3a 20|"; http_header; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] WebToolbar.Win32.Searchbar.k HTTP JSON Artifact"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|7b 22|lib_version|22 3a 22|"; depth:16; content:"|22 2c 22|lib_url|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|bin_version|22 3a 22|"; distance:0; content:"|22 2c 22|bin_url|22 3a 22|"; distance:0; metadata: former_category MALWARE; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:trojan-activity; sid:2024761; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_22, performance_impact Low, 
updated_at 2017_09_22;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Adware.SearchGo (start_page)"; flow:established,to_server; urilen: >100; content:"/%f3%07%27%f6%46%d3"; http_raw_uri; depth:19; content:"GET"; http_method; content:"User-Agent|3a 20|start_page"; http_header; fast_pattern; content:!"Content-Length|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category MALWARE; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:trojan-activity; sid:2024762; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_22, malware_family Searchgo, performance_impact Low, updated_at 2017_09_22;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] DeathBot.Java (Minecraft Spambot)"; flow:established, to_server; dsize:<256; content:"|00 00 00|"; depth:3; content:"|01 78 9c|"; distance:1; within:3; fast_pattern; byte_jump:1,3,from_beginning,post_offset 2; isdataat:1, relative; isdataat:!2,relative; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category MALWARE; classtype:misc-activity; sid:2024793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_02, malware_family Spambot, performance_impact Moderate, updated_at 2017_10_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Java.Deathbot Requesting Proxies"; flow:established,to_server; content:"GET"; http_method; content:"/Socks"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|Java/1."; http_header; 
pcre:"/\/Socks[45]\.txt$/U"; metadata: former_category MALWARE; classtype:trojan-activity; sid:2024794; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_02, malware_family Spambot, updated_at 2017_10_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Adware.FileFinder Activity"; flow:established, to_server; content:"POST"; http_method; content:"/?i="; http_uri; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"report=AAA"; http_client_body; depth:20; fast_pattern; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category MALWARE; classtype:trojan-activity; sid:2024904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_10_23, performance_impact Moderate, updated_at 2017_10_23;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 5"; flow:established,to_server; content:"POST"; http_method; content:"/q/"; depth:3; http_uri; fast_pattern; content:"Connection|3a| Close|0d 0a|"; nocase; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; content:!"Accept"; http_header; content:!"Referer|3a|"; nocase; http_header; content:"q="; depth:2; http_client_body; pcre:"/^q=[a-zA-Z0-9_-]+$/P"; metadata: former_category MALWARE; reference:md5,f0e02ba660cfcb122b89bc780a6555ac; classtype:trojan-activity; sid:2025094; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, tag Adware, signature_severity Major, created_at 2017_12_01, malware_family Adposhel, performance_impact 
Moderate, updated_at 2017_12_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.LoadMoney User Agent 2"; flow:established,to_server; content:"User-Agent|3a 20|s|20|2.8"; fast_pattern:only; pcre:"/^User-Agent\x3a\x20s\x202\.8\d\r?$/Hm"; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2025302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, malware_family Loadmoney, performance_impact Moderate, updated_at 2018_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/LoadMoney Adware Activity M2"; flow:to_server,established; content:"GET"; http_method; content:"/software_install?sid="; http_uri; fast_pattern; content:"&sub_id="; distance:0; http_uri; content:"&hash="; distance:0; http_uri; content:"&mid="; distance:0; http_uri; content:"&fname="; distance:0; http_uri; content:!"Referer|3a 20|"; http_header; flowbits:set,ETPTadmoney; metadata: former_category MALWARE; reference:md5,844e53381099d572c3864c7a42ddbbf1; classtype:trojan-activity; sid:2025303; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, malware_family Loadmoney, performance_impact Moderate, updated_at 2018_02_02;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rogue.WinPCDefender Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?machine_id={"; http_uri; depth:14; fast_pattern; content:"}"; http_uri; distance:0; pcre:"/\/\?machine_id=\x7b[A-F0-9-]+\x7d/U"; content:!"Referer"; http_header; content:"Host|3a 20|anti"; http_header; metadata: former_category MALWARE; reference:md5,aa8def27909596f8477a5374f735eec9; 
reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:trojan-activity; sid:2025358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_14, performance_impact Moderate, updated_at 2018_02_14;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Calender 2 Mining)"; flow:established,to_client; content:"|55 04 03|"; content:"|0a|*.qbix.com"; distance:1; within:11; fast_pattern; metadata: former_category MALWARE; reference:url,objective-see.com/blog/blog_0x2B.html; classtype:trojan-activity; sid:2025424; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_12, performance_impact Moderate, updated_at 2018_03_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (maraukog .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0d|maraukog.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_16;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (acinster .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0d|acinster.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025488; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (aclassigned .info in TLS SNI)"; flow:established,to_server; content:"|00 00 10|aclassigned.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (efishedo .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0d|efishedo.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (enclosely .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0e|enclosely.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025491; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (insupposity .info in TLS SNI)"; flow:established,to_server; content:"|00 00 10|insupposity.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (suggedin .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0d|suggedin.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;) + +alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Observed Win32/Foniad Domain (suggedin .info in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|suggedin|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category MALWARE; reference:md5,dc2c0b6a8824f5ababf18913ad6d0793; classtype:trojan-activity; sid:2025531; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_17, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_24;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Lavasoft PUA/Adware Client Install"; flow:established,to_server; content:"POST"; http_method; content:"/event-stat?ProductID="; http_uri; fast_pattern; content:"&Type=StubStart"; http_uri; distance:0; content:"lavasoft.com|0d 0a|"; http_header; metadata: former_category MALWARE; classtype:trojan-activity; sid:2025537; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Adware, signature_severity Minor, created_at 2018_04_26, updated_at 2018_04_26;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WiseCleaner Installed (PUA)"; flow:established,to_server; content:"POST"; http_method; content:".php?p=install_statistics"; nocase; http_uri; content:"Host|3a 20|wisecleaner.net|0d 0a|"; http_header; fast_pattern; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|Maxthon)"; http_header; metadata: former_category MALWARE; reference:url,wisecleaner.com; reference:md5,cd6e96207ea60b3e6e46c393fdcc9e0c; classtype:trojan-activity; sid:2025589; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_12, updated_at 2018_06_12;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antibody Software Installed (PUA)"; flow:established,to_server; content:"GET"; http_method; content:"version.php?ver="; nocase; http_uri; content:"&newinstall="; nocase; http_uri; distance:0; content:"Host|3a 20|antibody-software.com|0d 0a|"; http_header; fast_pattern; content:"User-Agent|3a 20|Embarcadero URI Client/1.0"; http_header; metadata: former_category MALWARE; 
reference:url,antibody-software.com; reference:md5,8e22d630b992f9cb4d7f6b0aceebb37f; classtype:trojan-activity; sid:2025590; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_12, updated_at 2018_06_12;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE [eSentire] Win32/Adware.Adposhel.lgvk CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/inst?data="; http_uri; nocase; content:"User-Agent|3a 20|Installer event sender/"; http_header; fast_pattern:13,20; content:"|0d 0a|"; http_header; distance:2; within:4; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category MALWARE; reference:md5,e7c2c1b796dad6210165110b7e8cda7d; classtype:trojan-activity; sid:2025645; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_10, malware_family Adposhel, performance_impact Low, updated_at 2018_07_10;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"ET MISC HP Web JetAdmin ExecuteFile admin access"; flow: to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; reference:url,doc.emergingthreats.net/2001055; classtype:attempted-admin; sid:2001055; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL MISC Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:2100449; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9; 
metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:2101627; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:2100523; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip any any -> any any (msg:"GPL MISC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102186; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip any any -> any any (msg:"GPL MISC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102187; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip any any -> any any (msg:"GPL MISC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102188; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"GPL MISC return code buffer overflow attempt"; flow:to_client,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; 
classtype:protocol-command-decode; sid:2101792; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:2100504; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:2100488; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:2100616; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:2101538; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC nntp SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2103078; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp 
$EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; isdataat:1024,relative; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2102927; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2102432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102427; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; isdataat:21,relative; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102430; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; 
reference:cve,2004-0045; classtype:attempted-admin; sid:2102431; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102429; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102424; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102425; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102426; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:2101323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:2100602; rev:6; metadata:created_at 
2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:2100603; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:2100606; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:2100608; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:2100609; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:2100610; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:2100328; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:2100326; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC 
Finger remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:2100327; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2102549; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2102547; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2102548; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2102561; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; 
classtype:misc-activity; sid:2102048; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2102523; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2102159; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102010; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102011; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2102013; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no 
such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2102009; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2102008; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2102012; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102317; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"GPL MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:2100511; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp any any <> any 179 (msg:"GPL MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2102158; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; classtype:attempted-recon; sid:2100517; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any 
-> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:2101917; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:2103089; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:2101939; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:2101940; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"GPL MISC Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:2100281; rev:6; 
metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:2100270; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET MISC RuggedCom factory account backdoor"; flow:to_server,established; content:"factory"; fast_pattern:only; flowbits:isset,ET.RUGGED.BANNER; pcre:"/factory[\r\n\x00]+[0-9]{9}/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:3; metadata:created_at 2012_04_27, updated_at 2012_04_27;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_01_05, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; content:"/push/androidxml/"; depth:200; nocase; content:"sim="; depth:200; nocase; content:"tel="; depth:200; nocase; content:"imsi="; depth:200; content:"pid="; depth:200; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, 
created_at 2011_03_10, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; content:".log"; depth:200; nocase; content:"id="; depth:200; nocase; content:"softid="; depth:200; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/GMServer/GMServlet"; nocase; http_uri; content:"|0d 0a|User-Agent|3a| Dalvik"; http_header; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"request"; depth:200; nocase; content:".php"; depth:200; nocase; content:""; content:""; content:""; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; content:"req.php"; nocase; depth:200; content:"pid="; depth:200; nocase; 
content:"ver="; depth:200; nocase; content:"area="; depth:200; nocase; content:"insttime="; depth:200; nocase; content:"first="; depth:200; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; content:"StartUpdata.ini"; nocase; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; content:"active.txt"; nocase; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; fast_pattern:only; http_uri; content:"&PhoneType="; nocase; 
http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012844; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012845; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012846; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012847; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:2; metadata:created_at 
2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012851; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012852; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012853; rev:1; metadata:created_at 2011_05_25, 
updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; 
flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"?id="; http_uri; content:"&time="; http_uri; content:"&imei="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; 
sid:2012863; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:1; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; http_client_body; nocase; content:"opname"; nocase; http_client_body; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_02, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu 
Checkin"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/search/sayhi.php"; distance:0; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"search/rpty.php"; distance:0; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0E|gongfu-android|03|com"; distance:0; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; 
reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013023; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_13, updated_at 2016_07_01;)
+
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
+
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; file_data; 
content:"url=http|3A|//"; nocase; within:11; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/search/getty.php"; distance:0; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:1; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?im="; http_uri; content:"User-Agent|3A| J2ME/UCWEB"; http_header; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; 
reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; content:"/ss/attachments/files/URLshorter.apk"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; content:"POST"; http_method; content:""; http_client_body; nocase; content:"<|2F|IMEI>"; nocase; distance:0; http_client_body; content:!".blackberry.com|0d 0a|"; http_header; content:!".nokia.com|0d 0a|"; http_header; content:!".sonyericsson.com|0d 0a|"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:6; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:""; http_client_body; nocase; content:"<|2F|IMSI"; nocase; http_client_body; distance:0; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013140; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013142; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013143; rev:1; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; content:"/flash/test.xml"; http_uri; fast_pattern:only; flowbits:set,ET.And.CruseWin; flowbits:noalert; 
reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013193; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; file_data; content:"http|3A|//"; nocase; distance:0; content:"http|3A|//"; nocase; distance:0; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; content:"/wat.php"; nocase; http_uri; content:"incorporateapps.com"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*incorporateapps\x2Ecom/Hi"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:trojan-activity; sid:2013209; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/Coop/request"; within:15; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:trojan-activity; sid:2013210; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; 
content:"/RegistUid.asp"; fast_pattern:only; http_uri; nocase; content:"?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; content:"/upload/UploadFiles.aspx?askId="; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; 
rev:1; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013265; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:""; content:""; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013266; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; content:"/clientRequest.htm?method="; http_uri; nocase; content:"&os="; http_uri; content:"&brand="; nocase; http_uri; content:"&sdkVersion="; nocase; http_uri; pcre:"/method\x3D(update|startcharge)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:trojan-activity; sid:2013299; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_23, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; content:"/Submit.aspx?ver="; http_uri; content:"&sys="; http_uri; content:"&imei="; http_uri; content:"&ua="; http_uri; content:"&pro="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013316; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, 
deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:""; content:""; content:"<|2F|mobile>"; fast_pattern; within:50; content:""; distance:0; content:""; distance:0; content:""; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013317; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"f0="; http_client_body; depth:3; content:"&b0="; distance:0; http_client_body; content:"&pid="; distance:0; http_client_body; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_27, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/netsend/nmsm_json.jsp"; fast_pattern:only; http_uri; content:"User-Agent|3a| Apache-HttpClient/"; http_header; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_09_23, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; content:"/android_notifier/notifier.php?app="; http_uri; content:"&deviceId="; http_uri; content:"&mobile="; http_uri; content:"&country="; http_uri; content:"&carrier="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; 
content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern:only; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_header; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; content:"/ProtocolGW/protocol/commands"; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:trojan-activity; sid:2014215; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_02_07, updated_at 2016_07_01;)
+
+#alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/>Keystrokes - iKeyMonitor